I’m using OpenVAS 23.11 in the Community Edition and regularly test my Debian 11 web server with an authenticated scan.
Two NVT timed out error messages are displayed during the scan:
‘Directory Scanner’ and ‘Generic HTTP Directory Traversal (Web Root) - Active Check’. But it doesn’t really say what to do about it. Does anyone have any idea what to do with the information?
It is also noticeable that only one TLS certificate is displayed, but there should be six certificates. The certificates come from Certbot (Let’s Encrypt) and are actually all in the same (standard) directory. If one is found, all the others should be too.
I suggest you dump the certificate and check whether these are just alternative names or different certificates, each with a unique serial number. You should check the setup of your web-root as well.
If they were aliases, then there would only be one certificate, but I have six. With different expiration dates and, as I just checked, with different serial numbers.
Isn’t this covered by the openvas config option expand_vhosts=yes? How and where do I have to specify the hostnames then? In a file, as with multiple IP addresses or somewhere else? Not to end up scanning the same server six times.
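The check suggested in the reply above (alternative names on one certificate versus separate certificates with their own serial numbers), as an added example that is not part of the original thread. It assumes Certbot's default `/etc/letsencrypt/live/<name>/cert.pem` layout and OpenSSL 1.1.1 or newer; the function names are illustrative.

```shell
#!/bin/sh
# Added example: tell separate certificates apart from SAN aliases on one certificate.

# cert_summary FILE
# Prints one line: serial|notAfter|space-separated DNS names from subjectAltName
cert_summary() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    expiry=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    # -ext prints "DNS:a, DNS:b"; keep only the names. Empty if there is no SAN.
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'DNS:[^,]*' | sed 's/^DNS://' | tr '\n' ' ')
    printf '%s|%s|%s\n' "$serial" "$expiry" "${sans% }"
}

# count_distinct_serials FILE...
# Prints how many different serial numbers appear across the given files.
# Six files with six serials are six certificates; one serial with many
# SAN entries is a single certificate covering several hostnames.
count_distinct_serials() {
    for f in "$@"; do
        openssl x509 -in "$f" -noout -serial
    done | sort -u | wc -l | tr -d ' '
}

# Run against Certbot's default layout when it is present and readable
# (assumption: default paths; reading them usually requires root).
set -- /etc/letsencrypt/live/*/cert.pem
if [ -r "$1" ]; then
    for f in "$@"; do
        cert_summary "$f"
    done
    echo "distinct certificates: $(count_distinct_serials "$@")"
fi
```

Comparing this output with the single certificate shown in the scan report identifies which hostname's certificate the scanner actually received.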