[inputs.x509_cert] Error in plugin: cannot get SSL cert Issue

Getting the following issue with one certificate:

[inputs.x509_cert] Error in plugin: cannot get SSL cert: tls: failed to parse certificate from server: x509: invalid certificate policies

I can test from openssl and it works fine. My other certs I'm checking with telegraf are working fine as well:

openssl s_client -servername server -connect server:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Jun 21 22:55:36 2022 GMT
notAfter=Jun 20 22:55:36 2025 GMT

This error comes from the Go library parsing the policies of the certificate. I see one upstream issue where a user did not provide a reproducer and another upstream issue that was fixed in go1.17+.

If you pipe the cert to openssl x509 --text what are the policies listed (e.g. X509v3 Certificate Policies:)?

What version of telegraf are you using as well?

Telegraf 1.25.0 (git: HEAD@4d17ec79)

And what are you looking for in the cert? I can only post so much information due to sensitivity.

I did find out this cert is issued from our Windows CA. The others are Digicert.

Is there a --ignore-ca-cert switch?

To be blunt, I am not sure :slight_smile: Clearly the Go cert parser doesn’t like something in those policies. I was curious if you see anything that doesn’t look right either.

Is there a --ignore-ca-cert switch?

The only option that the x509 plugin has is the exclude_root_certs which omits root certs and outputs leaf certs.

I tried that just now. Same error:

[inputs.x509_cert] Error in plugin: cannot get SSL cert 'https://server:443': tls: failed to parse certificate from server: x509: invalid certificate policies

I ran telegraf --test | grep x509.

I see the first three certs get tested, but the fourth is ignored, or there is nothing in the output regarding that cert. Is its placement in the config a contributing factor?

Without a config or some actual output it is hard to say.

Server 4 is the problem cert:

[[inputs.x509_cert]]
  sources = ["https://server1:443", "https://www.server2:443", "https://server3:443", "https://server4:443"]
  timeout = "15s"
  exclude_root_certs = true

In the logs:

[inputs.x509_cert] Error in plugin: cannot get SSL cert 'https://server4:443': tls: failed to parse certificate from server: x509: invalid certificate policies

The first three certs are issued from Digisign. The fourth is issued from a local Windows CA.

OK, so the fourth is also the one that is returning an error, so as a result there won't be any metrics about it. Placement should not have anything to do with it in your case. Does that align with what you are seeing?

Yeah, the other three are in InfluxDB. No reading for the fourth. Like I said, the fourth cert is from a local Windows CA. Does that have any bearing? Also, is there a command line to check what telegraf is looking for?

I would take a step back and go back to the error message. It was complaining about the properties. Do you have any other certs with those same properties that work? Could you create one by hand and try it?

What properties can I look for at a command line level?

As mentioned earlier I would take a look at openssl x509 --text and see what you find there.

I can only do so much with no additional information or no way to reproduce.

depth=2 CN = SERVERCA03
verify return:1
depth=1 DC = dom, DC = domain, CN = isllc-SERVERCA03-CA-1
verify return:1
depth=0 C = US, ST = STATE, L = City, O = Company, CN = server4
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:00:00:05:75:9b:a8:a5:31:6e:8b:66:1a:00:01:00:00:05:75
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = dom, DC = domain, CN = isllc-SERVERCA03-CA-1
        Validity
            Not Before: Jun 21 22:55:36 2022 GMT
            Not After : Jun 20 22:55:36 2025 GMT
        Subject: C = US, ST = STATE, L = City, O = Company, CN = server4
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:server4, DNS:tserver4, IP Address:x.x.x.x, IP Address:x.x.x.x
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://pki.server.com/CRLD/domain-SERVERCA03-CA-1(1).crl

            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            1.3.6.1.4.1.311.21.7:
                0..&+.....7.....*.......9...k...y...........d...
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            1.3.6.1.4.1.311.21.10:
                0.0

                …+…0
                …+…

I started going through the x509v3 config docs and looking at each of your extensions:

X509v3 Subject Alternative Name:

Both DNS and IP are listed as valid

X509v3 CRL Distribution Points:

Looks like a valid URI to me

X509v3 Extended Key Usage:

These look like valid server and client auth values

1.3.6.1.4.1.311.21.7
1.3.6.1.4.1.311.21.10

These are Microsoft OIDs, which brought me back to the Go issue I mentioned above, golang/go issue #49678 "crypto/x509: error parsing large ASN.1 identifiers" (https://github.com/golang/go/issues/49678), which appears fixed. You are running this on a 64-bit system?

I found it:

// readBase128Int decodes a base-128 encoded int from s.
// (From the cryptobyte package vendored into the Go standard library,
// vendor/golang.org/x/crypto/cryptobyte/asn1.go; the tail of the function
// is restored here so the snippet is complete.)
func (s *String) readBase128Int(out *int) bool {
	ret := 0
	for i := 0; len(*s) > 0; i++ {
		if i == 5 {
			// Hard cap: an arc may not span more than 5 base-128 bytes.
			return false
		}
		// Avoid overflowing int on a 32-bit platform.
		// We don't want different behavior based on the architecture.
		if ret >= 1<<(31-7) {
			return false
		}
		ret <<= 7
		b := s.read(1)[0]
		ret |= int(b & 0x7f)
		if b&0x80 == 0 {
			*out = ret
			return true
		}
	}
	return false // truncated
}
It's set to 5.
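The two checks in that function (at most five base-128 bytes per arc, and an accumulated value that must stay below 2^31 regardless of the host's word size) are enough to model why a certificate from a Windows CA can trip Go's parser while openssl accepts it. The program below is an added example, not Telegraf's or Go's own code: it reimplements the quoted limits as a standalone decoder, builds the DER content octets of an OID, and runs the small Microsoft OID from the thread beside a constructed template-style OID that carries a 32-bit arc. The function names, the arc value 3000000000 and the OID 1.3.6.1.4.1.311.21.8.3000000000 are assumptions made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// readBase128IntLimited decodes one base-128 OID arc from b with the same limits as
// the quoted cryptobyte function: no more than five bytes per arc, and the value
// accumulated so far must be below 2^31 before the next 7-bit shift. It returns the
// arc, the number of bytes consumed, and the reason a strict parser would reject it.
// (Hypothetical helper written for this example; not Go's or Telegraf's code.)
func readBase128IntLimited(b []byte) (val int, n int, err error) {
	ret := 0
	for i := 0; i < len(b); i++ {
		if i == 5 {
			return 0, 0, errors.New("arc longer than 5 base-128 bytes")
		}
		if ret >= 1<<(31-7) {
			return 0, 0, errors.New("arc would not fit in 31 bits")
		}
		ret <<= 7
		ret |= int(b[i] & 0x7f)
		if b[i]&0x80 == 0 {
			return ret, i + 1, nil
		}
	}
	return 0, 0, errors.New("truncated arc")
}

// encodeBase128 returns the DER base-128 bytes of one arc: 7 bits per byte,
// high bit set on every byte except the last.
func encodeBase128(v uint64) []byte {
	out := []byte{byte(v & 0x7f)}
	for v >>= 7; v > 0; v >>= 7 {
		out = append([]byte{byte(v&0x7f) | 0x80}, out...)
	}
	return out
}

// encodeOID returns the DER content octets of an OBJECT IDENTIFIER (tag and
// length omitted); the first two arcs are packed into one value as 40*arc1+arc2.
func encodeOID(arcs []uint64) []byte {
	out := encodeBase128(arcs[0]*40 + arcs[1])
	for _, a := range arcs[2:] {
		out = append(out, encodeBase128(a)...)
	}
	return out
}

// decodeOIDLimited parses DER OID content octets with the limited reader and
// returns the dotted form, or an error naming the first arc the strict parser
// rejects, which is the situation behind "x509: invalid certificate policies".
func decodeOIDLimited(der []byte) (string, error) {
	first, pos, err := readBase128IntLimited(der)
	if err != nil {
		return "", fmt.Errorf("arc 1: %w", err)
	}
	var arcs []int
	if first < 80 {
		arcs = []int{first / 40, first % 40}
	} else {
		arcs = []int{2, first - 80}
	}
	for pos < len(der) {
		v, k, err := readBase128IntLimited(der[pos:])
		if err != nil {
			return "", fmt.Errorf("arc %d: %w", len(arcs)+1, err)
		}
		arcs = append(arcs, v)
		pos += k
	}
	parts := make([]string, len(arcs))
	for i, a := range arcs {
		parts[i] = fmt.Sprint(a)
	}
	return strings.Join(parts, "."), nil
}

func main() {
	cases := [][]uint64{
		{1, 3, 6, 1, 4, 1, 311, 21, 7},             // Microsoft OID seen in the thread's openssl output
		{1, 3, 6, 1, 4, 1, 311, 21, 8, 3000000000}, // constructed: template-style OID with a 32-bit arc
	}
	for _, c := range cases {
		s, err := decodeOIDLimited(encodeOID(c))
		if err != nil {
			fmt.Printf("%v -> rejected: %v\n", c, err)
			continue
		}
		fmt.Printf("%v -> %s\n", c, s)
	}
}
```

Run it with `go run`; the first OID decodes and the second is rejected at its tenth arc because the fifth byte would push the value past 31 bits. To check a real certificate against the same limit without sharing it, dump it with `openssl x509 -in cert.pem -noout -text` and compare each arc under "X509v3 Certificate Policies" with 2^31: any arc at or above that needs five base-128 bytes and will be refused by a Go build that still carries the quoted checks.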