(c) Matteo Corti, ETH Zurich, 2007-2012
see AUTHORS for the complete list of contributors
check_ssl_cert
A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
Usage:
======
check_ssl_cert -H host [OPTIONS]
Arguments:
-H,--host host server
Options:
-A,--noauth ignore authority warnings (expiration only)
-C,--clientcert path use client certificate to authenticate
--clientpass phrase set passphrase for client certificate.
-c,--critical days minimum number of days a certificate has to be valid
to issue a critical status
-e,--email address pattern to match the email address contained in the
certificate
-f,--file file local file path (works with -H localhost only)
-h,--help,-? this help message
-i,--issuer issuer pattern to match the issuer of the certificate
-n,---cn name pattern to match the CN of the certificate
-N,--host-cn match CN with the host name
--ocsp check revocation via OCSP
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol {http|smtp|pop3|imap|ftp}
http: default
smtp,pop3,imap,ftp: switch to TLS
-s,--selfsigned allows self-signed certificates
-r,--rootcert path root certificate or directory to be used for
certficate validation
-t,--timeout seconds timeout after the specified time
(defaults to 15 seconds)
--temp dir directory where to store the temporary files
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
to issue a warning status
Deprecated options:
-d,--days days minimum number of days a certificate has to be valid
(see --critical and --warning)
Expect:
=======
check_ssl_cert requires 'expect' to enable timouts. If expect is not
present on your system timeouts will be disabled.
See: http://en.wikipedia.org/wiki/Expect
Perl and Date::Parse:
=====================
If perl and Date::Parse are available the plugin will also compute for
how many days the certificate will be valid and put the information in
the performance data. If perl or Date::Parse are not available the
information will not be available.
Virtual servers:
================
check_ssl_client supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
Notes:
======
the root certificate corresponding to the checked certificate must be
available to openssl or specified with the '-r cabundle' or
'--rootcert cabundle' option, where cabundle is either a file for -CAfile
or a directory for -CApath.
On Mac OS X the root certificates bundle is stored in the Keychain and
openssl will complain with:
verification error: unable to get local issuer certificate
The bundle can be extracted with:
$ sudo security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
Bugs:
=====
Report bugs to: Matteo Corti <matteo@corti.li>
# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
# $Revision: 1103 $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_updates/AUTHORS $
# $Date: 2009-12-07 08:49:19 +0100 (Mon, 07 Dec 2009) $
Jérémy Lecour
fe0e5804a3