Thank you for your pull request. Before we can look at it, you'll need to sign a Contributor License Agreement (CLA).

Please follow instructions at https://icinga.com/company/contributor-agreement to sign the CLA.

After that, please reply here with a comment and we'll verify.

Contributors that have not signed yet: @OdyX

@cla-bot check

I don't think setting vars.ssl_cert_cn = "$ssl_cert_altnames$" for compatibility works.

check_ssl's --altnames (via ssl_cert_altnames) is a simple flag, but --match (via ssl_cert_cn) expects a pattern. So when the boolean ssl_cert_altnames is set but ssl_cert_cn isn't, check_ssl is called with --match false or --match true, which results in false negatives.

I've side-stepped this by setting ssl_cert_cn to a an actual pattern.

Hi @jktr, and thanks for reporting!

That change indeed doesn't make any sense! Can you please submit a PR that reverts d3d74c2 or a new issue? This PR is merged and will quickly get lost!

@yhabteab Thanks for confirming the problem. I've opened a PR at #10611

edit: Due to the CCLA requirement, I won't be able to contribute a PR for this. I've opened an issue at #10615 instead to avoid this getting lost.

Good catch, thank you all for finding this out. I can't understand why past me proposed this without seeing the flag aspect, but here we are; I'm glad some more eyes landed on this issue!

I can't understand why past me proposed this without seeing the flag aspect, but here we are;

Hi, I don't think it's your fault :)! It's introduced by this liip-forks#1.