Hi,

I found that check_ssl_cert fails with multiple ocsp responders:

check_ssl_cert --debug --host netlock.hu
[DBG] OCSP: host = ocsp1.netlock.hu
ocsp2.netlock.hu
ocsp3.netlock.hu

I can fix it with addition of "head -n1", but I don't think it's the best way:

OCSP_URI="$($OPENSSL ${OPENSSL_COMMAND} ${OPENSSL_PARAMS} -in "${CERT}" -ocsp_uri -noout | head -n1)"

I've been using check_ssl_cert for years with Nagios to monitor multiple hosts and it's working great! Recently however, I renewed an SSL cert for www.perturb.org, but check_ssl_cert is reporting that the SSL cert is expired. Somehow it still has the expiration date from the previous cert. The command Nagios runs is:

check_ssl_cert -H perturb.org --protocol https --port 443 --cn www.perturb.org --warning 14 --critical 7 --altnames

Which does indeed generate a critical alarm. All the browsers I've checked are happy, as are various SSL checking services:

https://www.sslshopper.com/ssl-checker.html#hostname=www.perturb.org
https://www.digicert.com/help/

Am I missing something, or is check_ssl_cert just confused?

Hi,
I try to check the expiration date of a certificate (Let's Encrypt) on a FTP server.

But it fail with "Cannot verify certificate: unable to get local issuer certificate, unable to verify the first certificate"

Here the detail debug output :

In the above log, all seems to work to my eyes.

Don't think it's related to the Let's Encrypt root CA, because if I test with hellowolrd, it work's (./check_ssl_cert -H helloworld.letsencrypt.org -v -d)

Thank's for the help.

Best regards

See for example

./check_ssl_cert -H www.google.com -r ./check_ssl_cert --ocsp
Error querying OCSP responder
140735307825232:error:27076072:OCSP routines:PARSE_HTTP_LINE1:server response error:ocsp_ht.c:314:Code=400,Reason=Bad Request
SSL_CERT WARN www.google.com: |days=76;;;;

Thank you for your plug in. Its a a huge help for our organization. I have several web servers that host multiple websites. I am trying to make your plugin pull the SSL cert from the server for specific websites and check the date before it expires. I have it pulling the SSL cert but it says the cert is OK instead of warning or critical days I set in the command. Can you help me?

Here is my command:

./check_ssl_cert -H xxx.somedomain.com -N webserver.domain.com -w 30 -c 15

SSL_CERT OK - X.509 certificate for 'xxx.somedomain.com' from 'InCommon RSA Server CA' valid until Feb 26 23:59:59 2017 GMT (expires in 25 days)|days=25;;;;

I appreciate any help you can give. Thanks
Jeff

I had a check failing which turned out to be due to a DNS issue. However, check_ssl_cert reported the error message:

SSL_CERT CRITICAL: Error: verify depth is 6

Line 228 of check_ssl_cert reports the first line from the captured stderr from openssl, but if -verify 6 is specified then the first line to stderr is always "verify depth is 6". The actual output to stderr was:

verify depth is 6
getaddrinfo: Temporary failure in name resolution
connect:errno=110

So the second line is the error that should be reported.

(check_ssl_cert 1.18.0 on CentOS 6 and 7 with openssl-1.0.1e).

I'm having trouble getting the plugin to validate my XMPP server's cert, because it doesn't pass the correct hostname via openssl:

[root@localhost ~]# /usr/lib64/nagios/plugins/check_ssl_cert  --host server.example.com --port 5222 --protocol xmpp --cn example.com -d
#...
[DBG] '/usr/bin/openssl s_client' supports '-xmpphost': using -xmpphost server.example.com
#...
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client   -starttls xmpp -connect server.example.com:5222 -xmpphost server.example.com -verify 6     2> /tmp/check_ssl_certky8Jdg 1> /tmp/check_ssl_certNtjjQp
[DBG]   /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client   -starttls xmpp -connect server.example.com:5222 -xmpphost server.example.com -verify 6     2> /tmp/check_ssl_certky8Jdg 1> /tmp/check_ssl_certNtjjQp"
[...]
Error: verify depth is 6
SSL_CERT CRITICAL server.example.com: No certificate returned

Running the underlying openssl command manually, there's no cert:

[root@localhost ~]# /usr/bin/openssl s_client   -starttls xmpp -connect server.example.com:5222 -xmpphost server.example.com -verify 6 
verify depth is 6
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 300 bytes and written 134 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
---

...but if I pass the right host name as -xmpphost, I get the expected result:

[root@localhost ~]# /usr/bin/openssl s_client   -starttls xmpp -connect server.example.com:5222 -xmpphost example.com -verify 6 
verify depth is 6
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:/CN=example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
#...

I can't see an obvious way to make the plugin pass the right name to the server. I tried using "--sni" but that doesn't work (maybe it should).

I am trying to use this on a centos 7 machine with nagios 4 + it all
works fine but how do we get it to warn show crytical on the number of
days? this appears not to work whatever we set the min number of days
too.

# ./check_ssl_cert -H www.cnn.com -w 1000
SSL_CERT OK - X.509 certificate for 'a.ssl.fastly.net' from 'DigiCert
SHA2 High Assurance Server CA' valid until Feb  6 12:00:00 2018 GMT
(expires in 707 days)|days=707;1000;;;

From @matteocorti on October 16, 2015 13:32

Original reporter: [email protected]

Hello,

please let me know if support of UCC (multiple) certificates planning.

Thank you.

Copied from original issue: matteocorti/nagios_plugins#132

OCSP revokation checking breaks if there are multiple issuer URIs. You would need to use only one of them or some kind of loop.

This is the part of the debug log (with curl output)

[DBG] OCSP: fetching issuer certificate http://cdp1.pca.dfn.de/tu-berlin-ca/pub/cacert/cacert.crt
http://cdp2.pca.dfn.de/tu-berlin-ca/pub/cacert/cacert.crt to /tmp/check_ssl_cert0BdFcl
curl: (3) Illegal characters found in URL
[DBG] OCSP: issuer certificate type:  empty
SSL_CERT UNKNOWN XXX.de: Unable to fetch OCSP issuer certificate.

For now I fixed it by adding this before line 1626: if [ -z "${ISSUER_CERT}" ]; then:

ISSUER_URI=$(echo "${ISSUER_URI}" | head -n1)

It would be nice to have a --ocsp-staple option, to not only test the OCSP servers, but also if your own servers include the staple.

hi Matteo,

would it be possible to return a warning if the ${CHECKEDNAMES} is not contained in the specified SNI name ?

Background:
When specifying a SNI name we would expect a certificate name that is contained in the SNI name (wildcard handling should be considered). Otherwise a warning should be issued.

Example:
Correct:
/usr/local/nagios-commands/check_ssl_certificate.sh --sni teamplay.siemens.com -H webclient.eu.api.teamplay.siemens.com -r /etc/ssl/certs
SSL_CERT OK - X.509 certificate 'teamplay.siemens.com' from 'Siemens Issuing CA Internet Server 2017' valid until Mar 21 13:30:13 2019 GMT (expires in 346 days)|days=346;;;;

Proposed warning situation:
/var/tmp/check_ssl_certificate.sh --sni teamplay-cn.siemens.com -H webclient.eu.api.teamplay.siemens.com -r /etc/ssl/certs
SSL_CERT WARN webclient.eu.api.teamplay.siemens.com: SNI name {teamplay-cn.siemens.com} does not match certificate name: *.azurewebsites.net|days=616;;;;

A possible solution would be this:

if [ -n "${SNI}" ]; then
  NWCN=${CN#\*.}
  if echo "${SNI}" | grep -qv "${NWCN}" ; then
    warning "SNI name {$SNI} does not match certificate name: ${CN}"
  fi
fi

Do you think this is worth adding to the check ?

tnx & bye //emil

check_ssl_cert -H expired.badssl.com --host-cn --sni expired.badssl.com correctly states that `SSL_CERT CRITICAL expired.badssl.com: x509 certificate is expired (was valid until Apr 12 23:59:59 2015 GMT)|days=-1173;;;;", but the return value is 0, whereas i expected 2 for critical.

according to git bisect this is a regression of 5b427ba, however it's rather late both in my physical and my internal/biological timezone, so i'm just reporting this and hoping you'll know where to look. upon first glance at the changes, i think that trapping on EXIT with cleanup is clever from a resource-cleanup point, but the plain exit (with a notable absence of a statuscode != 0) may cause this bug. i'm not sure how to properly fix this while keeping the nice cleanup mechanism.

Earlier this week, the Let's Encrypt OCSP servers went down. This caused all our checks to say 'service check timed out'. We used version 1.54.0 at the time, but looking at the diff, OCSP handling hasn't changed.

Not sure what the best way to deal with outage is. Perhaps --ignore-ocsp-timeout? Because I do want to see OCSP errors, but Nagios doesn't have to trip for dozens/hundreds of checks for a benign temporary error that is outside of my control.

I am seeing an error like this :

SSL_​CERT CRITICAL *.domain.​com: invalid CN ('*.domain.​com' does not match '*.domain.​com')

I am not sure how to tackle this issue.

I recently updated openssl to the latest version 1.1.0.e. Since the update I've had strange SSL issues with almost everything depending on SSL. I have multiple virtual hosts on a single box and have been using check_ssl_cert to validate each sub/domain's SSL certificates using

check_ssl_cert -H domain4.net -n domain4.net

This has all been successful prior to updating openssl where check_ssl_cert would return an OK status. Now since the openssl update check_ssl_cert is failing for any domain except the primary domain name that shows up in reverse DNS.

SSL_CERT CRITICAL domain4.net: invalid CN ('*.maindomain.net' does not match 'domain4.net')|days=1067;;;;

It seems that using -n should still continue to return OK statuses, but I am not sure what exactly changed with openssl that would suddenly cause this.

  -n,--cn name               pattern to match the CN of the certificate (can be specified multiple times)

I have not had success even with the latest check_ssl_cert-1.44.0 release.

@matteocorti

While testing I had a weird issue. Some certificates we made today in the same way as some other certificates we made last week somehow fail, as the ocsp url and header seems empty. We don't get why this certificate suddenly doesn't contain the ocsp url?

/usr/local/nagios/libexec/check_ssl_cert. -H servername -p 9200 -w 40 -c 10 --issuer 'MYISSUER' --tls1_2 --altnames --cn servername -d
[DBG] ROOT_CA =
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_version: 1.47.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
[DBG] System info: Linux nagiosserver2.6.32-696.1.1.el6.x86_64 #1 SMP Tue Apr 11 17:13:24 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername servername
downloading certificate to /tmp
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client   -connect servername:9200 -servername servername -verify 6  -tls1_2   2> /tmp/check_ssl_cert.sheL9aBg 1> /tmp/check_ssl_cert.shDH5low
[DBG]   /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client   -connect servername:9200 -servername servername -verify 6  -tls1_2   2> /tmp/check_ssl_cert.sheL9aBg 1> /tmp/check_ssl_cert.shDH5low"
[DBG] storing a copy of the retrieved certificate in servername.crt
[DBG] storing a copy of the OpenSSL errors in servername.error
parsing the certificate file
[DBG]  subject= CN = servername
[DBG] CN         = servername
[DBG] CA_O       = City
[DBG] CA_CN      = MYISSUER
[DBG] SERIAL     = 57000007A9000007A9
[DBG] OCSP_URI   =
[DBG] ISSUER_URI = http://mypkiurl/pki/MYISSUER.crt
[DBG]     Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 729 day(s)
[DBG] check CN: servername 
[DBG] CN check finished
[DBG] check ISSUER: MYISSUER
[DBG] Checking expiration date
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert.shDH5low -noout -checkend 864000
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_cert.shDH5low -noout -checkend 3456000
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://mypkiurl/pki/MYISSUER.crt to /tmp/check_ssl_cert.sh4W6FfZ
[DBG] OCSP: issuer certificate type:  data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to http://mypkiurl/pki/MYISSUER.crt
[DBG] OCSP: host =
[DBG] openssl ocsp support the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_cert.sh4W6FfZ -cert /tmp/check_ssl_cert.shDH5low  -url   -header HOST
[DBG] OCSP: response = Error parsing URL
[DBG] OCSP: response = OCSP utility
[DBG] OCSP: response = Usage ocsp [options]
[DBG] OCSP: response = where options are
[DBG] OCSP: response = -out file          output filename
[DBG] OCSP: response = -issuer file       issuer certificate
[DBG] OCSP: response = -cert file         certificate to check
[DBG] OCSP: response = -serial n          serial number to check
[DBG] OCSP: response = -signer file       certificate to sign OCSP request with
[DBG] OCSP: response = -signkey file      private key to sign OCSP request with
[DBG] OCSP: response = -sign_other file   additional certificates to include in signed request
[DBG] OCSP: response = -no_certs          don't include any certificates in signed request
[DBG] OCSP: response = -req_text          print text form of request
[DBG] OCSP: response = -resp_text         print text form of response
[DBG] OCSP: response = -text              print text form of request and response
[DBG] OCSP: response = -reqout file       write DER encoded OCSP request to "file"
[DBG] OCSP: response = -respout file      write DER encoded OCSP reponse to "file"
[DBG] OCSP: response = -reqin file        read DER encoded OCSP request from "file"
[DBG] OCSP: response = -respin file       read DER encoded OCSP reponse from "file"
[DBG] OCSP: response = -nonce             add OCSP nonce to request
[DBG] OCSP: response = -no_nonce          don't add OCSP nonce to request
[DBG] OCSP: response = -url URL           OCSP responder URL
[DBG] OCSP: response = -host host:n       send OCSP request to host on port n
[DBG] OCSP: response = -path              path to use in OCSP request
[DBG] OCSP: response = -CApath dir        trusted certificates directory
[DBG] OCSP: response = -CAfile file       trusted certificates file
[DBG] OCSP: response = -trusted_first     use trusted certificates first when building the trust chain
[DBG] OCSP: response = -VAfile file       validator certificates file
[DBG] OCSP: response = -validity_period n maximum validity discrepancy in seconds
[DBG] OCSP: response = -status_age n      maximum status age in seconds
[DBG] OCSP: response = -noverify          don't verify response at all
[DBG] OCSP: response = -verify_other file additional certificates to search for signer
[DBG] OCSP: response = -trust_other       don't verify additional certificates
[DBG] OCSP: response = -no_intern         don't search certificates contained in response for signer
[DBG] OCSP: response = -no_signature_verify don't check signature on response
[DBG] OCSP: response = -no_cert_verify    don't check signing certificate
[DBG] OCSP: response = -no_chain          don't chain verify response
[DBG] OCSP: response = -no_cert_checks    don't do additional checks on signing certificate
[DBG] OCSP: response = -port num                 port to run responder on
[DBG] OCSP: response = -index file       certificate status index file
[DBG] OCSP: response = -CA file          CA certificate
[DBG] OCSP: response = -rsigner file     responder certificate to sign responses with
[DBG] OCSP: response = -rkey file        responder key to sign responses with
[DBG] OCSP: response = -rother file      other certificates to include in response
[DBG] OCSP: response = -resp_no_certs     don't include any certificates in response
[DBG] OCSP: response = -nmin n           number of minutes before next update
[DBG] OCSP: response = -ndays n          number of days before next update
[DBG] OCSP: response = -resp_key_id       identify reponse by signing certificate key ID
[DBG] OCSP: response = -nrequest n        number of requests to accept (default unlimited)
[DBG] OCSP: response = -<dgst alg>     use specified digest in the request
[DBG] OCSP: response = 139659720894280:error:27072079:OCSP routines:OCSP_parse_url:error parsing url:ocsp_lib.c:254:
SSL_CERT CRITICAL servername : Error parsing URL
OCSP utility
Usage ocsp [options]
where options are
-out file          output filename
-issuer file       issuer certificate
-cert file         certificate to check
-serial n          serial number to check
-signer file       certificate to sign OCSP request with
-signkey file      private key to sign OCSP request with
-sign_other file   additional certificates to include in signed request
-no_certs          don't include any certificates in signed request
-req_text          print text form of request
-resp_text         print text form of response
-text              print text form of request and response
-reqout file       write DER encoded OCSP request to "file"
-respout file      write DER encoded OCSP reponse to "file"
-reqin file        read DER encoded OCSP request from "file"
-respin file       read DER encoded OCSP reponse from "file"
-nonce             add OCSP nonce to request
-no_nonce          don't add OCSP nonce to request
-url URL           OCSP responder URL
-host host:n       send OCSP request to host on port n
-path              path to use in OCSP request
-CApath dir        trusted certificates directory
-CAfile file       trusted certificates file
-trusted_first     use trusted certificates first when building the trust chain
-VAfile file       validator certificates file
-validity_period n maximum validity discrepancy in seconds
-status_age n      maximum status age in seconds
-noverify          don't verify response at all
-verify_other file additional certificates to search for signer
-trust_other       don't verify additional certificates
-no_intern         don't search certificates contained in response for signer
-no_signature_verify don't check signature on response
-no_cert_verify    don't check signing certificate
-no_chain          don't chain verify response
-no_cert_checks    don't do additional checks on signing certificate
-port num                port to run responder on
-index file      certificate status index file
-CA file                 CA certificate
-rsigner file    responder certificate to sign responses with
-rkey file       responder key to sign responses with
-rother file     other certificates to include in response
-resp_no_certs     don't include any certificates in response
-nmin n          number of minutes before next update
-ndays n                 number of days before next update
-resp_key_id       identify reponse by signing certificate key ID
-nrequest n        number of requests to accept (default unlimited)
-<dgst alg>     use specified digest in the request
139973889894216:error:27072079:OCSP routines:OCSP_parse_url:error parsing url:ocsp_lib.c:254:|days=729;40;10;;

Hi,

When checking a site that is hosted on AWS and is using loadbalancing, the check returns the error that the certificate is not returned.

/usr/lib64/nagios/plugins/check_ssl_cert -H an awshosted url -c 30 -w 60 -v -A
expect not available
timeout available (/usr/bin/timeout)
found GNU date with timestamp support: enabling date computations
downloading certificate to /tmp
Error: verify depth is 6
SSL_CERT CRITICAL an awshosted url: No certificate returned

Is there a way to get around this?
I have tried for several sites hosted on AWS, all returning in the same result.

From @matteocorti on October 16, 2015 13:17

Original reporter: [email protected]

the plugin does not time out after 15 seconds, at least when used with STARTTLS mode and when a connection can be established, but STARTTLS is not supported. Try the following for an example:

check_ssl_cert -H mx3.safe-mail.net -p 25 -P smtp

The connection hangs indefinitely, rather than returning an error condition after the timeout has expired. This doesn't seem to happen with all hosts that don't support STARTTLS, I've so far been unable to figure out what triggers this. Calling openssl s_client with the parameters used by the plugin does return a result.

Copied from original issue: matteocorti/nagios_plugins#71

Thank you for the code!
https://github.com/szepeviktor/debian-server-tools/blob/master/monitoring/ocsp-check.sh

Hi Matteo,

You are so helpful, so I'm getting greedy... ;-)

Can you implement a custom parameter or something like that for openssl to properly display utf-8 names in certificates?

Now check_ssl_cert displays this:

> ./check_ssl_cert --host netlock.hu
SSL_CERT OK - x509 certificate 'www.netlock.hu' from 'NetLock \xC3\x9Czleti (Class B) Tan\xC3\xBAs\xC3\xADtv\xC3\xA1nykiad\xC3\xB3' valid until Apr  6 08:29:01 2018 GMT (expires today)|days=0;;;;

But I would like to see this:

> ./check_ssl_cert_utf8 --host netlock.hu
SSL_CERT OK - x509 certificate 'www.netlock.hu' from 'NetLock Üzleti (Class B) Tanúsítványkiadó' valid until Apr  6 08:29:01 2018 GMT (expires today)|days=0;;;;

I achieve this by adding -nameopt oneline,-esc_msb to your code:

--- check_ssl_cert      2018-04-05 14:05:50.000000000 +0200
+++ check_ssl_cert_utf8 2018-04-05 16:06:13.881137137 +0200
@@ -1215,7 +1215,7 @@
                         echo "File is DER encoded CRL"
                     fi
                     OPENSSL_COMMAND="crl"
-                    OPENSSL_PARAMS="-inform DER"
+                    OPENSSL_PARAMS="-inform DER -nameopt oneline,-esc_msb"
                     OPENSSL_ENDDATE_OPTION="-nextupdate"
                 else
                     critical "'${FILE}' is not a valid certificate file"
@@ -1240,7 +1240,7 @@
         else
             # parameters for regular x509 certifcates
             OPENSSL_COMMAND="x509"
-            OPENSSL_PARAMS=""
+            OPENSSL_PARAMS="-nameopt oneline,-esc_msb"
             OPENSSL_ENDDATE_OPTION="-enddate"
         fi

But I don't know if this is the right way.

Regards,
Krisztián

Hi Matteo,

I found that if I run check_ssl_cert only with the --host option, then curl is missing from the command:

> check_ssl_cert_1.65.0 -d --host netlock.hu
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://aia1.netlock.hu/index.cgi?ca=cbca to /tmp/check_ssl_cert_1.65.0W8PjcG
[DBG] executing with timeout (15s):  --silent --location http://aia1.netlock.hu/index.cgi?ca=cbca > /tmp/check_ssl_cert_1.65.0W8PjcG
[DBG]   /usr/bin/timeout 15 /bin/sh -c " --silent --location http://aia1.netlock.hu/index.cgi?ca=cbca > /tmp/check_ssl_cert_1.65.0W8PjcG"
[DBG] OCSP: issuer certificate type:  empty

But there is no problem running like this:

> check_ssl_cert_1.65.0 -d --host netlock.hu --check-ssl-labs A
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://aia1.netlock.hu/index.cgi?ca=cbca to /tmp/check_ssl_cert_1.65.0EhK8Ws
[DBG] executing with timeout (15s): /usr/bin/curl --silent --location http://aia1.netlock.hu/index.cgi?ca=cbca > /tmp/check_ssl_cert_1.65.0EhK8Ws
[DBG]   /usr/bin/timeout 15 /bin/sh -c "/usr/bin/curl --silent --location http://aia1.netlock.hu/index.cgi?ca=cbca > /tmp/check_ssl_cert_1.65.0EhK8Ws"
[DBG] OCSP: issuer certificate type:  PEM certificate

Is it possible to add a feature to check the certificate via IPv4 or IPv6. By default IPv6 get's preference.

Would be nice to have an option to check via IPv4 or IPv6, thanks for your efforts!

Hello,

Thanks for this plugin, seems very useful. I was wondering if it is possible already to check for missing SAN attributes. As you might know Google has recently changes it's Chrome policy and no longer allows certificates who have no SAN. This is the error generated in Chrome:

Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

For now it's possible to ignore this issue, see https://www.chromium.org/administrators/policy-list-3#EnableCommonNameFallbackForLocalAnchors

But somehwere at the end of 2017 this will no longer be possible, so I'd love to monitor for missing SAN's. :)

Grtz

Willem

Hey here’s another interesting one for you, by all means let me know if you want me to throw it up as an Issue, I don’t want to be hassling you over email!

It looks like the check throws an error when it tries to evaluate the cert validity of a server that requires client certificate auth, so for example

./check_ssl_cert -H ******
SSL_CERT CRITICAL: Error: verify depth is 6

Openssl would exit with an error when run against this server, but I think you should still be able to get the server cert and validate it right?

Hi

I updated check_ssl_cert to v1.51.0 from this repo (before, we had v1.16.1 installed).

Now some of the checks return the following:

SSL_CERT CRITICAL 192.168.185.112: Can't get connection fd

But this is only returned, when our Icinga installation runs the check. When I run the check manually from an SSH session, it works:

root@app2-ewmon-prod ~ # sudo -u icinga /data/icinga/libexec/check_ssl_cert -H 192.168.185.112 -w 30 -c 7 --noauth --selfsigned
SSL_CERT OK - X.509 certificate 'mail.scalera.ch' from 'QuoVadis Global SSL ICA G2' valid until Jan 12 08:37:15 2018 GMT (expires in 151 days)|days=151;30;7;;

Any idea, why this might be so?

Thanks,
Alexander

Using check_ssl_cert on Debian stretch (9.x) produces the following problem:

$ ./check_ssl_cert -v  -H www.google.com
expect available (/usr/bin/expect)
timeout available (/usr/bin/timeout)
found GNU date with timestamp support: enabling date computations
'/usr/bin/openssl s_client' does not support '-servername': disabling virtual server support
downloading certificate to /tmp
parsing the certificate file
The certificate will expire in 69 day(s)
Certificate will not expire
unable to load certificate
140524407637120:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:crypto/asn1/asn1_lib.c:101:
SSL_CERT CRITICAL www.google.com: unable to load certificate
140378701767808:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: TRUSTED CERTIFICATE|days=69;;;;
$ dpkg -l | grep openssl
ii  openssl                                      1.1.0d-2                    amd64        Secure Sockets Layer toolkit - cryptographic utility

There is a Debian bugreport about that. Searching the network indicated that other applications have this issue too.

It seems dehydrated found a solution for this, maybe this helps.

Many thanks for looking into this and maintaining check_ssl_cert. Cheers, Jan.

Newest version of the plugin.
Debian: 8.8
Nagios Version: 4.2.4

The plugin runs always into a timeout.
Over the commandline:
sudo -u nagios ./check_ssl_cert -H hostname
working fine and i get a response but when nagios itself executes the command i get the error
(Service check timed out after 60.01 seconds)

Command:

define command{
	command_name	check_ssl_cert
	command_line	$USER1$/check_ssl_cert -H hostname
}

(defined already the hostname in the command to be sure it's not a other problem)

Debug:

**** BEGIN MACRO PROCESSING ***********
'$USER1$/check_ssl_cert -H hostname'
Done.  Final output: '/usr/local/nagios/libexec/check_ssl_cert -H hostname'
**** END MACRO PROCESSING *************

All other commands are working fine.

Any solutions?
Greetz

Hi,

the CN matching (-N) fails when having additional informations, like an email address, in the subject.

$ openssl x509 -in mycert.pem -subject -noout -nameopt utf8,oneline,-esc_msb
subject= C = DE, ST = Foo, L = Bar, O = Baz, OU = yatta zonk, CN = my.host.name, emailAddress = [email protected]
$ openssl x509 -in mycert.pem -subject -noout -nameopt utf8,oneline,-esc_msb | sed -e "s/^.*[[:space:]]CN[[:space:]]=[[:space:]]//" -e "s/\/[[:alpha:]][[:alpha:]]*=.*\$//"
my.host.name, emailAddress = [email protected]

The slash is not a field delimiter, so the second sed instruction doesn't do anything. Better replace it with a simple -e 's/,.*//':

--- nagios-plugins-ssl_cert-1.30.0/check_ssl_cert.cnmatch
+++ nagios-plugins-ssl_cert-1.30.0/check_ssl_cert
@@ -965,7 +965,7 @@ main() {
     DATE="$($OPENSSL x509 -in "${CERT}" -enddate -noout | sed -e "s/^notAfter=//")"

     CN="$($OPENSSL x509 -in "${CERT}" -subject -noout -nameopt utf8,oneline,-esc_msb |
-        sed -e "s/^.*[[:space:]]CN[[:space:]]=[[:space:]]//" -e "s/\/[[:alpha:]][[:alpha:]]*=.*\$//")"
+        sed -e "s/^.*[[:space:]]CN[[:space:]]=[[:space:]]//" -e "s/.*\$//")"

     CA_O="$($OPENSSL x509 -in "${CERT}" -issuer -noout | sed -e "s/^.*\/O=//" -e "s/\/[A-Z][A-Z]*=.*\$//")"
     CA_CN="$($OPENSSL x509 -in "${CERT}" -issuer -noout  | sed -e "s/^.*\/CN=//" -e "s/\/[A-Za-z][A-Za-z]*=.*\$//")"

kind regards

Philippe

Hello,

what about a feature extension to add proxy support for the ocsp "curl" request.

For short fix i've added just the proxy for every curl command.
CURL_BIN="$CURL_BIN --proxy http://proxy:8080"

Hi,

Comodo OCSP/CRT servers seem to be down at the moment, therefore the plugin hangs and is only killed by nagios plugin execution timeout. It would ne nice if the timeout parameter would also apply to the OCSP part.

After upgrading to V.1.51.0 the script returns an error message "The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address" if the certificate has no SAN extension.

Even though the CA/Browser Forum has recommended in 2011 that the SAN must contain at least one entry, this refers only to the use of ssl in web browsers (https) and not for other ssl uses.

RFC 2818 states: "If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used." This implies that it is perfectly legal to have a CN entry only.

It would be very helpful if there were a command line switch that would loosen the new requirement for SAN entries to be present and maybe make it the default behaviour at https checks only. I have a number of internal legacy sites that are perfectly correct but don't contain SAN entries. It makes no sense to take the risk and time of upgrading them for the only reason of pleasing my ssl cert check.

Hi !
I think it could be very very helpful to show this error like this:
"cannot find program: $1"

Thanks!

Hi,

Our HIDS gave us this alert on our Icinga 2 master:

Anomaly detected in file '/tmp/check_ssl_certmBpt6O'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

Which made me look in /tmp folder, discovering there are thousands of files like these:

-rw-------  1 nagios   nagios     2151 May 28 22:49 check_ssl_certZZScEn
-rw-------  1 nagios   nagios     1548 May 29 16:04 check_ssl_certZZSs7R
-rw-------  1 nagios   nagios     1548 May 25 19:40 check_ssl_certzZsYGe
-rw-------  1 nagios   nagios     2151 May 30 00:18 check_ssl_certZzTyMU
-rw-------  1 nagios   nagios     1548 May 24 17:10 check_ssl_certzZzlvN

What can we do to avoid this?

Thanks and regards,
iodisciple

Hi
Thanks for your work!
I'd like to suggest to add file as one of the required programs. It is not installed by default in some operating system.

ISSUER_URIs with trailing / causes cp to fail:

        if [ -n "${DEBUG}" ] ; then
            echo "[DBG] OCSP: storing a copy of the retrieved issuer certificate to ${ISSUER_URI##*/}"
            cp "${ISSUER_CERT}" "${ISSUER_URI##*/}"

[DBG] ISSUER_URI = http://cert.int-x3.letsencrypt.org/
...
[DBG] OCSP: storing a copy of the retrieved issuer certificate to
cp: reguläre Datei „“ kann nicht angelegt werden: Datei oder Verzeichnis nicht gefunden

Option description is:

--altnames matches the pattern specified in -n with alternate names too

With this option in use, I have the following issue:

./check_ssl_cert --altnames -N  -H mail.domain.com -p 465 -d
...
[DBG] check CN: *.domain.com
[DBG] the common name *.domain.com begins with a '*'
[DBG] checking if the common name matches ^domain.com$
[DBG] checking if the common name matches ^[A-Za-z0-9-]*[.]domain[.]com$
[DBG] the common name mail.domain.com matches ^[A-Za-z0-9-]*[.]domain[.]com$
[DBG] checking if the common name mail.domain.com matches ^*.domain.com$
[DBG] checking altnames against mail.domain.com
[DBG]   *.domain.com
[DBG]   domain.com
SSL_CERT CRITICAL *.domain.com: invalid CN ('*.domain.com' does not match 'mail.domain.com')|days=318;;;;

Without this option all is good:

./check_ssl_cert -N  -H mail.domain.com -p 465 -d
...
[DBG] check CN: *.domain.com
[DBG] the common name *.domain.com begins with a '*'
[DBG] checking if the common name matches ^domain.com$
[DBG] checking if the common name matches ^[A-Za-z0-9-]*[.]domain[.]com$
[DBG] the common name mail.domain.com matches ^[A-Za-z0-9-]*[.]domain[.]com$
[DBG] checking if the common name mail.domain.com matches ^*.domain.com$
[DBG] CN check finished
...

I think this option behaviour should be 'allow', not 'require', so any can use this option for unified check if certificate is good for hostname, whether this hostname will be in CN field or in 'Alternative name' field of certificate.

Proposed patch:

@@ -1250,7 +1250,7 @@
         fi

         # Check alterante names
-        if [ -n "${ALTNAMES}" ] ; then
+        if [ -n "${ALTNAMES}" ] && [ -z "$ok" ]; then

             for cn in ${COMMON_NAME} ; do

Or maybe support of wildcard should be added to alternate names check. (I don't know if CN value is always passed as first altname at all certificates too).

Hi,

I'm Using VERSION=1.46.0.
We're trying to check several webservers internally with your script. Unfortunately, using certs of the internal CA is causing an issue:
"SSL_CERT UNKNOWN weberserver1.lan: Unable to fetch OCSP issuer certificate"

Using the command with the parameter "-r" doesnt fix, as we referred to a local path where the ROOTCA.cer file is located.

Could you help us here? I guess the OCSP issue didnt occur before Version 1.46

Sometimes a server requires a client certificate and there is no way to get one for Nagios to use when making checks.

In these cases, it would be desirable for check_ssl_cert to check the validity of the server cert and do nothing more

Currently, if it tries to connect to such a server it fails mysteriously:

$ /usr/lib/nagios/plugins/check_ssl_cert -r /etc/ssl/certs -H host.example.org -w 30 -c 21 
SSL_CERT CRITICAL: Error: verify depth is 6

Looking at the openssl s_client output, I notice these lines:

139641715861136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1294:SSL alert number 40
139641715861136:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:618:

Could you consider adding an option to allow users to check such services?

Hi, the plugin was working perfectly for a longer time on CentOS 7.
Since yesterday, I get a timeout, and on manual execution/Ctrl-C the following error:

CSSL_CERT CRITICAL www.mydomain.de: Error opening issuer certificate /tmp/check_ssl_certZgQ1V0
139756719761312:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/tmp/check_ssl_certZgQ1V0','r')
139756719761312:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate|days=884;;;;

Seeing "Unable to fetch OCSP issuer certificate." when checking a working domain.

Looks like the latest Centos 7 "file" command will recognise a PEM file so "file cert.crt" returns "cert.crt: PEM certificate" instead of "cert.crt: ASCII text". So some OCSP checks will fail.

Quick workaround is to change
# check the result
if ! file "${ISSUER_CERT}" | grep -q ': ASCII' ; then
to
# check the result
if ! file "${ISSUER_CERT}" | grep -q ': (ASCII|PEM)' ; then

Browsers are not case-sensitive when verifying the CN of a certificate, but check_ssl_cert is:

root@xxx:~# ./check_ssl_cert-1.30.0/check_ssl_cert -H xxx.xxx.gad.local --host-cn
SSL_CERT CRITICAL xxx.xxx.GAD.local: invalid CN ('xxx.xxx.GAD.local' does not match 'xxx.xxx.gad.local')|days=501;;;;

root@xxx:~# ./check_ssl_cert-1.31.0/check_ssl_cert -H xxx.xxx.gad.local --host-cn
SSL_CERT CRITICAL xxx.xxx.GAD.local: invalid CN ('xxx.xxx.GAD.local' does not match 'xxx.xxx.gad.local')|days=501;;;;

I think it should be default to ignore the case while checking the CN.

See https://sni.velox.ch for a list of SNI examples.

./check_ssl_cert -H alice.sni.velox.ch --ignore-ocsp -n bob.sni.velox.ch --Atlantis -n carol.sni.velox.ch

issues a critical status (which is correct) but with only one alternative name

./check_ssl_cert -H alice.sni.velox.ch --ignore-ocsp -n bob.sni.velox.ch --altnames -d

The result is OK as bob.sni.velox.ch is used for -servername but bob is not in the certificate delivered for alice

Hi,

I am attempting to use this plugin with Let's Encrypt issued certificates, but I keep running into the same error. At first I thought this was related to my specific certificate, but it seems to be a problem on all LE certificates. For testing, I used the helloworld.letsencrypt.org domain.

Is this a problem with my syntax or with the plugin?

I've tested it with various domains on various servers and have used different servers to test running the command from as well, all with the same result.

Hope you can help!

root@nagios:/home/myuser# ./check_ssl_cert -H helloworld.letsencrypt.org -c 5 -w 14 -v -d
[DBG] ROOT_CA =
expect not available
timeout available (/usr/bin/timeout)
[DBG] perl available: /usr/bin/perl
[DBG] date available: /bin/date
found GNU date with timestamp support: enabling date computations
[DBG] check_ssl_version: 1.51.0
[DBG] OpenSSL binary: /usr/bin/openssl
[DBG] OpenSSL version: OpenSSL 1.0.1f 6 Jan 2014
[DBG] System info: Linux nagios 3.13.0-73-generic #116-Ubuntu SMP Fri Dec 4 15:31:30 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[DBG] Date computation: GNU
[DBG] '/usr/bin/openssl s_client' supports '-servername': using -servername helloworld.letsencrypt.org
downloading certificate to /tmp
[DBG] executing with timeout (15s): echo 'Q' | /usr/bin/openssl s_client -connect helloworld.letsencrypt.org:443 -servername helloworld.letsencrypt.org -verify 6 2> /tmp/check_ssl_certUtfcxw 1> /tmp/check_ssl_certfdDmsm
[DBG] /usr/bin/timeout 15 /bin/sh -c "echo 'Q' | /usr/bin/openssl s_client -connect helloworld.letsencrypt.org:443 -servername helloworld.letsencrypt.org -verify 6 2> /tmp/check_ssl_certUtfcxw 1> /tmp/check_ssl_certfdDmsm"
[DBG] storing a copy of the retrieved certificate in helloworld.letsencrypt.org.crt
[DBG] storing a copy of the OpenSSL errors in helloworld.letsencrypt.org.error
parsing the certificate file
[DBG] subject= CN = helloworld.letsencrypt.org
[DBG] CN = helloworld.letsencrypt.org
[DBG] CA_O = Let's Encrypt
[DBG] CA_CN = Let's Encrypt Authority X3
[DBG] SERIAL = 03138CE4E010536F7E690296073C556AC9D7
[DBG] OCSP_URI = http://ocsp.int-x3.letsencrypt.org
[DBG] ISSUER_URI = http://cert.int-x3.letsencrypt.org/
[DBG] Signature Algorithm: sha256WithRSAEncryption
[DBG] Date computations: GNU
The certificate will expire in 50 day(s)
[DBG] subjectAlternativeName = helloworld.letsencrypt.org
[DBG] Checking expiration date
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_certfdDmsm -noout -checkend 432000
[DBG] executing: /usr/bin/openssl x509 -in /tmp/check_ssl_certfdDmsm -noout -checkend 1209600
[DBG] Checking revokation via OCSP
[DBG] OCSP: fetching issuer certificate http://cert.int-x3.letsencrypt.org/ to /tmp/check_ssl_certaM7nxr
[DBG] OCSP: issuer certificate type: data
[DBG] OCSP: converting issuer certificate from DER to PEM
[DBG] OCSP: storing a copy of the retrieved issuer certificate to cert.int-x3.letsencrypt.org
[DBG] OCSP: host = ocsp.int-x3.letsencrypt.org
[DBG] openssl ocsp supports the -header option
[DBG] openssl ocsp -header requires 'key value'
[DBG] executing /usr/bin/openssl ocsp -no_nonce -issuer /tmp/check_ssl_certaM7nxr -cert /tmp/check_ssl_certfdDmsm -url http://ocsp.int-x3.letsencrypt.org -header HOST ocsp.int-x3.letsencrypt.org
[DBG] OCSP: response = Response Verify Failure
[DBG] OCSP: response = 140015886833312:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:85:
[DBG] OCSP: response = /tmp/check_ssl_certfdDmsm: good
[DBG] OCSP: response = This Update: Aug 13 16:00:00 2017 GMT
[DBG] OCSP: response = Next Update: Aug 20 16:00:00 2017 GMT
[DBG] Error: verify depth is 6
[DBG] Error: depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
[DBG] Error: verify error:num=20:unable to get local issuer certificate
[DBG] Error: verify return:1
[DBG] Error: depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
[DBG] Error: verify error:num=27:certificate not trusted
[DBG] Error: verify return:1
[DBG] Error: depth=0 CN = helloworld.letsencrypt.org
[DBG] Error: verify return:1
[DBG] Error: DONE
SSL_CERT CRITICAL helloworld.letsencrypt.org: Cannot verify certificate: unable to get local issuer certificate, certificate not trusted|days=50;14;5;;

Hi
thanks for your script
i have a question
i have a server web with multi-domains and virtual host on apache server
i have 2 domains
https://www.domain.com
https://www.domain2.com
when i run the check on https://www.domain2.com the check get the date of the SSL certificate of the first virtual host
below an example
./check_ssl_cert -H www.domain2.com
i got an answer like that
SSL_CERT OK - X.509 certificate '*.domain.com' from 'COMODO RSA Domain

any ideas ?

Thanks

Another interesting one is looking at the client certs a server is willing to accept (OpenSLS returns this as Trust Client Cert CAs), again I wrote a crude check for these (https://exchange.nagios.org/directory/Plugins/Security/Check_client_cert_CAs_sent/details) but it might be worth adding in to yours? So checking that certain CAs are included or not included in the server response.

hi,
with OpenSSL 1.1.0f 25 May 2017 using --procotol xmpp there is no cert returned.

running bash -x check_ssl_cert shows:

/usr/bin/openssl s_client -starttls xmpp -connect localhost:5222 -servername xmpphost -verify 6

which does connect, but not return a cert.

using

/usr/bin/openssl s_client -starttls xmpp -connect localhost:5222 -xmpphost xmpphost -verify 6

a proper cert is returned.

otherwise, good work!