
Incorrect valid until date shown when skipping first element #542

@cjs59

Describe the bug

When skipping the first element in a certificate chain and the certificate is OK, check_ssl_cert displays the expiry date from the skipped first element, but the correct number of days until expiry.

To Reproduce

The correct display for the first element in the chain:

$ ./check_ssl_cert --host www.microsoft.com
SSL_CERT OK - www.microsoft.com:443, https, x509 certificate 'www.microsoft.com' from 'Microsoft Corporation' valid until Aug 21 16:01:06 2025 GMT (expires in 72 days)|days_chain_elem1=72;20;15;; days_chain_elem2=442;20;15;;

The incorrect display for the second element in the chain using the expiry date of the first element, when the result is OK:

$ ./check_ssl_cert --host www.microsoft.com --skip-element 1
SSL_CERT OK - www.microsoft.com:443, https, x509 certificate 'www.microsoft.com' from 'DigiCert Inc' valid until Aug 21 16:01:06 2025 GMT (expires in 442 days)|days_chain_elem2=442;20;15;;

The correct display for the second element in the chain using the expiry date of the second element, when the result is WARN or CRITICAL:

$ ./check_ssl_cert --host www.microsoft.com --skip-element 1 --warning 500
SSL_CERT WARN www.microsoft.com:443: x509 certificate element 2 (Microsoft Azure RSA TLS Issuing CA 04) will expire in 442 day(s) on Aug 25 23:59:59 2026 GMT |days_chain_elem2=442;500;15;;

Expected behavior

It should display the expiry date for the second element in the chain, not the skipped first:

$ ./check_ssl_cert --host www.microsoft.com --skip-element 1
SSL_CERT OK - www.microsoft.com:443, https, x509 certificate 'www.microsoft.com' from 'DigiCert Inc' valid until  Aug 25 23:59:59 2026 GMT (expires in 442 days)|days_chain_elem2=442;20;15;;

System (please complete the following information):

  • OS: Debian
  • OS version: 12
  • check_ssl_cert version: 2.93.0
  • OpenSSL version (openssl version): 3.0.16

Additional context/output

The use case for this is monitoring the expiry date for our internal CA, by monitoring a local HTTPS server with the certificate chain Root > Intermediate > Server.
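Added example (not part of the original report and not check_ssl_cert code): a consistency check a monitoring pipeline could run over the plugin's status line, confirming that the printed expiry date and the printed day count refer to the same certificate. The status lines are copied from the report; `RUN_TIME`, `parse_status` and `date_matches_days` are hypothetical names, and `RUN_TIME` is an assumed check time chosen to agree with the day counts in the report, which does not say when the commands were run.

```python
import re
from datetime import datetime, timezone

# Both message shapes quoted in the report: OK ("valid until <date> (expires in N days)")
# and WARN/CRITICAL ("will expire in N day(s) on <date>").
DATE = r"([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT"
OK_RE = re.compile(r"valid until\s+" + DATE + r"\s*\(expires in (\d+) days?\)")
ALERT_RE = re.compile(r"will expire in (\d+) day\(s\) on " + DATE)

# Assumed check time (not stated in the report), consistent with its day counts.
RUN_TIME = datetime(2025, 6, 9, 18, 0, 0, tzinfo=timezone.utc)
# Status lines copied from the report.
FIRST = "SSL_CERT OK - www.microsoft.com:443, https, x509 certificate 'www.microsoft.com' from 'Microsoft Corporation' valid until Aug 21 16:01:06 2025 GMT (expires in 72 days)|days_chain_elem1=72;20;15;; days_chain_elem2=442;20;15;;"
SKIPPED_OK = "SSL_CERT OK - www.microsoft.com:443, https, x509 certificate 'www.microsoft.com' from 'DigiCert Inc' valid until Aug 21 16:01:06 2025 GMT (expires in 442 days)|days_chain_elem2=442;20;15;;"
SKIPPED_WARN = "SSL_CERT WARN www.microsoft.com:443: x509 certificate element 2 (Microsoft Azure RSA TLS Issuing CA 04) will expire in 442 day(s) on Aug 25 23:59:59 2026 GMT |days_chain_elem2=442;500;15;;"


def parse_status(line):
    """Return (not_after, reported_days) from a status line, or None if absent."""
    m = OK_RE.search(line)
    if m:
        date_text, days = m.group(1), m.group(2)
    else:
        m = ALERT_RE.search(line)
        if not m:
            return None
        days, date_text = m.group(1), m.group(2)
    # OpenSSL pads single-digit days with an extra space; normalise before parsing.
    not_after = datetime.strptime(" ".join(date_text.split()), "%b %d %H:%M:%S %Y")
    return not_after.replace(tzinfo=timezone.utc), int(days)


def date_matches_days(line, now, tolerance=1):
    """True if the printed date and the printed day count describe the same expiry."""
    parsed = parse_status(line)
    if parsed is None:
        raise ValueError("no expiry information found in status line")
    not_after, reported = parsed
    # The one-day tolerance absorbs rounding differences in the day count.
    return abs((not_after - now).days - reported) <= tolerance


if __name__ == "__main__":
    for name, line in (("first", FIRST), ("skipped/OK", SKIPPED_OK), ("skipped/WARN", SKIPPED_WARN)):
        print(name, "consistent" if date_matches_days(line, RUN_TIME) else "MISMATCH")
```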
