(c) Matteo Corti, ETH Zurich, 2007-2012

see AUTHORS for the complete list of contributors

A Nagios plugin to check an X.509 certificate:

- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern

check_ssl_cert -H host [OPTIONS]

   -A,--noauth              ignore authority warnings (expiration only)
   -C,--clientcert path     use client certificate to authenticate
      --clientpass phrase   set passphrase for client certificate.
   -c,--critical days       minimum number of days a certificate has to be valid
                            to issue a critical status
   -e,--email address       pattern to match the email address contained in the
   -f,--file file           local file path (works with -H localhost only)
   -h,--help,-?             this help message
   -i,--issuer issuer       pattern to match the issuer of the certificate
   -n,--cn name             pattern to match the CN of the certificate
   -N,--host-cn             match CN with the host name
   -o,--org org             pattern to match the organization of the certificate
      --openssl path        path of the openssl binary to be used
   -p,--port port           TCP port
   -P,--protocol protocol   use the specific protocol {http|smtp|pop3|imap|ftp}
                            smtp,pop3,imap,ftp: switch to TLS
   -s,--selfsigned          allows self-signed certificates
   -r,--rootcert path       root certificate or directory to be used for
   -t,--timeout seconds     timeout after the specified time
                            (defaults to 15 seconds)
      --temp dir            directory where to store the temporary files
   -v,--verbose             verbose output
   -w,--warning days        minimum number of days a certificate has to be valid
                            to issue a warning status

   -d,--days days           minimum number of days a certificate has to be valid
                            (see --critical and --warning)

check_ssl_cert requires 'expect' to enable timeouts. If expect is not
present on your system, timeouts will be disabled.

See: http://en.wikipedia.org/wiki/Expect

If perl and Date::Parse are available, the plugin will also compute for
how many days the certificate will be valid and put the information in
the performance data. If perl or Date::Parse are not available, the
information will not be available.

check_ssl_cert supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.

The root certificate corresponding to the checked certificate must be
available to openssl or specified with the '-r cabundle' or
'--rootcert cabundle' option, where cabundle is either a file for -CAfile
or a directory for -CApath.

On Mac OS X the root certificates bundle is stored in the Keychain and
openssl will complain with:

  verification error: unable to get local issuer certificate

The bundle can be extracted with:

  $ sudo security find-certificate -a \
    -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
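
The expiry thresholds, the servername extension and the root certificate bundle described above, tied together in an added Python example that is not part of check_ssl_cert. The function names, the status-line and perfdata layout, and the rule that fewer remaining days than the -c or -w value raises that status are assumptions of this example; the date in the docstring is a constructed sample.

```python
import socket
import ssl
import sys
import time

OK, WARNING, CRITICAL = 0, 1, 2  # standard Nagios plugin exit codes
LABELS = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL"}


def evaluate(not_after, warn_days, crit_days, now=None):
    """Map a notAfter string to (exit_code, status_line).

    not_after is in the format OpenSSL prints, e.g. "Jan  5 09:34:43 2018 GMT".
    Assumption: fewer days left than crit_days/warn_days raises that status.
    """
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(not_after)
    days = int((expires - now) // 86400)  # floors, so negative once expired
    if expires <= now:
        code, text = CRITICAL, f"certificate expired on {not_after}"
    elif days < crit_days:
        code, text = CRITICAL, f"certificate expires in {days} day(s)"
    elif days < warn_days:
        code, text = WARNING, f"certificate expires in {days} day(s)"
    else:
        code, text = OK, f"certificate valid for {days} day(s)"
    # Status text and perfdata layout are this example's own choice.
    return code, f"SSL_CERT {LABELS[code]} - {text} | days={days};{warn_days};{crit_days}"


def check_host(host, port=443, warn_days=30, crit_days=15, cafile=None, timeout=15):
    """Fetch the peer certificate over TLS and evaluate its expiry."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile acts like '-r cabundle'
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname sends the servername extension in ClientHello,
            # so a virtual host returns its own certificate.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except OSError as exc:  # refused, timed out, or chain/hostname check failed
        return CRITICAL, f"SSL_CERT CRITICAL - {host}:{port}: {exc}"
    return evaluate(not_after, warn_days, crit_days)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: example.py HOST [CABUNDLE]")
    status, line = check_host(sys.argv[1], cafile=(sys.argv[2:] or [None])[0])
    print(line)
    sys.exit(status)
```

A failed chain or host name verification surfaces as CRITICAL here because `ssl.SSLError` is a subclass of `OSError`.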

Report bugs to: Matteo Corti <matteo.corti@id.ethz.ch>

# File version information:
# $Id: AUTHORS 1103 2009-12-07 07:49:19Z corti $
# $HeadURL: https://svn.id.ethz.ch/nagios_plugins/check_updates/AUTHORS $
# $Date: 2009-12-07 08:49:19 +0100 (Mon, 07 Dec 2009) $