lscert | Error fetching certificates chain: connectex: An attempt was made to access a socket in a way forbidden by its access permissions #990

Open
atc0005 opened this issue Oct 16, 2024 · 3 comments

atc0005 commented Oct 16, 2024

Someone gave this lscert binary a try on a Windows 10 system:

They attempted to run:

$ ./lscert-windows-amd64 host1.example.com

from a Cygwin console. They then repeated the attempt from an elevated Command prompt.

Same error:

github.com/atc0005/check-cert/cmd/lscert/main.go:200 > Error fetching certificates chain error="error connecting to server (host: host1.example.com, IP: W.X.Y.Z): dial tcp W.X.Y.Z:443: connectex: An attempt was made to access a socket in a way forbidden by its access permissions." age_critical=15 age_warning=30 app_type=inspector cert_check_timeout=10s filename= logging_level=info port=443 server=host1.example.com version="check-cert v0.19.0 (https://github.com/atc0005/check-cert)"

I typed this manually and attempted to sanitize the host details, so I could have introduced a typo somewhere.

I'll try to replicate on a Windows 10 system under different access restrictions.

I should note that this was executed on the host environment and not within VMware Workstation (or similar local hypervisors).

@atc0005 atc0005 added bug Something isn't working app/lscert labels Oct 16, 2024
@atc0005 atc0005 added this to the Future milestone Oct 16, 2024
@atc0005 atc0005 self-assigned this Oct 16, 2024

atc0005 commented Oct 17, 2024

It's probably worth doing (at least) two things:

  • expand the error/advice mapping used for Nagios plugins to specifically handle this scenario (WSAEACCES)
  • add explicit handling for this in this project with a focus on lscert, certsum and cpcert since those are the most likely tools to be used from a Windows system
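
One way the explicit WSAEACCES handling proposed above could look, as an added example that is not part of the issue thread or the check-cert code base. The helper names `adviceForDialError` and `sampleDialError` are hypothetical, the sample error is constructed, and the advice text is drawn from the suspicions raised in this thread.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
)

// wsaeacces is the Winsock error code WSAEACCES (10013). It is declared
// locally so that this example also builds on non-Windows systems.
const wsaeacces = syscall.Errno(10013)

// adviceForDialError (hypothetical helper) returns troubleshooting advice
// when err wraps WSAEACCES, or an empty string for any other error.
func adviceForDialError(err error) string {
	var errno syscall.Errno
	if errors.As(err, &errno) && errno == wsaeacces {
		return "connection attempt blocked on this host (WSAEACCES): " +
			"review local security software and Group Policy network settings"
	}
	return ""
}

// sampleDialError builds a constructed error chain shaped like a failed
// dial: *net.OpError -> *os.SyscallError -> syscall.Errno.
func sampleDialError(code syscall.Errno) error {
	return &net.OpError{
		Op:   "dial",
		Net:  "tcp",
		Addr: &net.TCPAddr{IP: net.IPv4(192, 0, 2, 10), Port: 443},
		Err:  os.NewSyscallError("connectex", code),
	}
}

func main() {
	// Wrap the dial error the way the logged message in this issue is wrapped.
	err := fmt.Errorf("error connecting to server: %w", sampleDialError(wsaeacces))
	fmt.Println(err)
	if advice := adviceForDialError(err); advice != "" {
		fmt.Println("advice:", advice)
	}
}
```

Matching on the numeric error code with `errors.As` keeps the check independent of the localized error string that Windows produces.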

@atc0005 atc0005 modified the milestones: Future, v0.21.0, v0.22.0, v0.23.0 Nov 15, 2024
@atc0005 atc0005 modified the milestones: v0.23.0, v0.24.0 Nov 23, 2024
@atc0005 atc0005 modified the milestones: v0.26.0, v0.27.0 Dec 11, 2024

atc0005 commented Jan 17, 2025

Prompt provided to ChatGPT:

I received this error from a small application written in Go when run on a Windows 10 system:

"connectex: An attempt was made to access a socket in a way forbidden by its access permissions"

The error was emitted while attempting to open a connection to a remote server's TLS-enabled web server port to evaluate its certificate chain.

Its response matched the earlier results I found very closely.

It did provide some useful troubleshooting steps that we didn't try at the time:

  • telnet example.com 443
  • curl -v https://example.com

Both of those are expected to pass (since I still suspect Windows Defender).

Other tips:

  • try from another network
  • use Wireshark to capture the access attempt
  • review GPO settings in Computer Configuration > Administrative Templates > Network to see if a setting is preventing socket operations

Other tips, which I don't think really apply:

  • try running the app (lscert) as administrator
    • the app doesn't use administrator privileges
  • check the application code
    • it works "fine" elsewhere, so not currently suspect
