Provided by: monitoring-plugins-contrib_37.20211217ubuntu1_amd64
NAME
check_ssl_cert - checks the validity of X.509 certificates
SYNOPSIS
check_ssl_cert -H host [OPTIONS]
check_ssl_cert -f file [OPTIONS]
DESCRIPTION
check_ssl_cert is a shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.
ARGUMENTS
-f,--file file              local file path (works with -H localhost only)
                            with -f you can not only pass an X.509 certificate
                            file but also a certificate revocation list (CRL)
                            to check the validity period
-H,--host host              server
OPTIONS
-A,--noauth                 ignore authority warnings (expiration only)
--all                       enables all the possible optional checks at the
                            maximum level
--all-local                 enables all the possible optional checks at the
                            maximum level (without SSL Labs)
--allow-empty-san           allow certificates without Subject Alternative
                            Names (SANs)
-C,--clientcert path        use client certificate to authenticate
-c,--critical days          minimum number of days a certificate has to be
                            valid to issue a critical status. Can be a
                            floating point number, e.g., 0.5. Default: 15
--check-ciphers grade       checks the offered ciphers
--check-ciphers-warnings    critical if nmap reports a warning for an
                            offered cipher
--check-ssl-labs-warn grade SSL Labs grade on which to warn
--clientpass phrase         set passphrase for client certificate
--crl                       checks revocation via CRL (requires
                            --rootcert-file)
--curl-bin path             path of the curl binary to be used
--curl-user-agent string    user agent that curl shall use to obtain the
                            issuer cert
--custom-http-header string custom HTTP header sent when getting the cert,
                            example: 'X-Check-Ssl-Cert: Foobar=1'
-d,--debug                  produces debugging output (can be specified more
                            than once)
--dane                      verify that valid DANE records exist (since
                            OpenSSL 1.1.0)
--dane 211                  verify that a valid DANE-TA(2) SPKI(1)
                            SHA2-256(1) TLSA record exists
--dane 301                  verify that a valid DANE-EE(3) Cert(0)
                            SHA2-256(1) TLSA record exists
--dane 302                  verify that a valid DANE-EE(3) Cert(0)
                            SHA2-512(2) TLSA record exists
--dane 311                  verify that a valid DANE-EE(3) SPKI(1)
                            SHA2-256(1) TLSA record exists
--dane 312
--date path                 path of the date binary to be used
--debug-cert                stores the retrieved certificates in the current
                            directory
--debug-file file           writes the debug messages to file
--debug-time                writes timing information in the debugging output
--dig-bin path              path of the dig binary to be used
-e,--email address          pattern to match the email address contained in
                            the certificate
--ecdsa                     signature algorithm selection: force ECDSA
                            certificate
--element number            checks up to the Nth cert element from the
                            beginning of the chain
--file-bin path             path of the file binary to be used
--fingerprint SHA1          pattern to match the SHA1 fingerprint
--first-element-only        verify just the first cert element, not the
                            whole chain
--force-dconv-date          force the usage of dconv for date computations
--force-perl-date           force the usage of Perl for date computations
--format FORMAT             format output template on success, for example:
                            %SHORTNAME% OK %CN% from %CA_ISSUER_MATCHED%
-h,--help,-?                this help message
--http-use-get              use GET instead of HEAD (default) for the HTTP
                            related checks
-i,--issuer issuer          pattern to match the issuer of the certificate
--ignore-altnames           ignores alternative names when matching the
                            pattern specified in -n (or the host name)
--ignore-connection-problems [state]
                            in case of connection problems returns OK or the
                            optional state
--ignore-exp                ignore expiration date
--ignore-host-cn            do not complain if the CN does not match the host
                            name
--ignore-incomplete-chain   does not check chain integrity
--ignore-ocsp               do not check revocation with OCSP
--ignore-ocsp-errors        continue if the OCSP status cannot be checked
--ignore-ocsp-timeout       ignore OCSP result when a timeout occurs while
                            checking
--ignore-sct                do not check for signed certificate timestamps
                            (SCT)
--ignore-sig-alg            do not check if the certificate was signed with
                            SHA1 or MD5
--ignore-ssl-labs-cache     forces a new check by SSL Labs (see -L)
--ignore-tls-renegotiation  ignores the TLS renegotiation check
--inetproto protocol        force IP version 4 or 6
--info                      prints certificate information
--issuer-cert-cache dir     directory where to store the issuer certificates
                            cache
-K,--clientkey path         use client certificate key to authenticate
-L,--check-ssl-labs grade   SSL Labs assessment (please check
                            https://www.ssllabs.com/about/terms.html).
                            Critical if the grade is lower than specified.
--long-output list          append the specified comma separated (no spaces)
                            list of attributes to the plugin output on
                            additional lines.
                            Valid attributes are: enddate, startdate,
                            subject, issuer, modulus, serial, hash, email,
                            ocsp_uri and fingerprint. 'all' will include all
                            the available attributes.
-n,--cn name                pattern to match the CN of the certificate (can
                            be specified multiple times)
--nmap-bin path             path of the nmap binary to be used
--no-perf                   do not show performance data
--no-proxy                  ignores the http_proxy and https_proxy
                            environment variables
--no-proxy-curl             ignores the http_proxy and https_proxy
                            environment variables for curl
--no-proxy-s_client         ignores the http_proxy and https_proxy
                            environment variables for openssl s_client
--no-ssl2                   disable SSL version 2
--no-ssl3                   disable SSL version 3
--no-tls1                   disable TLS version 1
--no-tls1_1                 disable TLS version 1.1
--no-tls1_2                 disable TLS version 1.2
--no-tls1_3                 disable TLS version 1.3
--not-issued-by issuer      check that the issuer of the certificate does not
                            match the given pattern
--not-valid-longer-than days
                            critical if the certificate validity is longer
                            than the specified period
-o,--org org                pattern to match the organization of the
                            certificate
--ocsp-critical hours       minimum number of hours an OCSP response has to
                            be valid to issue a critical status
--ocsp-warning hours        minimum number of hours an OCSP response has to
                            be valid to issue a warning status
--openssl path              path of the openssl binary to be used
-p,--port port              TCP port
-P,--protocol protocol      use the specific protocol: ftp, ftps, http,
                            https (default), h2 (HTTP/2), imap, imaps, irc,
                            ircs, ldap, ldaps, mysql, pop3, pop3s, postgres,
                            sieve, smtp, smtps, xmpp, xmpp-server.
                            The following protocols switch to TLS using
                            StartTLS: ftp, imap, irc, ldap, mysql, pop3,
                            postgres, sieve, smtp.
--password source           password source for a local certificate, see the
                            PASS PHRASE ARGUMENTS section of openssl(1)
--prometheus                generates Prometheus/OpenMetrics output
--proxy proxy               sets http_proxy and the s_client -proxy option
-r,--rootcert cert          root certificate or directory to be used for
                            certificate validation (passed to openssl's
                            -CAfile or -CApath)
--require-client-cert [list]
                            the server must accept a client certificate.
                            'list' is an optional comma separated list of
                            expected client certificate CAs
--require-no-ssl2           critical if SSL version 2 is offered
--require-no-ssl3           critical if SSL version 3 is offered
--require-no-tls1           critical if TLS 1 is offered
--require-no-tls1_1         critical if TLS 1.1 is offered
--require-ocsp-stapling     require OCSP stapling
--resolve ip                provides a custom IP address for the specified
                            host
--rootcert-dir dir          root directory to be used for certificate
                            validation (passed to openssl's -CApath),
                            overrides option -r,--rootcert
--rootcert-file cert        root certificate to be used for certificate
                            validation (passed to openssl's -CAfile),
                            overrides option -r,--rootcert
--rsa                       signature algorithm selection: force RSA
                            certificate
-s,--selfsigned             allows self-signed certificates
--serial serialnum          pattern to match the serial number
--skip-element number       skips checks on the Nth cert element (can be
                            specified multiple times)
--sni name                  sets the TLS SNI (Server Name Indication)
                            extension in the ClientHello message to 'name'
--ssl2                      force SSL version 2
--ssl3                      force SSL version 3
-t,--timeout seconds        timeout after the specified time (defaults to
                            120 seconds)
--temp dir                  directory where to store the temporary files
--terse                     terse output (also see --verbose)
--tls1                      force TLS version 1
--tls1_1                    force TLS version 1.1
--tls1_2                    force TLS version 1.2
--tls1_3                    force TLS version 1.3
-u,--url URL                HTTP request URL
-v,--verbose                verbose output (can be specified more than once)
-V,--version                version
-w,--warning days           minimum number of days a certificate has to be
                            valid to issue a warning status. Can be a
                            floating point number, e.g., 0.5. Default: 20
--xmpphost name             specifies the host for the 'to' attribute of the
                            stream element
-4                          force IPv4
-6                          force IPv6
DEPRECATED OPTIONS
--altnames                  matches the pattern specified in -n with
                            alternate names too (enabled by default)
-d,--days days              minimum number of days a certificate has to be
                            valid (see --critical and --warning)
-N,--host-cn                match CN with the host name (enabled by default)
--no_ssl2                   disable SSLv2 (deprecated, use --no-ssl2)
--no_ssl3                   disable SSLv3 (deprecated, use --no-ssl3)
--no_tls1                   disable TLSv1 (deprecated, use --no-tls1)
--no_tls1_1                 disable TLSv1.1 (deprecated, use --no-tls1_1)
--no_tls1_2                 disable TLSv1.2 (deprecated, use --no-tls1_2)
--no_tls1_3                 disable TLSv1.3 (deprecated, use --no-tls1_3)
--ocsp                      check revocation via OCSP (enabled by default)
--require-san               require the presence of a Subject Alternative
                            Name extension
-S,--ssl version            force SSL version (2,3) (see: --ssl2 or --ssl3)
NOTES
If the host has multiple certificates and the installed openssl version supports the -servername option, it is possible to specify the TLS SNI (Server Name Indication) with the -N (or --host-cn) option.
EXIT STATUS
check_ssl_cert returns a zero exit status if it finds no errors, 1 for warnings, 2 for critical errors and 3 for unknown problems.
BUGS
Please report bugs to: https://github.com/matteocorti/check_ssl_cert/issues
EXAMPLE
check_ssl_cert --host github.com --all-local
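As an added example that is not part of the plugin or this manual, the Python below reproduces the expiry-threshold rules described under -w, -c, --not-valid-longer-than and EXIT STATUS, so the effect of fractional day thresholds and of an inverted -w/-c pair can be seen without a live host. It reads the notAfter line that 'openssl x509 -enddate' prints; the 'SSL_CERT' output prefix is an assumed stand-in for %SHORTNAME%.

```python
from datetime import datetime, timedelta, timezone

# Exit codes as documented under EXIT STATUS
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAME = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

def parse_openssl_date(line):
    """Parse a 'notAfter=Dec 17 23:59:59 2024 GMT' line as printed by 'openssl x509 -enddate'."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def expiry_status(not_after, now, warning_days=20.0, critical_days=15.0,
                  not_before=None, not_valid_longer_than=None):
    """Return (exit_code, message) following the man page's threshold rules.

    warning_days / critical_days mirror -w / -c (defaults 20 and 15, fractional allowed);
    not_valid_longer_than mirrors --not-valid-longer-than (critical when the whole
    validity period not_before..not_after is longer than that many days).
    """
    if critical_days > warning_days:
        return UNKNOWN, "critical threshold (%g) exceeds warning threshold (%g)" % (critical_days, warning_days)
    remaining = (not_after - now) / timedelta(days=1)  # fractional days, so -c 0.5 behaves as documented
    if remaining < 0:
        return CRITICAL, "certificate expired %.1f days ago" % -remaining
    if not_valid_longer_than is not None and not_before is not None:
        validity = (not_after - not_before) / timedelta(days=1)
        if validity > not_valid_longer_than:
            return CRITICAL, "validity period of %.1f days is longer than %g days" % (validity, not_valid_longer_than)
    if remaining < critical_days:
        return CRITICAL, "certificate will expire in %.1f days" % remaining
    if remaining < warning_days:
        return WARNING, "certificate will expire in %.1f days" % remaining
    return OK, "certificate is valid for %.1f more days" % remaining

def check(enddate_line, now, **thresholds):
    """Parse the openssl end date, evaluate it and return (exit_code, one-line plugin output)."""
    try:
        not_after = parse_openssl_date(enddate_line)
    except (IndexError, ValueError) as exc:
        return UNKNOWN, "SSL_CERT UNKNOWN - cannot parse end date: %s" % exc
    code, msg = expiry_status(not_after, now, **thresholds)
    return code, "SSL_CERT %s - %s" % (STATE_NAME[code], msg)  # SSL_CERT prefix assumed

if __name__ == "__main__":
    # Constructed sample input: evaluate a cert ending 2024-12-17 as if today were 2024-12-01
    today = datetime(2024, 12, 1, tzinfo=timezone.utc)
    print(check("notAfter=Dec 17 23:59:59 2024 GMT", today))
```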
SEE ALSO
openssl(1), openssl-x509(1)