NAME

check_ssl_cert - checks the validity of X.509 certificates

SYNOPSIS

check_ssl_cert -H host [OPTIONS]

DESCRIPTION

check_ssl_cert A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity

ARGUMENTS

-H,--host host

server

OPTIONS

-A,--noauth

ignore authority warnings (expiration only)

--altnames

matches the pattern specified in -n with alternate names too

-C,--clientcert path

use client certificate to authenticate

--clientpass phrase

set passphrase for client certificate.

-c,--critical days

minimum number of days a certificate has to be valid to issue a critical status

--curl-bin path

path of the curl binary to be used"

-d,--debug

produces debugging output

--ecdsa

cipher selection: force ECDSA authentication

-e,--email address

pattern to match the email address contained in the certificate

-f,--file file

local file path (works with -H localhost only) with -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period

--file-bin path

path of the file binary to be used

--fingerprint SHA1

pattern to match the SHA1-Fingerprint

--force-perl-date

force the usage of Perl for date computations

--format FORMAT

custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")

-h,--help,-?

this help message

--ignore-exp

ignore expiration date

--ignore-ocsp

do not check revocation with OCSP

--ignore-sig-alg

do not check if the certificate was signed with SHA1 or MD5

--ignore-ssl-labs-cache

Forces a new check by SSL Labs (see -L)

--issuer-cert-cache dir

directory where to store issuer certificates cache

-i,--issuer issuer

pattern to match the issuer of the certificate

-K,--clientkey path

use client certificate key to authenticate

-L,--check-ssl-labs grade

SSL Labs assestment (please check https://www.ssllabs.com/about/terms.html)

--check-ssl-warn-labs grade

SSL Labs grade on which to warn

--long-output list

append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines. Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes.

-n,--cn name

pattern to match the CN of the certificate (can be specified multiple times)

--no_ssl2

disable SSL version 2

--no_ssl3

disable SSL version 3

--no_tls1

disable TLS version 1

--no_tls1_1

disable TLS version 1.1

--no_tls1_2

disable TLS version 1.2

-N,--host-cn

match CN with the host name

-o,--org org

pattern to match the organization of the certificate

--openssl path

path of the openssl binary to be used

-p,--port port

TCP port

-P,--protocol protocol

use the specific protocol: http (default), irc or smtp,pop3,imap,ftp,ldap (switch to TLS)

-s,--selfsigned

allows self-signed certificates

--serial serialnum

pattern to match the serial number

--sni name

sets the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'

--ssl2

force SSL version 2

--ssl3

force SSL version 3

--require-ocsp-stapling

require OCSP stapling

--require-san

require the presence of a Subject Alternative Name extension

-r,--rootcert cert

root certificate or directory to be used for certificate validation (passed to openssl's -CAfile or -CApath)

--rootcert-dir dir

root directory to be used for certificate validation (passed to openssl's -CApath) overrides option -r,--rootcert

--rootcert-file cert

root certificate to be used for certificate validation (passed to openssl's -CAfile) overrides option -r,--rootcert

--rsa

cipher selection: force RSA authentication

--temp dir

directory where to store the temporary files

--terse

terse output (also see --verbose)

-t,--timeout

seconds timeout after the specified time (defaults to 15 seconds)

--tls1

force TLS version 1

--tls1_1

force TLS version 1.1

--tls1_2

force TLS version 1.2

--tls1_3

force TLS version 1.3

-v,--verbose

verbose output (also see --terse)

-V,--version

version

-w,--warning days

minimum number of days a certificate has to be valid to issue a warning status

--xmpphost name

specifies the host for the "to" attribute of the stream element

DEPRECATED OPTIONS

-d,--days days

minimum number of days a certificate has to be valid (see --critical and --warning)

--ocsp

check revocation via OCSP

-S,--ssl version

force SSL version (2,3) (see: --ssl2 or --ssl3)

MULTIPLE CERTIFICATES

If the host has multiple certificates and the installed openssl version supports the -servername option it is possible to specify the TLS SNI (Server Name Idetificator) with the -N (or --host-cn) option.

SEE ALSO

x509(1), openssl(1), expect(1), timeout(1)

EXIT STATUS

check_ssl_cert returns a zero exist status if it finds no errors, 1 for warnings, 2 for a critical errors and 3 for unknown problems

BUGS

Please report bugs to:

https://github.com/matteocorti/check_ssl_cert/issues

AUTHOR

Matteo Corti (matteo (at) corti.li ) See the AUTHORS file for the complete list of contributors