Commits on Source (3)
(c) Matteo Corti, ETH Zurich, 2007-2012
(c) Matteo Corti, 2007-2019
see AUTHORS for the complete list of contributors
# check_ssl_cert
A Nagios plugin to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
## Usage
```
Usage: check_ssl_cert -H host [OPTIONS]
Arguments:
-H,--host host server
Options:
-A,--noauth ignore authority warnings (expiration only)
--altnames matches the pattern specified in -n with alternate
names too
-C,--clientcert path use client certificate to authenticate
--clientpass phrase set passphrase for client certificate.
-c,--critical days minimum number of days a certificate has to be valid
to issue a critical status
--curl-bin path path of the curl binary to be used
--curl-user-agent string user agent that curl shall use to obtain the issuer cert
-d,--debug produces debugging output
--ecdsa cipher selection: force ECDSA authentication
-e,--email address pattern to match the email address contained in the
certificate
-f,--file file local file path (works with -H localhost only)
with -f you can not only pass a x509 certificate file
but also a certificate revocation list (CRL) to check
the validity period
--file-bin path path of the file binary to be used
--fingerprint SHA1 pattern to match the SHA1-Fingerprint
--force-perl-date force the usage of Perl for date computations
--format FORMAT format output template on success, for example
"%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
-h,--help,-? this help message
--ignore-exp ignore expiration date
--ignore-ocsp do not check revocation with OCSP
--ignore-sig-alg do not check if the certificate was signed with SHA1
or MD5
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
-i,--issuer issuer pattern to match the issuer of the certificate
--issuer-cert-cache dir directory where to store issuer certificates cache
-L,--check-ssl-labs grade SSL Labs assessment
(please check https://www.ssllabs.com/about/terms.html)
--check-ssl-labs-warn-grade SSL-Labs grade on which to warn
--long-output list append the specified comma separated (no spaces) list
of attributes to the plugin output on additional lines
Valid attributes are:
enddate, startdate, subject, issuer, modulus,
serial, hash, email, ocsp_uri and fingerprint.
'all' will include all the available attributes.
-n,--cn name pattern to match the CN of the certificate (can be
specified multiple times)
--no_ssl2 disable SSL version 2
--no_ssl3 disable SSL version 3
--no_tls1 disable TLS version 1
--no_tls1_1 disable TLS version 1.1
--no_tls1_2 disable TLS version 1.2
-N,--host-cn match CN with the host name
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap}
http: default
smtp,pop3,imap,imaps,ftp,ldap: switch to TLS
-s,--selfsigned allows self-signed certificates
--serial serialnum pattern to match the serial number
--sni name sets the TLS SNI (Server Name Indication) extension
in the ClientHello message to 'name'
--ssl2 forces SSL version 2
--ssl3 forces SSL version 3
--require-ocsp-stapling require OCSP stapling
--require-san require the presence of a Subject Alternative Name
extension
-r,--rootcert path root certificate or directory to be used for
certificate validation
--rootcert-dir path root directory to be used for certificate validation
--rootcert-file path root certificate to be used for certificate validation
--rsa cipher selection: force RSA authentication
--temp dir directory where to store the temporary files
--terse terse output
-t,--timeout seconds timeout after the specified time
(defaults to 15 seconds)
--tls1 force TLS version 1
--tls1_1 force TLS version 1.1
--tls1_2 force TLS version 1.2
--tls1_3 force TLS version 1.3
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
to issue a warning status
--xmpphost name specifies the host for the 'to' attribute of the stream element
Deprecated options:
--days days minimum number of days a certificate has to be valid
(see --critical and --warning)
--ocsp check revocation via OCSP
-S,--ssl version force SSL version (2,3)
(see: --ssl2 or --ssl3)
```
## Expect
check_ssl_cert requires 'expect' to enable timeouts. If expect is not
present on your system timeouts will be disabled.
See: http://en.wikipedia.org/wiki/Expect
## Virtual servers
check_ssl_cert supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
## SSL Labs
If `-L` or `--check-ssl-labs` are specified the plugin will check the
cached status using the SSL Labs Assessment API (see
https://www.ssllabs.com/about/terms.html).
The plugin will ask for a cached result (maximum age 1 day) to avoid
to many checks. The first time you issue the check you could therefore
get an outdated result.
## Notes
The root certificate corresponding to the checked certificate must be
available to openssl or specified with the `-r cabundle` or
`--rootcert cabundle` option, where cabundle is either a file for `-CAfile`
or a directory for `-CApath`.
On macOS the root certificates bundle is stored in the Keychain and
openssl will complain with:
```
verification error: unable to get local issuer certificate
```
The bundle can be extracted with:
```
$ sudo security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
```
and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
```
./check_ssl_cert -H www.google.com -r ./cabundle.crt
```
## Bugs
The timeout is applied to each action involving a download.
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
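Review bot: the `-P,--protocol` help lists imaps among the protocols that "switch to TLS" (`smtp,pop3,imap,imaps,ftp,ldap: switch to TLS`) although imaps, like pop3s, is implicit TLS on a dedicated port; only the STARTTLS protocols belong in that list. The option table also offers `--tls1_3` without a matching `--no_tls1_3`, while every other version from `--ssl2` to `--tls1_2` has a `--no_` counterpart, so TLS 1.3 is the one version a user cannot exclude the way the others can.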
......@@ -72,13 +72,20 @@ Thanks:
* Many thanks to eeertel (https://github.com/eeertel) for the SNI warning patch
* Many thanks to Vojtech Horky (https://github.com/vhotspur) for the --format patch
* Many thanks to Markus Frosch (https://github.com/lazyfrosch) for the cleanup patch
* Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests, long output on Linux, extending the issuer checks to the whole chain
* Many thanks to Ricardo Bartels (https://github.com/bb-Ricardo) for the patches fixing unit tests,
long output on Linux, extending the issuer checks to the whole chain
* Many thanks to eimamagi (https://github.com/eimamagi) for the client key patch and for the CA file and directory support
* Many thanks to Stefan Schlesinger for the HTTP_REQUEST patch
* Many thanks to sokol-44 (https://github.com/sokol-44) for the HTTP request fix
* Many thanks to Jonas Meurer (https://github.com/mejo-) for the IMAP / IMAPS fix
* Many thanks to Mathieu Simon (https://github.com/matsimon) for the IMAPS and POP3S patch
* Many thanks to Mathieu Simon (https://github.com/matsimon) for the IMAPS, POP3S and LDAP patches
* Many thanks to Nico (https://github.com/nicox) for the SSLlabs patch
* Many thanks to barakAtSoluto (https://github.com/barakAtSoluto) for the SSLlabs warning patch
* Many thanks to Valentin Heidelberger (https://github.com/va1entin) for the cURL user agent patch
* Many thanks to Tone (https://github.com/anthonyhaussman) for the warning message improvement patch
* Many thanks to Michael Niewiara (https://github.com/mobitux) for the HTTPS/echo fix
* Many thanks to Zadkiel (https://github.com/aslafy-z) for the extended regex patch
* Many thanks to Dick Visser (https://github.com/dnmvisser) for the --inetproto patch
* Many thanks to jmuecke (https://github.com/jmuecke) for the multiple errors patch
* Many thanks to iasdeoupxe (https://github.com/iasdeoupxe) for various fixes
* Many thanks to Andre Klärner (https://github.com/klaernie) for the typos corrections
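Review bot: the continuation line `long output on Linux, extending the issuer checks to the whole chain` carries no leading `* ` or indentation, so in this plain-text AUTHORS list it reads as a separate entry; either keep the Ricardo Bartels line unwrapped, as it was before, or indent the continuation. The same entry would also read better with "and" before the last item.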
2019-06-02 Matteo Corti <corti@macmini.home>
2019-09-24 Matteo Corti <matteo@corti.li>
* check_ssl_cert (critical): Return the filename when using --file by warnings
* check_ssl_cert: Fixed a bug in the processing of the SSL Labs options
* check_ssl_cert: Fixed a bug with POP3S
2019-09-24 Matteo Corti <matteo@corti.li>
* check_ssl_cert: OCSP check does not trigger an additional s_client call
2019-09-19 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Fixed a problem in the critical output
2019-09-18 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Consolidated the error messages in case of more than one error
* check_ssl_cert: Fixed a bug where the cypher was not forced by the OCSP checks
2019-08-09 Matteo Corti <matteo@corti.li>
* check_ssl_cert (ascii_grep): Removed NULL characters before 'grepping' a file
* check_ssl_cert (critical): Display the CN in a crical or warning message (if present)
* check_ssl_cert: merged patch to choose the IP protocol version
2019-08-08 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Applied patch to support LDAPS
* check_ssl_cert.1: Formatting and ordering
2019-07-26 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Try to detect if LDAP is not supported
2019-06-02 Matteo Corti <matteo@corti.li>
* check_ssl_cert: Return the filename when using --file by warnings
2019-03-28 Matteo Corti <matteo@corti.li>
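Review bot: `2019-09-24 Matteo Corti <matteo@corti.li>` opens two separate entries (the one starting with "Return the filename when using --file" and the one with the OCSP s_client change); merge them into a single dated entry. The "Return the filename when using --file by warnings" item also duplicates the 2019-06-02 entry further down, differing only by the "(critical)" prefix. Two typos in the new lines: "crical" for "critical" and "cypher" for "cipher".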
......@@ -37,6 +37,9 @@ distclean: clean
test: dist
( export SHUNIT2="$$(pwd)/shunit2/shunit2" && cd test && ./unit_tests.sh )
shellcheck:
if shellcheck --help 2>&1 | grep -q -- '-o\ ' ; then shellcheck -o all check_ssl_cert test/unit_tests.sh ; else shellcheck check_ssl_cert test/unit_tests.sh ; fi
copyright_check:
grep -q "(c) Matteo Corti, 2007-$(YEAR)" README.md
grep -q "Copyright (c) 2007-$(YEAR) Matteo Corti" COPYRIGHT
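Review bot: nothing in the visible rules depends on the new `copyright_check` target (`test: dist` is unchanged), so it only runs when invoked by hand; add it as a prerequisite of `test` or `dist` if the intent is to catch a stale year before a release. The target also relies on `$(YEAR)` being defined elsewhere in the Makefile, and the `shellcheck` rule's `grep -q -- '-o\ '` probe for the `-o` flag silently falls back to the plain invocation on any shellcheck whose help text formats that option differently, so a failure of the stricter check can go unnoticed.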
2019-09-25 Version 1.96.0: Bug fixes
2019-09-24 Version 1.95.0: Bug fixes
2019-09-24 Version 1.94.0: Several bugs fixed
2019-09-24 Version 1.93.0: Fixed a bug in the processing of the SSL Labs options
2019-09-24 Version 1.92.0: Bug fix in the OCSP check
2019-09-23 Version 1.91.0: Various minor improvements and fixes
2019-09-19 Version 1.90.0: Bug fix, did not always print all the detected errors
2019-08-22 Version 1.89.0: Prints all the errors
2019-08-09 Version 1.88.0: Add an option to force IPv4 or IPv6
2019-08-08 Version 1.87.0: LDAPS support
2019-07-21 Version 1.86.0: Fixed a bug and enabled extended regex search
2019-06-02 Version 1.85.0: Improved the warnings when using the --file option
2019-03-28 Version 1.84.0: Added an option to specify the cURL user agent
2019-03-01 Version 1.83.0: Spelling corrections
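Review bot: four of the six newest entries (1.96.0, 1.95.0, 1.94.0 and 1.91.0) read only "Bug fixes", "Several bugs fixed" or "Various minor improvements and fixes", which gives a user no way to tell which release they need; name the fix as the 1.92.0 and 1.93.0 lines do (`Bug fix in the OCSP check`, `Fixed a bug in the processing of the SSL Labs options`).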
(c) Matteo Corti, ETH Zurich, 2007-2012
(c) Matteo Corti, 2007-2019
see AUTHORS for the complete list of contributors
# check_ssl_cert
A shell script (that can be used as a Nagios plugin) to check an X.509 certificate:
- checks if the server is running and delivers a valid certificate
- checks if the CA matches a given pattern
- checks the validity
## Usage
```
Usage: check_ssl_cert -H host [OPTIONS]
Arguments:
-H,--host host server
Options:
-A,--noauth ignore authority warnings (expiration only)
--altnames matches the pattern specified in -n with
alternate names too
-C,--clientcert path use client certificate to authenticate
--clientpass phrase set passphrase for client certificate.
-c,--critical days minimum number of days a certificate has to
be valid to issue a critical status
--curl-bin path path of the curl binary to be used
--curl-user-agent string user agent that curl shall use to obtain the
issuer cert
-d,--debug produces debugging output
--ecdsa cipher selection: force ECDSA authentication
-e,--email address pattern to match the email address contained
in the certificate
-f,--file file local file path (works with -H localhost only)
with -f you can not only pass a x509
certificate file but also a certificate
revocation list (CRL) to check the validity
period
--file-bin path path of the file binary to be used
--fingerprint SHA1 pattern to match the SHA1-Fingerprint
--force-perl-date force the usage of Perl for date computations
--format FORMAT format output template on success, for example
"%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'"
-h,--help,-? this help message
--http-use-get use GET instead of HEAD (default) for the HTTP
related checks
--ignore-exp ignore expiration date
--ignore-ocsp do not check revocation with OCSP
--ignore-sig-alg do not check if the certificate was signed with SHA1
or MD5
--ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L)
--inetproto protocol Force IP version 4 or 6
-i,--issuer issuer pattern to match the issuer of the certificate
--issuer-cert-cache dir directory where to store issuer certificates cache
-K,--clientkey path use client certificate key to authenticate
-L,--check-ssl-labs grade SSL Labs assessment
(please check https://www.ssllabs.com/about/terms.html)
--check-ssl-labs-warn-grade SSL-Labs grade on which to warn
--long-output list append the specified comma separated (no spaces) list
of attributes to the plugin output on additional lines
Valid attributes are:
enddate, startdate, subject, issuer, modulus,
serial, hash, email, ocsp_uri and fingerprint.
'all' will include all the available attributes.
-n,--cn name pattern to match the CN of the certificate (can be
specified multiple times)
--no_ssl2 disable SSL version 2
--no_ssl3 disable SSL version 3
--no_tls1 disable TLS version 1
--no_tls1_1 disable TLS version 1.1
--no_tls1_2 disable TLS version 1.2
-N,--host-cn match CN with the host name
-o,--org org pattern to match the organization of the certificate
--openssl path path of the openssl binary to be used
-p,--port port TCP port
-P,--protocol protocol use the specific protocol
{ftp|ftps|http|imap|imaps|irc|ldap|ldaps|pop3|pop3s|smtp|smtps|xmpp}
http: default
ftp,imap,ldap,pop3,smtp: switch to TLS using StartTLS
-s,--selfsigned allows self-signed certificates
--serial serialnum pattern to match the serial number
--sni name sets the TLS SNI (Server Name Indication) extension
in the ClientHello message to 'name'
--ssl2 forces SSL version 2
--ssl3 forces SSL version 3
--require-ocsp-stapling require OCSP stapling
--require-san require the presence of a Subject Alternative Name
extension
-r,--rootcert path root certificate or directory to be used for
certificate validation
--rootcert-dir path root directory to be used for certificate validation
--rootcert-file path root certificate to be used for certificate validation
--rsa cipher selection: force RSA authentication
--temp dir directory where to store the temporary files
--terse terse output
-t,--timeout seconds timeout after the specified time
(defaults to 15 seconds)
--tls1 force TLS version 1
--tls1_1 force TLS version 1.1
--tls1_2 force TLS version 1.2
--tls1_3 force TLS version 1.3
-v,--verbose verbose output
-V,--version version
-w,--warning days minimum number of days a certificate has to be valid
to issue a warning status
--xmpphost name specifies the host for the 'to' attribute of the stream element
-4 force IPv4
-6 force IPv6
Deprecated options:
--days days minimum number of days a certificate has to be valid
(see --critical and --warning)
--ocsp check revocation via OCSP
-S,--ssl version force SSL version (2,3)
(see: --ssl2 or --ssl3)
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
```
## Expect
check_ssl_cert requires 'expect' to enable timeouts. If expect is not
present on your system timeouts will be disabled.
See: http://en.wikipedia.org/wiki/Expect
## Virtual servers
check_ssl_cert supports the servername TLS extension in ClientHello
if the installed openssl version provides it. This is needed if you
are checking a machine with virtual hosts.
## SSL Labs
If `-L` or `--check-ssl-labs` are specified the plugin will check the
cached status using the SSL Labs Assessment API (see
https://www.ssllabs.com/about/terms.html).
The plugin will ask for a cached result (maximum age 1 day) to avoid
to many checks. The first time you issue the check you could therefore
get an outdated result.
## Notes
The root certificate corresponding to the checked certificate must be
available to openssl or specified with the `-r cabundle` or
`--rootcert cabundle` option, where cabundle is either a file for `-CAfile`
or a directory for `-CApath`.
On macOS the root certificates bundle is stored in the Keychain and
openssl will complain with:
```
verification error: unable to get local issuer certificate
```
The bundle can be extracted with:
```
$ sudo security find-certificate -a \
-p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt
```
and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option
```
./check_ssl_cert -H www.google.com -r ./cabundle.crt
```
## Bugs
The timeout is applied to each action involving a download.
Report bugs to https://github.com/matteocorti/check_ssl_cert/issues
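Review bot: `Report bugs to https://github.com/matteocorti/check_ssl_cert/issues` now appears twice, once inside the Usage block and again under ## Bugs; keep one. The new `-4`/`-6` entries sit after `--xmpphost` instead of in option order, and neither they nor `--inetproto protocol` say which wins when both are given. Two wording fixes while here: "with -f you can not only pass a x509" should read "an x509", and "to avoid to many checks" should read "too many".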
.\" Process this file with
.\" groff -man -Tascii foo.1
.\" groff -man -Tascii check_ssl_cert.1
.\"
.TH "check_ssl_cert" 1 "June, 2019" "1.85.0" "USER COMMANDS"
.TH "check_ssl_cert" 1 "September, 2019" "1.96.0" "USER COMMANDS"
.SH NAME
check_ssl_cert \- checks the validity of X.509 certificates
.SH SYNOPSIS
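Review bot: the version and date in `.TH "check_ssl_cert" 1 "September, 2019" "1.96.0" "USER COMMANDS"` are hand-edited and duplicated in the spec's `%define version` and in NEWS, with no check like the Makefile's `copyright_check` covering them; consider deriving the .TH line from the release version at build time so the three cannot drift apart.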
......@@ -66,6 +66,9 @@ custom output format (e.g. "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'")
.BR "-h,--help,-?"
this help message
.TP
.BR " --http-use-get"
use GET instead of HEAD (default) for the HTTP related checks
.TP
.BR " --ignore-exp"
ignore expiration date
.TP
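Review bot: the `--http-use-get` description says GET replaces HEAD but not which requests "the HTTP related checks" are or when HEAD is not enough (a server that rejects HEAD, for instance); one clarifying sentence here, mirrored in the README Usage block, would save users a trip to the source.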
......@@ -128,7 +131,9 @@ path of the openssl binary to be used
TCP port
.TP
.BR "-P,--protocol" " protocol"
use the specific protocol: http (default), irc or smtp,pop3,imap,ftp,ldap (switch to TLS)
use the specific protocol: ftp, ftps, http (default), imap, imaps, irc, ldap, ldaps, pop3, pop3s, smtp, smtps, xmpp.
.br
These protocols switch to TLS using StartTLS: ftp, imap, ldap, pop3, smtp.
.TP
.BR "-s,--selfsigned"
allows self-signed certificates
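Review bot: the StartTLS sentence (`ftp, imap, ldap, pop3, smtp`) leaves xmpp and irc unclassified although both appear in the protocol list; XMPP negotiates TLS through STARTTLS on the stream (which is what `--xmpphost` exists for), so it belongs in that list, and irc should be described one way or the other so readers know whether `-p,--port` must point at a TLS port.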
......@@ -197,6 +202,12 @@ minimum number of days a certificate has to be valid to issue a warning status
.TP
.BR " --xmpphost" " name"
specifies the host for the "to" attribute of the stream element
.TP
.BR "-4"
forces IPv4
.TP
.BR "-6"
forces IPv6
.SH DEPRECATED OPTIONS
.TP
.BR "-d,--days" " days"
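Review bot: `-4`/`-6` are documented as "forces IPv4"/"forces IPv6" here but as "force IPv4"/"force IPv6" in the README Usage block, and in both places they are appended after `--xmpphost` instead of following the option order the rest of the page keeps; place them with the other short options and state how they relate to `--inetproto protocol`, which the README lists for the same purpose.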
%define version 1.85.0
%define version 1.96.0
%define release 0
%define sourcename check_ssl_cert
%define packagename nagios-plugins-check_ssl_cert
......@@ -45,6 +45,39 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/%{sourcename}.1*
%changelog
* Wed Sep 25 2019 Matteo Corti <matteo@corti.li> - 1.96.0-0
- Updated to 1.96.0
* Tue Sep 24 2019 Matteo Corti <matteo@corti.li> - 1.95.0-0
- Updated to 1.95.0
* Tue Sep 24 2019 Matteo Corti <matteo@corti.li> - 1.94.0-0
- Updated to 1.94.0
* Tue Sep 24 2019 Matteo Corti <matteo@corti.li> - 1.93.0-0
- Updated to 1.93.0
* Tue Sep 24 2019 Matteo Corti <matteo@corti.li> - 1.92.0-0
- Updated to 1.92.0
* Tue Sep 24 2019 Matteo Corti <matteo@corti.li> - 1.91.0-0
- Updated to 1.91.0
* Thu Sep 19 2019 Matteo Corti <matteo@corti.li> - 1.90.0-0
- Updated to 1.90.0
* Thu Aug 22 2019 Matteo Corti <matteo@corti.li> - 1.89.0-0
- Updated to 1.89.0
* Thu Aug 9 2019 Matteo Corti <matteo@corti.li> - 1.88.0-0
- Updated to 1.88.0
* Thu Aug 8 2019 Matteo Corti <matteo@corti.li> - 1.87.0-0
- Updated to 1.87.0
* Sun Jul 21 2019 Matteo Corti <matteo@corti.li> - 1.86.0-0
- Updated to 1.86.0
* Sun Jun 2 2019 Matteo Corti <matteo@corti.li> - 1.85.0-0
- Updated to 1.85.0
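Review bot: `* Thu Aug 9 2019 Matteo Corti <matteo@corti.li> - 1.88.0-0` has the wrong weekday: 9 August 2019 was a Friday (8 August, the 1.87.0 entry, was the Thursday), and rpmbuild reports a mismatched weekday as a bogus date in %changelog. The remaining entries agree with the dates in NEWS.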