Scroll to navigation
NAME¶
check_ssl_cert - checks the validity of X.509 certificates
SYNOPSIS¶
check_ssl_cert -H host [OPTIONS]
DESCRIPTION¶
check_ssl_cert A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
ARGUMENTS¶
- -H,--host host
- server
OPTIONS¶
- -A,--noauth
- ignore authority warnings (expiration only)
- --altnames
- matches the pattern specified in -n with alternate names too
- -C,--clientcert path
- use client certificate to authenticate
- --clientpass phrase
- set passphrase for client certificate.
- -c,--critical days
- minimum number of days a certificate has to be valid to issue a critical
status
- -d,--debug
- produces debugging output
- --ecdsa
- cipher selection: force ECDSA authentication
- -e,--email address
- pattern to match the email address contained in the certificate
- -f,--file file
- local file path (works with -H localhost only)
- --file-bin path
- path of the file binary to be used"
- -h,--help,-?
- this help message
- --ignore-exp
- ignore expiration date
- --ignore-sig-alg
- do not check if the certificate was signed with SHA1 or MD5
- --ignore-ocsp
- do not check revocation with OCSP
- -i,--issuer issuer
- pattern to match the issuer of the certificate
- -L,--check-ssl-labs grade
- SSL Labs assestment (please check
https://www.ssllabs.com/about/terms.html)
- --ignore-ssl-labs-cache
- Forces a new check by SSL Labs (see -L)
- --long-output list
- append the specified comma separated (no spaces) list of attributes to the
plugin output on additional lines. Valid attributes are: enddate,
startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and
fingerprint. 'all' will include all the available attributes.
- -n,---cn name
- pattern to match the CN of the certificate (can be specified multiple
times)
- --no_ssl2
- disable SSL version 2
- --no_ssl3
- disable SSL version 3
- --no_tls1
- disable TLS version 1
- --no_tls1_1
- disable TLS version 1.1
- --no_tls1_2
- disable TLS version 1.2
- -N,--host-cn
- match CN with the host name
- -o,--org org
- pattern to match the organization of the certificate
- --openssl path
- path of the openssl binary to be used
- -p,--port port
- TCP port
- -P,--protocol protocol
- use the specific protocol: http (default), irc or smtp,pop3,imap,ftp
(switch to TLS)
- -s,--selfsigned
- allows self-signed certificates
- --serial serialnum
- pattern to match the serial number
- --ssl2
- force SSL version 2
- --ssl3
- force SSL version 3
- -r,--rootcert cert
- root certificate or directory to be used for certficate validation (passed
to openssl's -CAfile or -CApath)
- --rsa
- cipher selection: force RSA authentication
- -t,--timeout
- seconds timeout after the specified time (defaults to 15 seconds)
- --temp dir
- directory where to store the temporary files
- --tls1
- force TLS version 1
- -v,--verbose
- verbose output
- -V,--version
- version
- -w,--warning days
- minimum number of days a certificate has to be valid to issue a warning
status
DEPRECATED OPTIONS¶
- -d,--days days
- minimum number of days a certificate has to be valid (see --critical and
--warning)
- --ocsp
- check revocation via OCSP
- -S,--ssl version
- force SSL version (2,3) (see: --ss2 or --ssl3)
MULTIPLE CERTIFICATES¶
If the host has multiple certificates and the installed openssl version supports
the -servername option it is possible to specify the TLS SNI (Server Name
Idetificator) with the -N (or --host-cn) option.
EXIT STATUS¶
check_ssl_cert returns a zero exist status if it finds no errors, 1 for
warnings, 2 for a critical errors and 3 for unknown problems
BUGS¶
Please report bugs to: Matteo Corti (matteo (at) corti.li )
AUTHOR¶
Matteo Corti (matteo (at) corti.li ) See the AUTHORS file for the complete list
of contributors
