check_ssl_cert(1)                USER COMMANDS               check_ssl_cert(1)

NAME

       check_ssl_cert - checks the validity of X.509 certificates


SYNOPSIS

       check_ssl_cert -H host [OPTIONS]
       check_ssl_cert -f file [OPTIONS]


DESCRIPTION

       check_ssl_cert is a shell script (that can be used as a Nagios/Icinga
       plugin) to check an SSL/TLS connection and the certificate it presents.


ARGUMENTS

       -f,--file file
              Local file path or URI. With -f you can not only pass an X.509
              certificate file but also a certificate revocation list (CRL),
              to check its validity period, or a Java KeyStore file

       -H,--host host
              The server to connect to


OPTIONS

       -A,--noauth
              Ignore authority warnings (expiration only)

          --all
              Enable all the possible optional checks at the maximum level

          --all-local
              Enable all the possible optional checks at the maximum level
              (without SSL Labs)

          --allow-empty-san
              Allow certificates without Subject Alternative Names (SANs)

       -C,--clientcert path
              Use client certificate to authenticate

       -c,--critical days
              Minimum number of days a certificate has to be valid to issue a
              critical status. Can be a floating point number, e.g., 0.5.
              Default: 15

          --check-chain
              The certificate chain cannot contain duplicate or root
              certificates

          --check-ciphers grade
              Check the offered ciphers

          --check-ciphers-warnings
              Critical if nmap reports a warning for an offered cipher

          --check-http-headers
              Check the HTTP headers for best practices

          --check-ssl-labs-warn grade
              SSL Labs grade on which to warn

          --clientpass phrase
              Set passphrase for client certificate

          --configuration file
              Read options from the specified file

          --crl
              Check revocation via CRL (requires --rootcert-file)

          --curl-bin path
              Path of the curl binary to be used

          --custom-http-header string
              Custom HTTP header sent when fetching the certificate, e.g.,
              'X-Check-Ssl-Cert: Foobar=1'

          --dane
              Verify that valid DANE records exist (since OpenSSL 1.1.0)

          --dane 211
              Verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record
              exists

          --dane 301
              Verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record
              exists

          --dane 302
              Verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record
              exists

          --dane 311
              Verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record
              exists

          --dane 312
              Verify that a valid DANE-EE(3) SPKI(1) SHA2-512(2) TLSA record
              exists

          --date path
              Path of the date binary to be used

       -d,--debug
              Produce debugging output (can be specified more than once)

          --debug-cert
              Store the retrieved certificates in the current directory

          --debug-file file
              Write the debug messages to file

          --debug-headers
              Store the retrieved HTTP headers in the headers.txt file

          --debug-time
              Write timing information in the debugging output

          --default-format
              Print the default output format and exit

          --dig-bin path
              Path of the dig binary to be used

          --dtls
              Use the DTLS protocol

          --dtls1
              Use the DTLS protocol 1.0

          --dtls1_2
              Use the DTLS protocol 1.2

       -e,--email address
              Pattern to match the email address contained in the certificate

          --ecdsa
              Signature algorithm selection: force ECDSA certificate

          --element number
              Check up to the Nth certificate element from the beginning of
              the chain

          --file-bin path
              Path of the file binary to be used

          --fingerprint SHA1
              Pattern to match the SHA1 fingerprint

          --first-element-only
              Verify just the first certificate element, not the whole chain

          --force-dconv-date
              Force the usage of dconv for date computations

          --force-perl-date
              Force the usage of Perl for date computations

          --format FORMAT
              Format output template on success, for example: '%SHORTNAME% OK
              %CN% from %CA_ISSUER_MATCHED%'
              List of possible variables:
              - %CA_ISSUER_MATCHED%
              - %CHECKEDNAMES%
              - %CN%
              - %DATE%
              - %DAYS_VALID%
              - %DYSPLAY_CN%
              - %HOST%
              - %OCSP_EXPIRES_IN_HOURS%
              - %OPENSSL_COMMAND%
              - %PORT%
              - %SELFSIGNEDCERT%
              - %SHORTNAME%
              - %SIGALGO%
              - %SSL_LABS_HOST_GRADE%
              See --default-format for the default

          --grep-bin path
              Path of the grep binary to be used

       -h,--help,-?
              This help message

          --http-headers-path path
              The path to be used to fetch HTTP headers

          --http-use-get
              Use GET instead of HEAD (default) for the HTTP related checks

       -i,--issuer issuer
              Pattern to match the issuer of the certificate

          --ignore-altnames
              Ignore alternative names when matching the pattern specified in
              -n (or the host name)

          --ignore-connection-problems [state]
              In case of connection problems return OK or the optional state

          --ignore-exp
              Ignore expiration date

          --ignore-host-cn
              Do not complain if the CN does not match the host name

          --ignore-incomplete-chain
              Do not check chain integrity

          --ignore-maximum-validity
              Ignore the certificate maximum validity

          --ignore-ocsp
              Do not check revocation with OCSP

          --ignore-ocsp-errors
              Continue if the OCSP status cannot be checked

          --ignore-ocsp-timeout
              Ignore the OCSP result when a timeout occurs while checking

          --ignore-sct
              Do not check for signed certificate timestamps (SCT)

          --ignore-sig-alg
              Do not check if the certificate was signed with SHA1 or MD5

          --ignore-ssl-labs-cache
              Force a new check by SSL Labs (see -L)

          --ignore-tls-renegotiation
              Ignore the TLS renegotiation check

          --inetproto protocol
              Force IP version 4 or 6

          --info
              Print certificate information

          --init-host-cache
              Initialize the host cache

          --issuer-cert-cache dir
              Directory where to store the issuer certificates cache

          --jks-alias alias
              Alias name of the Java KeyStore entry (requires --file)

       -K,--clientkey path
              Use client certificate key to authenticate

       -L,--check-ssl-labs grade
              SSL Labs assessment (please check
              https://www.ssllabs.com/about/terms.html). Critical if the grade
              is lower than specified.

          --long-output list
              Append the specified comma separated (no spaces) list of
              attributes to the plugin output on additional lines. Valid
              attributes are: enddate, startdate, subject, issuer, modulus,
              serial, hash, email, ocsp_uri and fingerprint. 'all' will
              include all the available attributes.

       -m,--match name
              Pattern to match the CN or AltName (can be specified multiple
              times)

          --maximum-validity [days]
              The maximum validity of the certificate must not exceed 'days'
              (default 397). This check is automatic for HTTPS

          --nmap-bin path
              Path of the nmap binary to be used

          --no-perf
              Do not show performance data

          --no-proxy
              Ignore the http_proxy and https_proxy environment variables

          --no-proxy-curl
              Ignore the http_proxy and https_proxy environment variables for
              curl

          --no-proxy-s_client
              Ignore the http_proxy and https_proxy environment variables for
              openssl s_client

          --no-ssl2
              Disable SSL version 2

          --no-ssl3
              Disable SSL version 3

          --no-tls1
              Disable TLS version 1

          --no-tls1_1
              Disable TLS version 1.1

          --no-tls1_2
              Disable TLS version 1.2

          --no-tls1_3
              Disable TLS version 1.3

          --not-issued-by issuer
              Check that the issuer of the certificate does not match the
              given pattern

          --not-valid-longer-than days
              Critical if the certificate validity is longer than the
              specified period

       -o,--org org
              Pattern to match the organization of the certificate

          --ocsp-critical hours
              Minimum number of hours an OCSP response has to be valid to
              issue a critical status

          --ocsp-warning hours
              Minimum number of hours an OCSP response has to be valid to
              issue a warning status

          --openssl path
              Path of the openssl binary to be used

       -p,--port port
              TCP port (default 443)

          --precision digits
              Number of decimal places for durations: defaults to 0 if
              critical or warning are integers, 2 otherwise

       -P,--protocol protocol
              Use the specific protocol: ftp, ftps, http, https (default), h2
              (HTTP/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3,
              pop3s, postgres, sieve, smtp, smtps, tds, xmpp, xmpp-server.
              These protocols switch to TLS using StartTLS: ftp, imap, irc,
              ldap, mysql, pop3, postgres, sieve, smtp.

          --password source
              Password source for a local certificate, see the PASS PHRASE
              ARGUMENTS section of openssl(1)

          --prometheus
              Generate Prometheus/OpenMetrics output

          --proxy proxy
              Set http_proxy and the s_client -proxy option

          --python-bin path
              Path of the python binary to be used

       -q,--quiet
              Do not produce any output

       -r,--rootcert cert
              Root certificate or directory to be used for certificate
              validation (passed to openssl's -CAfile or -CApath)

          --require-client-cert [list]
              The server must accept a client certificate. 'list' is an
              optional comma separated list of expected client certificate CAs

          --require-dnssec
              Require DNSSEC

          --require-http-header header
              Require the specified HTTP header (e.g., X-Frame-Options)

          --require-no-http-header header
              Require the absence of the specified HTTP header (e.g.,
              X-Powered-By)

          --require-no-ssl2
              Critical if SSL version 2 is offered

          --require-no-ssl3
              Critical if SSL version 3 is offered

          --require-no-tls1
              Critical if TLS 1 is offered

          --require-no-tls1_1
              Critical if TLS 1.1 is offered

          --require-ocsp-stapling
              Require OCSP stapling

          --require-purpose usage
              Require the specified key usage (can be specified more than
              once)

          --require-purpose-critical
              The key usage must be critical

          --require-security-header header
              Require the specified HTTP security header (e.g.,
              X-Frame-Options)

          --require-security-headers
              Require all the HTTP security headers:
                Content-Security-Policy
                Permissions-Policy
                Referrer-Policy
                strict-transport-security
                X-Content-Type-Options
                X-Frame-Options

          --resolve ip
              Provide a custom IP address for the specified host

          --rootcert-dir dir
              Root directory to be used for certificate validation (passed to
              openssl's -CApath); overrides option -r,--rootcert

          --rootcert-file cert
              Root certificate to be used for certificate validation (passed
              to openssl's -CAfile); overrides option -r,--rootcert

          --rsa
              Signature algorithm selection: force RSA certificate

       -s,--selfsigned
              Allow self-signed certificates

          --serial serialnum
              Pattern to match the serial number

          --skip-element number
              Skip checks on the Nth certificate element (can be specified
              multiple times)

          --sni name
              Set the TLS SNI (Server Name Indication) extension in the
              ClientHello message to 'name'

          --ssl2
              Force SSL version 2

          --ssl3
              Force SSL version 3

       -t,--timeout seconds
              Timeout after the specified time (defaults to 120 seconds)

          --temp dir
              Directory where to store the temporary files

          --terse
              Terse output (also see --verbose)

          --tls1
              Force TLS version 1

          --tls1_1
              Force TLS version 1.1

          --tls1_2
              Force TLS version 1.2

          --tls1_3
              Force TLS version 1.3

       -u,--url URL
              HTTP request URL

          --user-agent string
              User agent that shall be used for HTTPS connections

       -v,--verbose
              Verbose output (can be specified more than once)

       -V,--version
              Print the version

       -w,--warning days
              Minimum number of days a certificate has to be valid to issue a
              warning status. Can be a floating point number, e.g., 0.5.
              Default: 20

          --xmpphost name
              Specify the host for the 'to' attribute of the stream element

       -4     Force IPv4

       -6     Force IPv6


DEPRECATED OPTIONS

          --altnames
              Match the pattern specified in -n with alternate names too
              (enabled by default)

       -n,--cn name
              Pattern to match the CN or AltName (can be specified multiple
              times)

          --curl-user-agent string
              User agent that curl shall use to obtain the issuer cert

       -d,--days days
              Minimum number of days a certificate has to be valid (see
              --critical and --warning)

       -N,--host-cn
              Match CN with the host name (enabled by default)

          --no_ssl2
              Disable SSLv2 (deprecated, use --no-ssl2)

          --no_ssl3
              Disable SSLv3 (deprecated, use --no-ssl3)

          --no_tls1
              Disable TLSv1 (deprecated, use --no-tls1)

          --no_tls1_1
              Disable TLSv1.1 (deprecated, use --no-tls1_1)

          --no_tls1_2
              Disable TLSv1.2 (deprecated, use --no-tls1_2)

          --no_tls1_3
              Disable TLSv1.3 (deprecated, use --no-tls1_3)

          --ocsp
              Check revocation via OCSP (enabled by default)

          --require-hsts
              Require HTTP Strict Transport Security (deprecated, use
              --require-security-header strict-transport-security)

          --require-security-headers-path path
              The path to be used to fetch HTTP security headers

          --require-san
              Require the presence of a Subject Alternative Name extension

          --require-x-frame-options [path]
              Require the presence of the X-Frame-Options HTTP header. 'path'
              is the optional path to be used in the URL to check for the
              header (deprecated, use --require-security-header
              X-Frame-Options and --require-security-headers-path path)

       -S,--ssl version
              Force SSL version (2,3) (see: --ssl2 or --ssl3)


CONFIGURATION

       Command line options can be specified in a configuration file
       (${HOME}/.check_ssl_certrc). For example:

         $ cat ${HOME}/.check_ssl_certrc
         --verbose
         --critical 20
         --warning 40

       Options specified in the configuration file are read before processing
       the command line arguments and can be overridden by them.


NOTES

       If the host has multiple certificates and the installed openssl version
       supports the -servername option, it is possible to specify the TLS SNI
       (Server Name Indication) with the -N (or --host-cn) option.


EXIT STATUS

       check_ssl_cert returns a zero exit status if it finds no errors, 1 for
       warnings, 2 for critical errors and 3 for unknown problems.

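       The threshold logic of -c/-w (floating point days allowed), the
       --precision default, %VARIABLE% expansion of a --format template and
       the exit codes above, as an added Python example that is not part of
       the check_ssl_cert script. It assumes the end date is the line printed
       by "openssl x509 -noout -enddate", that %SHORTNAME% expands to
       "SSL_CERT", and reads "critical or warning are integers" as both being
       integers; the sample dates and NOW_EXAMPLE are constructed.

```python
import re
from datetime import datetime, timezone

# Exit codes as documented in the EXIT STATUS section
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}
SHORTNAME = "SSL_CERT"  # value of %SHORTNAME%; assumed, not taken from the man page

# Constructed "now" so that the results are reproducible offline
NOW_EXAMPLE = datetime(2025, 1, 1, 0, 0, 0, tzinfo=timezone.utc)

def parse_enddate(line):
    """Parse a line such as "notAfter=Nov 10 12:00:00 2025 GMT", the format
    printed by "openssl x509 -noout -enddate" (assumed); None if it does not match."""
    m = re.fullmatch(r"notAfter=(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) (\d{4}) GMT", line.strip())
    if not m:
        return None
    mon, day, hms, year = m.groups()
    dt = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc)

def default_precision(critical, warning):
    """--precision default: 0 if the thresholds are integers, 2 otherwise
    (read here as: both thresholds integers -> 0)."""
    both_int = float(critical).is_integer() and float(warning).is_integer()
    return 0 if both_int else 2

def expand_format(fmt, variables):
    """Substitute the %NAME% placeholders of a --format template; unknown
    placeholders are left untouched."""
    return re.sub(r"%(\w+)%", lambda m: str(variables.get(m.group(1), m.group(0))), fmt)

def evaluate(enddate_line, now, critical=15, warning=20, precision=None,
             cn="", host="", fmt="%SHORTNAME% OK %CN% from %HOST%"):
    """Return (exit_status, plugin_output). critical/warning are days as for
    -c/-w and may be floats (e.g. 0.5); fmt is applied on success only."""
    not_after = parse_enddate(enddate_line)
    if not_after is None:
        return UNKNOWN, f"{SHORTNAME} UNKNOWN - cannot parse end date: {enddate_line!r}"
    days_valid = (not_after - now).total_seconds() / 86400.0
    if precision is None:
        precision = default_precision(critical, warning)
    days = f"{days_valid:.{precision}f}"
    if days_valid < critical:      # fewer than --critical days left (or expired)
        status = CRITICAL
    elif days_valid < warning:     # fewer than --warning days left
        status = WARNING
    else:
        status = OK
    if status == OK:
        variables = {"SHORTNAME": SHORTNAME, "CN": cn, "HOST": host, "DAYS_VALID": days,
                     "DATE": not_after.strftime("%Y-%m-%d %H:%M:%S UTC")}
        return OK, expand_format(fmt, variables)
    if days_valid < 0:
        return status, f"{SHORTNAME} {STATE[status]} - certificate '{cn}' expired {days.lstrip('-')} days ago"
    return status, f"{SHORTNAME} {STATE[status]} - certificate '{cn}' expires in {days} days"

if __name__ == "__main__":
    import sys
    status, output = evaluate("notAfter=Jan 19 00:00:00 2025 GMT", NOW_EXAMPLE, cn="www.example.com")
    print(output)
    sys.exit(status)  # the Nagios/Icinga exit status
```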

BUGS

       Please report bugs to: https://github.com/matteocorti/check_ssl_cert/issues


EXAMPLE

       check_ssl_cert --host github.com --all-local


SEE ALSO

       openssl(1), openssl-x509(1)


2.54.0                           October, 2022               check_ssl_cert(1)