(c) Matteo Corti, ETH Zurich, 2007-2012
(c) Matteo Corti, 2007-2016
see AUTHORS for the complete list of contributors
check_ssl_cert
A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
Usage:
======
check_ssl_cert -H host [OPTIONS]
Arguments:
-H,--host host server
Options:
-A,--noauth ignore authority warnings (expiration only)
--altnames matches the pattern specified in -n with alternate
names too
-C,--clientcert path use client certificate to authenticate
--clientpass phrase set passphrase for client certificate.
-c,--critical days minimum number of days a certificate has to be valid
to issue a critical status
-e,--email address pattern to match the email address contained in the
certificate
-f,--file file local file path (works with -H localhost only)
-h,--help,-? this help message
--long-output list append the specified comma separated (no spaces) list
of attributes to the plugin output on additional lines.
Valid attributes are:
enddate, startdate, subject, issuer, modulus, serial,
hash, email, ocsp_uri and fingerprint.
'all' will include all the available attributes.
-i,--issuer issuer pattern to match the issuer of the certificate
-L,--check-ssl-labs grade SSL Labs assestment
(please check https://www.ssllabs.com/about/terms.html)
-n,--cn name pattern to match the CN of the certificate
-N,--host-cn match CN with the host name
--ocsp check revocation via OCSP
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol {http|smtp|pop3|imap|ftp|xmpp}
http: default
smtp,pop3,imap,ftp: switch to TLS
-s,--selfsigned allows self-signed certificates
--serial serialnum pattern to match the serial number
-S,--ssl version force SSL version (2,3)
-r,--rootcert path root certificate or directory to be used for
certificate validation
-t,--timeout seconds timeout after the specified time
(defaults to 15 seconds)
--temp dir directory where to store the temporary files
--tls1 force TLS version 1
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
to issue a warning status
Expect:
=======
check_ssl_cert requires 'expect' to enable timouts. If expect is not
present on your system timeouts will be disabled.
See: http://en.wikipedia.org/wiki/Expect
Perl and Date::Parse:
=====================
If perl and Date::Parse are available the plugin will also compute for
how many days the certificate will be valid and put the information in
the performance data. If perl or Date::Parse are not available the
information will not be available.
Virtual servers:
================
check_ssl_client supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
SSL Labs:
=========
If -L or --check-ssl-labs are specified the plugin will check the
cached status using the SSL Labs Assessment API (see
https://www.ssllabs.com/about/terms.html).
The plugin will ask for a cached result (maximum age 1 day) to avoid
to many checks. The first time you issue the check you could therefore
get an outdated result.
Notes:
======
the root certificate corresponding to the checked certificate must be
available to openssl or specified with the '-r cabundle' or
'--rootcert cabundle' option, where cabundle is either a file for -CAfile
or a directory for -CApath.
On Mac OS X the root certificates bundle is stored in the Keychain and
openssl will complain with:
verification error: unable to get local issuer certificate
The bundle can be extracted with:
$ sudo security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
Bugs:
=====
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues