Add support for AIA (Authority Information Access) #1350

Open
devops-cafex opened this issue Jan 3, 2025 · 5 comments
Comments

@devops-cafex

Can we please look at adding support for AIA (Authority Information Access)?

https://www.rfc-editor.org/rfc/rfc3280#section-4.2.2.1

@electron0zero
Member

Can you share more on how it would be useful to the users, and the possible use cases it will solve?

@devops-cafex
Author

Sure, hopefully this helps.

Monitoring endpoints secured by an HTTPS certificate that don't have the intermediate certs within the chain, e.g.:

Blackbox monitoring of third-party private APIs, to report on their availability, that are configured with public certificates that don't have the intermediate certs within the chain. Popular web browsers and stacks use AIA to pull these certs and connect without connection errors; however, blackbox fails to connect without ignoring certificate errors.

@electron0zero
Member

Can you share some examples of websites that blackbox_exporter fails on? Maybe share a check config?

@devops-cafex
Author

devops-cafex commented Jan 3, 2025

Sure thing, so if we use this site as the example:

https://incomplete-chain.badssl.com/

From a browser like Chrome this loads fine, as AIA is enabled.

If we curl or wget without AIA we get:

```
wget https://incomplete-chain.badssl.com/
Connecting to incomplete-chain.badssl.com (104.154.89.105:443)
wget: note: TLS certificate validation not implemented
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer
curl https://incomplete-chain.badssl.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

Due to the missing intermediate cert.

NOTE: Mac has AIA now on curl, so curl will work from a Mac, but from a Linux container etc. it will fail as above.

Then in blackbox exporter we have:

```yaml
config:
  modules:
    http_ok:
      prober: http
      timeout: 5s
      http:
        valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
        valid_status_codes: []
        follow_redirects: false
        preferred_ip_protocol: "ip4" # defaults to "ip6"
        ip_protocol_fallback: false  # no fallback to "ip6"
```

Then a job in Prometheus for:

```yaml
- job_name: http
  honor_timestamps: true
  track_timestamps_staleness: false
  params:
    module:
    - http_ok
  scrape_interval: 1m
  scrape_timeout: 10s
  scrape_protocols:
  - OpenMetricsText1.0.0
  - OpenMetricsText0.0.1
  - PrometheusText1.0.0
  - PrometheusText0.0.4
  metrics_path: /probe
  scheme: http
  enable_compression: true
  follow_redirects: true
  enable_http2: true
  relabel_configs:
  - source_labels: [__address__]
    separator: ;
    target_label: __param_target
    replacement: $1
    action: replace
  - source_labels: [__param_target]
    separator: ;
    target_label: instance
    replacement: $1
    action: replace
  - separator: ;
    target_label: __address__
    replacement: prometheus-blackbox-exporter:9115
    action: replace
  static_configs:
  - targets:
    - https://incomplete-chain.badssl.com
    - https://badssl.com/
```

The test for https://badssl.com/, which is fine, works as expected, but https://incomplete-chain.badssl.com fails as blackbox doesn't support AIA to fill in the incomplete cert.

It would make sense, I think, to add a flag to enable it if it's wanted for that module, as I can see the argument that you should just set up certs properly and then it's not an issue, but so many are missing the intermediate certs.

Hope that's helpful.

@electron0zero
Member

I read up more on AIA, and I think it makes sense for browsers to support it, but I can't think of the reasons to have a certificate that doesn't have the intermediate certs (in cases where you control the target you are probing).

From what I read online, it's generally not recommended to have a cert chain with missing intermediate certs, but I also understand that you don't always control the targets you probe.

We can consider this; feel free to send a PR, but it should be behind the flag, and disabled by default.
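For readers following the thread, here is an added example of what the AIA chasing discussed above looks like in Go, the language blackbox_exporter is written in. It is not blackbox_exporter code and not from either commenter: the leaf's `IssuingCertificateURL` field is the AIA "CA Issuers" URL, the verifier fetches it, adds the result as an intermediate and re-verifies, and a hop budget of 0 keeps today's no-fetch behaviour (the "disabled by default" the maintainer asks for). The certificates, the names and the `http://ca.example.test/...` URL are constructed test data, not a real CA, and `fetch` stands in for an HTTP client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifyWithAIA verifies leaf against roots; while the chain is incomplete it calls fetch on the AIA
// "CA Issuers" URL of the newest certificate, adds the result as an intermediate and retries. maxHops
// bounds the walk (0 = no fetching, today's behaviour) so a looping or hostile pointer cannot stall us.
func VerifyWithAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch func(string) (*x509.Certificate, error), maxHops int) (int, error) {
	inter, cur := x509.NewCertPool(), leaf
	for hop := 0; ; hop++ {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
		if err == nil || hop >= maxHops || len(cur.IssuingCertificateURL) == 0 {
			return hop, err // verified, budget spent, or nothing left to chase; hop = fetches made
		}
		if cur, err = fetch(cur.IssuingCertificateURL[0]); err != nil { // real code: bounded HTTP GET + ParseCertificate
			return hop, err
		}
		inter.AddCert(cur)
	}
}

// issue creates a constructed test certificate (self-signed when parent is nil); aia becomes its AIA "CA Issuers" URLs.
func issue(cn string, ca bool, aia []string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca, IssuingCertificateURL: aia}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// BuildIncompleteChain models the badssl case: a trusted root, an intermediate the server never sends, and a leaf whose AIA names a hypothetical URL for it.
func BuildIncompleteChain() (leaf, inter *x509.Certificate, roots *x509.CertPool) {
	root, rootKey := issue("Example Root", true, nil, nil, nil)
	inter, interKey := issue("Example Intermediate", true, nil, root, rootKey)
	leaf, _ = issue("www.example.test", false, []string{"http://ca.example.test/intermediate.der"}, inter, interKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return leaf, inter, roots
}
```

Wire `fetch` to an HTTP client with a short timeout and a size limit, and only ever accept the fetched certificate as an untrusted intermediate (never as a root): the chain still has to end in the configured trust store.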
