diff options
Diffstat (limited to 'nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/README.md')
| -rw-r--r-- | nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/README.md | 167 |
1 files changed, 167 insertions, 0 deletions
diff --git a/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/README.md b/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/README.md new file mode 100644 index 0000000..a7bc7e2 --- /dev/null +++ b/nagios-plugins-contrib-24.20190301~bpo9+1/check_ssl_cert/check_ssl_cert-1.83.0/README.md @@ -0,0 +1,167 @@ + + (c) Matteo Corti, ETH Zurich, 2007-2012 + + (c) Matteo Corti, 2007-2019 + see AUTHORS for the complete list of contributors + +# check_ssl_cert + +A Nagios plugin to check an X.509 certificate: + - checks if the server is running and delivers a valid certificate + - checks if the CA matches a given pattern + - checks the validity + +## Usage + +``` + +Usage: check_ssl_cert -H host [OPTIONS] + +Arguments: + -H,--host host server + +Options: + -A,--noauth ignore authority warnings (expiration only) + --altnames matches the pattern specified in -n with alternate + names too + -C,--clientcert path use client certificate to authenticate + --clientpass phrase set passphrase for client certificate. + -c,--critical days minimum number of days a certificate has to be valid + to issue a critical status + --curl-bin path path of the curl binary to be used + -d,--debug produces debugging output + --ecdsa cipher selection: force ECDSA authentication + -e,--email address pattern to match the email address contained in the + certificate + -f,--file file local file path (works with -H localhost only) + with -f you can not only pass a x509 certificate file + but also a certificate revocation list (CRL) to check + the validity period + --file-bin path path of the file binary to be used + --fingerprint SHA1 pattern to match the SHA1-Fingerprint + --force-perl-date force the usage of Perl for date computations + --format FORMAT format output template on success, for example + "%SHORTNAME% OK %CN% from '%CA_ISSUER_MATCHED%'" + -h,--help,-? this help message + --ignore-exp ignore expiration date + --ignore-ocsp do not check revocation with OCSP + --ignore-sig-alg do not check if the certificate was signed with SHA1 + or MD5 + --ignore-ssl-labs-cache Forces a new check by SSL Labs (see -L) + -i,--issuer issuer pattern to match the issuer of the certificate + --issuer-cert-cache dir directory where to store issuer certificates cache + -L,--check-ssl-labs grade SSL Labs assessment + (please check https://www.ssllabs.com/about/terms.html) + --check-ssl-labs-warn-grade SSL-Labs grade on which to warn + --long-output list append the specified comma separated (no spaces) list + of attributes to the plugin output on additional lines + Valid attributes are: + enddate, startdate, subject, issuer, modulus, + serial, hash, email, ocsp_uri and fingerprint. + 'all' will include all the available attributes. + -n,--cn name pattern to match the CN of the certificate (can be + specified multiple times) + --no_ssl2 disable SSL version 2 + --no_ssl3 disable SSL version 3 + --no_tls1 disable TLS version 1 + --no_tls1_1 disable TLS version 1.1 + --no_tls1_2 disable TLS version 1.2 + -N,--host-cn match CN with the host name + -o,--org org pattern to match the organization of the certificate + --openssl path path of the openssl binary to be used + -p,--port port TCP port + -P,--protocol protocol use the specific protocol + {http|smtp|pop3|pop3s|imap|imaps|ftp|xmpp|irc|ldap} + http: default + smtp,pop3,imap,imaps,ftp,ldap: switch to TLS + -s,--selfsigned allows self-signed certificates + --serial serialnum pattern to match the serial number + --sni name sets the TLS SNI (Server Name Indication) extension + in the ClientHello message to 'name' + --ssl2 forces SSL version 2 + --ssl3 forces SSL version 3 + --require-ocsp-stapling require OCSP stapling + --require-san require the presence of a Subject Alternative Name + extension + -r,--rootcert path root certificate or directory to be used for + certificate validation + --rootcert-dir path root directory to be used for certificate validation + --rootcert-file path root certificate to be used for certificate validation + --rsa cipher selection: force RSA authentication + --temp dir directory where to store the temporary files + --terse terse output + -t,--timeout seconds timeout after the specified time + (defaults to 15 seconds) + --tls1 force TLS version 1 + --tls1_1 force TLS version 1.1 + --tls1_2 force TLS version 1.2 + --tls1_3 force TLS version 1.3 + -v,--verbose verbose output + -V,--version version + -w,--warning days minimum number of days a certificate has to be valid + to issue a warning status + --xmpphost name specifies the host for the 'to' attribute of the stream element + +Deprecated options: + --days days minimum number of days a certificate has to be valid + (see --critical and --warning) + --ocsp check revocation via OCSP + -S,--ssl version force SSL version (2,3) + (see: --ssl2 or --ssl3) +``` + +## Expect + +check_ssl_cert requires 'expect' to enable timeouts. If expect is not +present on your system timeouts will be disabled. + +See: http://en.wikipedia.org/wiki/Expect + +## Virtual servers + +check_ssl_client supports the servername TLS extension in ClientHello +if the installed openssl version provides it. This is needed if you +are checking a machine with virtual hosts. + +## SSL Labs + +If `-L` or `--check-ssl-labs` are specified the plugin will check the +cached status using the SSL Labs Assessment API (see +https://www.ssllabs.com/about/terms.html). + +The plugin will ask for a cached result (maximum age 1 day) to avoid +to many checks. The first time you issue the check you could therefore +get an outdated result. + +## Notes + +The root certificate corresponding to the checked certificate must be +available to openssl or specified with the `-r cabundle` or +`--rootcert cabundle` option, where cabundle is either a file for `-CAfile` +or a directory for `-CApath`. + +On macOS the root certificates bundle is stored in the Keychain and +openssl will complain with: + +``` +verification error: unable to get local issuer certificate +``` + +The bundle can be extracted with: + +``` +$ sudo security find-certificate -a \ + -p /System/Library/Keychains/SystemRootCertificates.keychain > cabundle.crt +``` + +and then submitted to `check_ssl_cert` with the `-r,--rootcert path` option + +``` + ./check_ssl_cert -H www.google.com -r ./cabundle.crt +``` + +## Bugs + +The timeout is applied to each action involving a download. + +Report bugs to https://github.com/matteocorti/check_ssl_cert/issues |