Skip to content

Latest commit

 

History

History
167 lines (138 loc) · 7.74 KB

README.md

File metadata and controls

167 lines (138 loc) · 7.74 KB

(c) Matteo Corti, ETH Zurich, 2007-2012

(c) Matteo Corti, 2007-2019 see AUTHORS for the complete list of contributors

check_ssl_cert

A Nagios plugin to check an X.509 certificate:

  • checks if the server is running and delivers a valid certificate
  • checks if the CA matches a given pattern
  • checks the validity

Usage


Usage: check_ssl_cert -H host [OPTIONS]

Arguments:
   -H,--host host                  server

Options:
   -A,--noauth                	   ignore authority warnings (expiration only)
      --altnames              	   matches the pattern specified in -n with alternate
                              	   names too
   -C,--clientcert path       	   use client certificate to authenticate
      --clientpass phrase     	   set passphrase for client certificate.
   -c,--critical days         	   minimum number of days a certificate has to be valid
                              	   to issue a critical status
      --curl-bin path         	   path of the curl binary to be used
   -d,--debug                 	   produces debugging output
      --ecdsa                 	   cipher selection: force ECDSA authentication
   -e,--email address         	   pattern to match the email address contained in the
                              	   certificate
   -f,--file file             	   local file path (works with -H localhost only)
                              	   with -f you can not only pass a x509 certificate file
                              	   but also a certificate revocation list (CRL) to check
                              	   the validity period
      --file-bin path         	   path of the file binary to be used
      --fingerprint SHA1      	   pattern to match the SHA1-Fingerprint
      --force-perl-date       	   force the usage of Perl for date computations
      --format FORMAT         	   format output template on success, for example
                              	   "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
   -h,--help,-?               	   this help message
      --ignore-exp            	   ignore expiration date
      --ignore-ocsp           	   do not check revocation with OCSP
      --ignore-sig-alg        	   do not check if the certificate was signed with SHA1
                              	   or MD5
      --ignore-ssl-labs-cache 	   Forces a new check by SSL Labs (see -L)
   -i,--issuer issuer         	   pattern to match the issuer of the certificate
      --issuer-cert-cache dir 	   directory where to store issuer certificates cache
   -L,--check-ssl-labs grade  	   SSL Labs assessment
                              	   (please check https://www.ssllabs.com/about/terms.html)
      --check-ssl-labs-warn-grade  SSL-Labs grade on which to warn
      --long-output list      	   append the specified comma separated (no spaces) list
                              	   of attributes to the plugin output on additional lines
                              	   Valid attributes are:
                              	     enddate, startdate, subject, issuer, modulus,
                              	     serial, hash, email, ocsp_uri and fingerprint.
                              	   'all' will include all the available attributes.
   -n,--cn name               	   pattern to match the CN of the certificate (can be
                              	   specified multiple times)
      --no_ssl2               	   disable SSL version 2
      --no_ssl3               	   disable SSL version 3
      --no_tls1               	   disable TLS version 1
      --no_tls1_1             	   disable TLS version 1.1
      --no_tls1_2             	   disable TLS version 1.2
   -N,--host-cn               	   match CN with the host name
   -o,--org org               	   pattern to match the organization of the certificate
      --openssl path          	   path of the openssl binary to be used
   -p,--port port             	   TCP port
   -P,--protocol protocol     	   use the specific protocol
                              	   {http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}
                              	   http:                    default
                              	   smtp,pop3,imap,imaps,ftp,ldap: switch to TLS
   -s,--selfsigned            	   allows self-signed certificates
      --serial serialnum      	   pattern to match the serial number
      --sni name              	   sets the TLS SNI (Server Name Indication) extension
                              	   in the ClientHello message to 'name'
      --ssl2                  	   forces SSL version 2
      --ssl3                  	   forces SSL version 3
      --require-ocsp-stapling 	   require OCSP stapling
      --require-san           	   require the presence of a Subject Alternative Name
                              	   extension
   -r,--rootcert path         	   root certificate or directory to be used for
                              	   certificate validation
      --rootcert-dir path     	   root directory to be used for certificate validation
      --rootcert-file path    	   root certificate to be used for certificate validation
      --rsa                   	   cipher selection: force RSA authentication
      --temp dir              	   directory where to store the temporary files
      --terse                 	   terse output
   -t,--timeout               	   seconds timeout after the specified time
                              	   (defaults to 15 seconds)
      --tls1                  	   force TLS version 1
      --tls1_1                	   force TLS version 1.1
      --tls1_2                	   force TLS version 1.2
      --tls1_3                	   force TLS version 1.3
   -v,--verbose               	   verbose output
   -V,--version               	   version
   -w,--warning days          	   minimum number of days a certificate has to be valid
                              	   to issue a warning status
      --xmpphost name         	   specifies the host for the 'to' attribute of the stream element

Deprecated options:
      --days days                  minimum number of days a certificate has to be valid
                              	   (see --critical and --warning)
      --ocsp                  	   check revocation via OCSP
   -S,--ssl version           	   force SSL version (2,3)
                              	   (see: --ssl2 or --ssl3)

Expect

check_ssl_cert requires 'expect' to enable timeouts. If expect is not present on your system timeouts will be disabled.

See: http://en.wikipedia.org/wiki/Expect

Virtual servers

check_ssl_client supports the servername TLS extension in ClientHello if the installed openssl version provides it. This is needed if you are checking a machine with virtual hosts.

SSL Labs

If -L or --check-ssl-labs are specified the plugin will check the cached status using the SSL Labs Assessment API (see https://www.ssllabs.com/about/terms.html).

The plugin will ask for a cached result (maximum age 1 day) to avoid to many checks. The first time you issue the check you could therefore get an outdated result.

Notes

The root certificate corresponding to the checked certificate must be available to openssl or specified with the -r cabundle or --rootcert cabundle option, where cabundle is either a file for -CAfile or a directory for -CApath.

On macOS the root certificates bundle is stored in the Keychain and openssl will complain with:

verification error: unable to get local issuer certificate

The bundle can be extracted with:

$ sudo security find-certificate -a \
  -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt

and then submitted to check_ssl_cert with the -r,--rootcert path option

 ./check_ssl_cert -H www.google.com -r ./cabundle.crt 

Bugs

The timeout is applied to each action involving a download.

Report bugs to https://github.com/matteocorti/check_ssl_cert/issues