NAME¶
check_ssl_cert - checks the validity of X.509 certificates
SYNOPSIS¶
check_ssl_cert -H host [OPTIONS]
DESCRIPTION¶
check_ssl_cert A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
ARGUMENTS¶
- -H,--host host
- server
OPTIONS¶
- -A,--noauth
- ignore authority warnings (expiration only)
- --altnames
- matches the pattern specified in -n with alternate names too
- -C,--clientcert path
- use client certificate to authenticate
- --clientpass phrase
- set passphrase for client certificate.
- -c,--critical days
- minimum number of days a certificate has to be valid to issue a critical
status
- --curl-bin path
- path of the curl binary to be used
- --curl-user-agent string
- user agent that curl shall use to obtain the issuer cert
- --custom-http-header string
- custom HTTP header sent when getting the cert
- --dane
- verifies there are valid TLSA records for the returned certificate,
requires OpenSSL 1.1.0 or later
- --dane 211
- verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists
- --dane 301
- verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists
- --dane 302
- verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record exists
- --dane 311
- verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists
- -d,--debug
- produces debugging output
- --dig-bin path
- path of the dig binary to be used
- --ecdsa
- signature algorithm selection: force ECDSA certificate
- --element number
- checks N cert element from the begining of the chain
- -e,--email address
- pattern to match the email address contained in the certificate
- -f,--file file
- local file path (works with -H localhost only) with -f you can not only
pass a x509 certificate file but also a certificate revocation list (CRL)
to check the validity period
- --file-bin path
- path of the file binary to be used
- --fingerprint SHA1
- pattern to match the SHA1-Fingerprint
- --force-perl-date
- force the usage of Perl for date computations
- --format FORMAT
- custom output format (e.g. "%SHORTNAME% OK %CN% from
'%CA_ISSUER_MATCHED%'")
- -h,--help,-?
- this help message
- --http-use-get
- use GET instead of HEAD (default) for the HTTP related checks
- --ignore-exp
- ignore expiration date
- --ignore-ocsp
- do not check revocation with OCSP
- --ignore-ocsp-timeout
- ignore OCSP result when timeout occurs while checking
- --ignore-sig-alg
- do not check if the certificate was signed with SHA1 or MD5
- --ignore-ssl-labs-cache
- Forces a new check by SSL Labs (see -L)
- --issuer-cert-cache dir
- directory where to store issuer certificates cache
- -i,--issuer issuer
- pattern to match the issuer of the certificate
- -K,--clientkey path
- use client certificate key to authenticate
- -L,--check-ssl-labs grade
- SSL Labs assestment (please check
https://www.ssllabs.com/about/terms.html). Critical if the grade is lower
than specified.
- --check-ssl-labs-warn grade
- SSL Labs grade on which to warn
- --long-output list
- append the specified comma separated (no spaces) list of attributes to the
plugin output on additional lines. Valid attributes are: enddate,
startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and
fingerprint. 'all' will include all the available attributes.
- -n,--cn name
- pattern to match the CN of the certificate (can be specified multiple
times)
- --no_ssl2
- disable SSL version 2
- --no_ssl3
- disable SSL version 3
- --no_tls1
- disable TLS version 1
- --no_tls1_1
- disable TLS version 1.1
- --no_tls1_3
- disable TLS version 1.3
- --no_tls1_2
- disable TLS version 1.2
- --not-issued-by issuer
- check that the issuer of the certificate does not match the given
pattern
- --not-valid-longer-than days
- critical if the certificate validity is longer than the specified
period
- -N,--host-cn
- match CN with the host name
- --ocsp-critical hours
- minimum number of hours an OCSP response has to be valid to issue a
critical status
- --ocsp-warning hours
- minimum number of hours an OCSP response has to be valid to issue a
warning status
- -o,--org org
- pattern to match the organization of the certificate
- --openssl path
- path of the openssl binary to be used
- -p,--port port
- TCP port
- -P,--protocol protocol
- use the specific protocol: ftp, ftps, http, https (default), h2 (http/2),
imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3, pop3s, postgres, sieve,
smtp, smtps, xmpp, xmpp-server.
These protocols switch to TLS using StartTLS: ftp, imap, irc, ldap, mysql,
pop3, smtp.
- --proxy proxy
- sets http_proxy
- --require-no-ssl2
- critical if SSL version 2 is offered
- --require-no-ssl3
- critical if SSL version 3 is offered
- --require-no-tls1
- critical if TLS 1 is offered
- --require-no-tls1_1
- critical if TLS 1.1 is offered
- -s,--selfsigned
- allows self-signed certificates
- --serial serialnum
- pattern to match the serial number
- --skip-element number
- skip checks on N cert element from the begining of the chain
- --sni name
- sets the TLS SNI (Server Name Indication) extension in the ClientHello
message to 'name'
- --ssl2
- force SSL version 2
- --ssl3
- force SSL version 3
- --require-ocsp-stapling
- require OCSP stapling
- --require-san
- require the presence of a Subject Alternative Name extension
- -r,--rootcert cert
- root certificate or directory to be used for certificate validation
(passed to openssl's -CAfile or -CApath)
- --rootcert-dir dir
- root directory to be used for certificate validation (passed to openssl's
-CApath) overrides option -r,--rootcert
- --rootcert-file cert
- root certificate to be used for certificate validation (passed to
openssl's -CAfile) overrides option -r,--rootcert
- --rsa
- signature algorithm selection: force RSA certificate
- --temp dir
- directory where to store the temporary files
- --terse
- terse output (also see --verbose)
- -t,--timeout
- seconds timeout after the specified time (defaults to 15 seconds)
- --tls1
- force TLS version 1
- --tls1_1
- force TLS version 1.1
- --tls1_2
- force TLS version 1.2
- --tls1_3
- force TLS version 1.3
- -v,--verbose
- verbose output (also see --terse)
- -V,--version
- version
- -w,--warning days
- minimum number of days a certificate has to be valid to issue a warning
status
- --xmpphost name
- specifies the host for the "to" attribute of the stream
element
- -4
- forces IPv4
- -6
- forces IPv6
DEPRECATED OPTIONS¶
- -d,--days days
- minimum number of days a certificate has to be valid (see --critical and
--warning)
- --ocsp
- check revocation via OCSP
- -S,--ssl version
- force SSL version (2,3) (see: --ssl2 or --ssl3)
MULTIPLE CERTIFICATES¶
If the host has multiple certificates and the installed openssl version supports
the -servername option it is possible to specify the TLS SNI (Server Name
Idetificator) with the -N (or --host-cn) option.
EXIT STATUS¶
check_ssl_cert returns a zero exist status if it finds no errors, 1 for
warnings, 2 for a critical errors and 3 for unknown problems
AUTHOR¶
Matteo Corti (matteo (at) corti.li ) See the AUTHORS file for the complete list
of contributors
