{"id":18030869,"url":"https://github.com/atc0005/check-cert","last_synced_at":"2026-02-13T06:40:10.340Z","repository":{"id":37038050,"uuid":"268761412","full_name":"atc0005/check-cert","owner":"atc0005","description":"Go-based tooling to check/verify certs","archived":false,"fork":false,"pushed_at":"2024-10-25T12:29:25.000Z","size":4816,"stargazers_count":19,"open_issues_count":60,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-25T13:53:33.661Z","etag":null,"topics":["certificate","cli","discovery","golang","inspect","nagios","nagios-plugin","plugin","scanner"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/atc0005.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-06-02T09:45:10.000Z","updated_at":"2024-10-15T11:26:49.000Z","dependencies_parsed_at":"2023-09-23T18:34:16.045Z","dependency_job_id":"1526afec-f1af-4bd5-bf16-86c0f127f31f","html_url":"https://github.com/atc0005/check-cert","commit_stats":null,"previous_names":["atc0005/check-certs"],"tags_count":180,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atc0005%2Fcheck-cert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atc0005%2Fcheck-cert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atc0005%2Fcheck-cert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/atc0005%2Fcheck-cert/manifests","owner_url":"https
://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/atc0005","download_url":"https://codeload.github.com/atc0005/check-cert/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":233433540,"owners_count":18675598,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate","cli","discovery","golang","inspect","nagios","nagios-plugin","plugin","scanner"],"created_at":"2024-10-30T09:15:25.273Z","updated_at":"2025-09-18T00:32:28.655Z","avatar_url":"https://github.com/atc0005.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- omit in toc --\u003e\n# check-cert\n\nGo-based tooling to check/verify certs (e.g., as part of a Nagios service check)\n\n[![Latest Release](https://img.shields.io/github/release/atc0005/check-cert.svg?style=flat-square)](https://github.com/atc0005/check-cert/releases/latest)\n[![Go Reference](https://pkg.go.dev/badge/github.com/atc0005/check-cert.svg)](https://pkg.go.dev/github.com/atc0005/check-cert)\n[![go.mod Go version](https://img.shields.io/github/go-mod/go-version/atc0005/check-cert)](https://github.com/atc0005/check-cert)\n[![Lint and Build](https://github.com/atc0005/check-cert/actions/workflows/lint-and-build.yml/badge.svg)](https://github.com/atc0005/check-cert/actions/workflows/lint-and-build.yml)\n[![Project Analysis](https://github.com/atc0005/check-cert/actions/workflows/project-analysis.yml/badge.svg)](https://github.com/atc0005/check-cert/actions/workflows/project-analysis.yml)\n\n\u003c!-- omit in toc --\u003e\n## Table of Contents\n\n- 
[Project home](#project-home)\n- [Overview](#overview)\n  - [`check_cert`](#check_cert)\n    - [Performance Data](#performance-data)\n  - [`lscert`](#lscert)\n  - [`cpcert`](#cpcert)\n  - [`certsum`](#certsum)\n- [Features](#features)\n  - [`check_cert`](#check_cert-1)\n  - [`lscert`](#lscert-1)\n  - [`cpcert`](#cpcert-1)\n  - [`certsum`](#certsum-1)\n  - [common](#common)\n- [Changelog](#changelog)\n- [Requirements](#requirements)\n  - [Building source code](#building-source-code)\n  - [Running](#running)\n- [Installation](#installation)\n  - [From source](#from-source)\n    - [Quick Start guide](#quick-start-guide)\n    - [Detailed guide](#detailed-guide)\n  - [Using release binaries](#using-release-binaries)\n- [Configuration options](#configuration-options)\n  - [Expiration threshold calculations](#expiration-threshold-calculations)\n  - [Asserting that expected Subject Alternate Names (SANs) are present](#asserting-that-expected-subject-alternate-names-sans-are-present)\n  - [Skip hostname verification when leaf cert is missing SANs entries](#skip-hostname-verification-when-leaf-cert-is-missing-sans-entries)\n  - [Applying or ignoring validation check results](#applying-or-ignoring-validation-check-results)\n    - [`check_cert` plugin](#check_cert-plugin)\n    - [`lscert` CLI tool](#lscert-cli-tool)\n    - [`cpcert` CLI tool](#cpcert-cli-tool)\n    - [`certsum` CLI tool](#certsum-cli-tool)\n  - [Command-line arguments](#command-line-arguments)\n    - [`check_cert`](#check_cert-2)\n    - [`lscert`](#lscert-2)\n      - [Flags](#flags)\n      - [Positional Argument](#positional-argument)\n    - [`cpcert`](#cpcert-2)\n      - [Flags](#flags-1)\n      - [Positional Arguments](#positional-arguments)\n    - [`certsum`](#certsum-2)\n  - [Configuration file](#configuration-file)\n- [Examples](#examples)\n  - [`check_cert` Nagios plugin](#check_cert-nagios-plugin)\n    - [OK results](#ok-results)\n    - [WARNING results](#warning-results)\n    - [CRITICAL 
results](#critical-results)\n      - [Expiring certificate](#expiring-certificate)\n      - [Expired certificate](#expired-certificate)\n    - [Explicitly applying validation check results](#explicitly-applying-validation-check-results)\n      - [`expiration`](#expiration)\n      - [`hostname`](#hostname)\n      - [`sans`](#sans)\n    - [Explicitly ignoring validation check results](#explicitly-ignoring-validation-check-results)\n      - [`expiration`](#expiration-1)\n      - [`hostname`](#hostname-1)\n      - [`sans`](#sans-1)\n      - [`expiration`, `hostname`, `sans`](#expiration-hostname-sans)\n    - [Reviewing a certificate file](#reviewing-a-certificate-file)\n  - [`lscert` CLI tool](#lscert-cli-tool-1)\n    - [Positional Argument](#positional-argument-1)\n      - [Simple](#simple)\n      - [Flags and Argument](#flags-and-argument)\n    - [OK results](#ok-results-1)\n    - [WARNING results](#warning-results-1)\n    - [CRITICAL results](#critical-results-1)\n    - [Reviewing a certificate file](#reviewing-a-certificate-file-1)\n  - [`cpcert` CLI tool](#cpcert-cli-tool-1)\n    - [Using positional arguments](#using-positional-arguments)\n      - [Copying certificates from server](#copying-certificates-from-server)\n      - [Copying certificates from file](#copying-certificates-from-file)\n    - [Using flags](#using-flags)\n      - [Copy everything](#copy-everything)\n      - [Leaf certificate only](#leaf-certificate-only)\n      - [Intermediate certificates only](#intermediate-certificates-only)\n      - [Root certificates only](#root-certificates-only)\n  - [`certsum` CLI tool](#certsum-cli-tool-1)\n    - [Certificates Overview](#certificates-overview)\n    - [CIDR range](#cidr-range)\n    - [Partial range](#partial-range)\n    - [Partial range and a single IP Address](#partial-range-and-a-single-ip-address)\n    - [Partial range, CIDR range and a single IP Address](#partial-range-cidr-range-and-a-single-ip-address)\n    - [Single IP Address and a 
FQDN](#single-ip-address-and-a-fqdn)\n    - [Show all scan results](#show-all-scan-results)\n- [Troubleshooting](#troubleshooting)\n  - [General](#general)\n  - [Encoded payloads](#encoded-payloads)\n- [License](#license)\n- [References](#references)\n\n## Project home\n\nSee [our GitHub repo][repo-url] for the latest code, to file an issue or\nsubmit improvements for review and potential inclusion into the project.\n\n## Overview\n\nThis repo contains various tools used to review, copy, monitor \u0026 validate\ncertificates.\n\n| Tool Name    | Description                                                                                                                |\n| ------------ | -------------------------------------------------------------------------------------------------------------------------- |\n| `check_cert` | Nagios plugin used to monitor \u0026 validate certificate chains.                                                               |\n| `lscert`     | CLI app used to generate a summary of certificate chain metadata and validation results.                                   |\n| `cpcert`     | CLI app used to copy and manipulate certificates.                                                                          |\n| `certsum`    | CLI app used to scan one or more given IP ranges or collection of name/FQDN values for certs and provide a summary report. |\n\n### `check_cert`\n\nNagios plugin used to monitor \u0026 perform validation checks of certificate\nchains.\n\nThe output is designed to provide the one-line summary needed by Nagios for\nquick identification of a problem while providing longer, more detailed\ninformation for use in email and Teams notifications\n([atc0005/send2teams](https://github.com/atc0005/send2teams)).\n\nValidation checks are applied in layers, with support for explicitly marking\nor flagging specific validation check results as \"ignored\". 
Ignored results\nare still listed, but in a separate section of the check results output (aka,\n\"report\") and are not considered when performing final plugin state (i.e.,\n`OK`, `WARNING`, `CRITICAL`).\n\nSome validation check results are ignored by default unless additional\ninformation is supplied. For example, the SANs list validation check result is\nignored unless the sysadmin provides a list of required SANs entries. Other\ncheck results may be ignored by default, but can be explicitly requested via a\nsupported flag keyword (see [configuration options](#configuration-options)\nfor more information).\n\nSee the [features list](#features) for the validation checks currently\nsupported by this plugin.\n\n---\n\nNOTE: The validation check behavior changes for `v0.8.0` are intended to be\nfully compatible with existing deployments. Please file a bug report if you\nfind that this is not the case.\n\nFor future releases, please review the release notes carefully for any\nbreaking changes.\n\n---\n\n#### Performance Data\n\nInitial support has been added for emitting Performance Data / Metrics, but\nrefinement suggestions are welcome.\n\nConsult the tables below for the metrics implemented thus far.\n\nPlease add to an existing\n[Discussion](https://github.com/atc0005/check-cert/discussions) thread\n(if applicable) or [open a new\none](https://github.com/atc0005/check-cert/discussions/new) with any\nfeedback that you may have. 
Thanks in advance!\n\n| Emitted Performance Data / Metric | Meaning                                                                                                                                                                                                                                  |\n| --------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `time`                            | Runtime for plugin                                                                                                                                                                                                                       |\n| `plugin_output_size`              | Total size of generated plugin output. Total content must fall within [max plugin output length restrictions](https://github.com/NagiosEnterprises/nagioscore/blob/a30a89e0a493da49416e32ed770e294b1fe800f5/include/nagios.h#L274-L280). |\n| `expires_leaf`                    | Days remaining before leaf (aka, \"server\") certificate expires. If multiple leaf certificates are present (invalid configuration), the one expiring soonest is reported.                                                                 |\n| `expires_intermediate`            | Days remaining before the next to expire intermediate certificate expires.                                                                                                                                                               |\n| `certs_present_leaf`              | Number of leaf (aka, \"server\") certificates present in the chain.                                                                                                                                                                        
|\n| `certs_present_intermediate`      | Number of intermediate certificates present in the chain.                                                                                                                                                                                |\n| `certs_present_root`              | Number of root certificates present in the chain.                                                                                                                                                                                        |\n| `certs_present_unknown`           | Number of certificates present in the chain with an unknown scope (i.e., the plugin cannot determine whether a leaf, intermediate or root). Please [report this scenario](https://github.com/atc0005/check-cert/issues/new/choose).      |\n| `life_remaining_leaf`             | Percentage of remaining time before leaf (aka, \"server\") certificate expires. If multiple leaf certificates are present (invalid configuration), the one expiring soonest is reported.                                                   |\n| `life_remaining_intermediate`     | Percentage of remaining time before the next to expire intermediate certificate expires.                                                                                                                                                 
|\n\n### `lscert`\n\nThe `lscert` CLI app is used to generate a summary of certificate chain\nmetadata and validation results for quick review.\n\nIt can be used to quickly review the results of replacing a certificate\nand/or troubleshoot why connections to a certificate-enabled service may be\nfailing.\n\nCertificate metadata can be retrieved from:\n\n- a remote service at a specified fully-qualified domain name (e.g.,\n  `www.github.com`) or IP Address and port (e.g., 443)\n- a local certificate \"bundle\" or standalone leaf certificate file\n\nIf specifying a host via IP Address, a hostname validation failure will be\nnoted unless:\n\n- you also specify the `DNS Name` or `hostname` that you wish to retrieve the\n  certificate for\n- the IP Address is in the Subject Alternate Name (SANs) list for the\n  certificate\n\nThis hostname validation failure can be ignored if you are only interested in\nviewing the details for the default certificate associated with the IP\nAddress.\n\n### `cpcert`\n\nThe `cpcert` CLI app is used to copy and manipulate certificates.\n\nCertificates can be copied from:\n\n- a remote service at a specified fully-qualified domain name (e.g.,\n  `www.github.com`) or IP Address and port (e.g., 443)\n- a local certificate \"bundle\" or standalone leaf certificate file\n\nIf specifying a host via IP Address, the default certificate chain (instead of\nthe one specific to a dedicated virtual host) will be retrieved unless:\n\n- you also specify the `DNS Name` or `hostname` that you wish to retrieve the\n  certificate for\n- the IP Address is in the Subject Alternate Name (SANs) list for the\n  certificate\n\nSupport is provided to filter the given input certificate chain to specified\ncertificate types.\n\n### `certsum`\n\n`certsum` is a cert scanner prototype. 
This tool is currently of \"beta\" level\nquality; many of the exposed flags, help text and summary output are subject\nto change significantly in later releases.\n\nThis tool is intended for scanning one or more given IP ranges or collection\nof name/FQDN values in order to generate a report for discovered certificates.\nWhile intended for mass discovery this tool may be used to scan as few as one\ntarget.\n\nPerformance is likely to be acceptable as-is for smaller IP ranges, but may be\nadjusted as needed using the rate limit tuning flag (see the [configuration\noptions](#configuration-options) section for details). The current default\nvalue is an attempt to balance scanning speed against OS limitations on the\nnumber of open file handles. If adjusting this value, start with small\nincrements to determine best results for your environment.\n\nA default inactivity timeout is used to terminate the application if scanning\nattempts stall for a specified period of time. See the [configuration\noptions](#configuration-options) section for details.\n\nIP Addresses may be specified as comma-separated values:\n\n- individual IP Addresses\n- CIDR IP ranges\n- partial ranges\n  - using partial implementation of octet range addressing (e.g.,\n    192.168.2.10-15)\n- Fully-qualified domain names (FQDNs)\n  - needed if retrieving a non-default certificate chain (via\n    [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) support)\n- Hostnames (**fragile**)\n  - this is highly dependent on your DNS configuration, particularly any\n    configured search list (aka, `DNS Suffix Search List` in Windows\n    terminology) entries used to qualify short/hostname values\n\nSupport is present (though limited) for filtering \"OK\" status hosts and certs\nto either increase or reduce the amount of information provided in the\ngenerated summary output. 
Two summary modes are provided to control the level\nof detail in the provided output.\n\nNOTE: If using IP Addresses (or ranges), only the default certificate will be\naccessible to this tool. Use FQDNs in order to retrieve certificates using\n[SNI](https://en.wikipedia.org/wiki/Server_Name_Indication).\n\n## Features\n\n### `check_cert`\n\n- Verify certificate used by specified service\n\n- Verify local certificate \"bundle\" or standalone leaf certificate file\n\n- Detailed \"report\" of findings\n  - certificate order\n  - certificate type\n  - status (OK, CRITICAL, WARNING)\n  - SANs entries\n  - serial number\n  - issuer\n\n- Multiple certificate validation checks\n  - Expiration status for all certificates in a chain\n    - not expired\n    - expiring \"soon\"\n      - warning threshold\n      - critical threshold\n  - Hostname value for the leaf certificate in a chain\n    - see subsection for skipping hostname verification when the leaf\n      certificate is missing SANs entries in the [configuration\n      options](#configuration-options) section for details\n  - Subject Alternate Names (SANs) for the leaf certificate in a chain\n    - if `SKIPSANSCHECKS` keyword is supplied as the value no SANs entry\n      checks will be performed; this keyword is useful for defining a shared\n      Nagios check command and service check where SANs list validation may\n      not be desired for some certificate chains (e.g., those with a very long\n      list of entries)\n\n- Optional support for skipping hostname verification for a certificate when\n  the SANs list is empty\n- Optional support for ignoring expiring intermediate certificates\n- Optional support for ignoring expired intermediate certificates\n- Optional support for ignoring expiring root certificates\n- Optional support for ignoring expired root certificates\n- Optional support for omitting Subject Alternate Names (SANs) entries from\n  plugin output\n- Optional support for embedding an encoded 
certificate metadata payload\n  - disabled by default to retain existing plugin behavior\n  - the intent is to \"shuttle\" a payload of certificate metadata in structured\n    format from the plugin, to the monitoring system and to downstream tools\n    (e.g., via API call) so that the payload can be retrieved, decoded, \u0026\n    unmarshalled to a supported data structure for further certificate\n    evaluation\n    - see also the \u003chttps://github.com/atc0005/cert-payload\u003e and\n      \u003chttps://github.com/atc0005/go-nagios\u003e projects for the data structures\n      and supporting logic used in the encoding/decoding process\n- Optional support for embedding an encoded certificate metadata payload *with\n    the original certificate chain included* in PEM encoded format\n  - this is not enabled by default due to the significant increase in plugin\n    output size\n- Optional support for overriding the default certificate metadata format\n  version used when generating payloads\n\n### `lscert`\n\n- Verify certificate used by specified service\n\n- Verify local certificate \"bundle\" or standalone leaf certificate file\n\n- Optional generation of OpenSSL-like text output from target cert-enabled\n  service or filename\n  - thanks to the `grantae/certinfo` package\n\n- Detailed \"report\" of findings\n  - certificate order\n  - certificate type\n  - status (OK, CRITICAL, WARNING)\n  - SANs entries\n  - serial number\n  - issuer\n\n- Multiple certificate validation checks\n  - Expiration status for all certificates in a chain\n  - Hostname value for the leaf certificate in a chain\n  - Subject Alternate Names (SANs) for the leaf certificate in a chain\n\n### `cpcert`\n\n- Copy certificate chain as-is from remote server\n\n- Filter given input file to specified types of certificates\n  - e.g., \"keep leaf cert only\"\n  - e.g., \"keep intermediates only\"\n\n### `certsum`\n\n- Generate summary of discovered certificates from given hosts (single or IP\n  
Address ranges, hostnames or FQDNs) and ports\n\n- Configurable rate limit\n\n- Specify one or many ports to scan for certificate chains\n\n- Configurable display of just \"problem\" results or all results\n\n- Choice of high-level summary/overview or separate output for each\n  certificate in a chain\n\n- Configurable application timeout (i.e., help prevent stalling out)\n\n### common\n\nFeatures common to all tools provided by this project.\n\n- Retrieve certificate chain using\n  [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication) support\n  - attempted by default if the given server name/FQDN value was resolvable\n  - server value can be overridden via the `dns-name` flag (see the\n    [configuration options](#configuration-options) section for details)\n\n- Optional, leveled logging using `rs/zerolog` package\n  - [`logfmt`][logfmt] format output\n    - to `stderr` for `check_cert`\n    - to `stdout` for `lscert` \u0026 `certsum`\n  - choice of `disabled`, `panic`, `fatal`, `error`, `warn`, `info` (the\n    default), `debug` or `trace`.\n\n- Optional, user-specified timeout value for TCP connection attempt\n\n## Changelog\n\nSee the [`CHANGELOG.md`](CHANGELOG.md) file for the changes associated with\neach release of this application. Changes that have been merged to `master`,\nbut not yet an official release may also be noted in the file under the\n`Unreleased` section. A helpful link to the Git commit history since the last\nofficial release is also provided for further review.\n\n## Requirements\n\nThe following is a loose guideline. 
Other combinations of Go and operating\nsystems for building and running tools from this repo may work, but have not\nbeen tested.\n\n### Building source code\n\n- Go\n  - see this project's `go.mod` file for *preferred* version\n  - this project tests against [officially supported Go\n    releases][go-supported-releases]\n    - the most recent stable release (aka, \"stable\")\n    - the prior, but still supported release (aka, \"oldstable\")\n- GCC\n  - if building with custom options (as the provided `Makefile` does)\n- `make`\n  - if using the provided `Makefile`\n\n### Running\n\n- Windows 10\n- Ubuntu Linux 18.04+\n- Red Hat Enterprise Linux 7+\n- macOS 11 Big Sur\n  - NOTE: You may need to build from source using an older Go release if your\n    version of macOS is not supported by the current \"oldstable\" version of Go\n  - \"stable\" release builds for this project are usually generated from the\n    most recent \"oldstable\" Go release version while \"dev\" or \"unstable\"\n    release builds are generated from the most recent \"stable\" or release\n    candidate Go release\n\n## Installation\n\n### From source\n\n#### Quick Start guide\n\nThis provides binaries based on the latest stable tag generated using the\nequivalent of `go build`.\n\n1. [Download][go-docs-download] Go\n1. [Install][go-docs-install] Go\n1. `go install github.com/atc0005/check-cert/cmd/certsum@latest`\n1. `go install github.com/atc0005/check-cert/cmd/lscert@latest`\n1. `go install github.com/atc0005/check-cert/cmd/cpcert@latest`\n1. `GOBIN=\"${PWD}\" go install github.com/atc0005/check-cert/cmd/check_cert@latest`\n1. 
`sudo mv check_cert /path/to/plugins/`\n   - e.g., `/usr/lib/nagios/plugins/` or `/usr/lib64/nagios/plugins/`,\n     depending on what distro you are running\n\nPer `go help install`:\n\n\u003e Executables are installed in the directory named by the GOBIN environment\n\u003e variable, which defaults to $GOPATH/bin or $HOME/go/bin if the GOPATH\n\u003e environment variable is not set. Executables in $GOROOT\n\u003e are installed in $GOROOT/bin or $GOTOOLDIR instead of $GOBIN.\n\n#### Detailed guide\n\nThis provides binaries based on the state of the current checked out branch\n(or tag) using either `go build` or if using the provided Makefile, build\nsettings intended to optimize for size and to prevent dynamic linkage.\n\n1. [Download][go-docs-download] Go\n1. [Install][go-docs-install] Go\n   - NOTE: Pay special attention to the remarks about `$HOME/.profile`\n1. Clone the repo\n   1. `cd /tmp`\n   1. `git clone https://github.com/atc0005/check-cert`\n   1. `cd check-cert`\n   1. (Optional) `git checkout vX.Y.Z`\n      - where `vX.Y.Z` is a tag such as `v0.8.0`\n1. 
Install dependencies (optional)\n   - for Ubuntu Linux\n     - `sudo apt-get install make gcc`\n   - for CentOS Linux\n     - `sudo yum install make gcc`\n   - for Windows\n     - Emulated environments (*easier*)\n       - Skip all of this and build using the default `go build` command in\n         Windows (see below for use of the `-mod=vendor` flag)\n       - build using Windows Subsystem for Linux Ubuntu environment and just\n         copy out the Windows binaries from that environment\n       - If already running a Docker environment, use a container with the Go\n         tool-chain already installed\n       - If already familiar with LXD, create a container and follow the\n         installation steps given previously to install required dependencies\n     - Native tooling (*harder*)\n       - see the StackOverflow Question `32127524` link in the\n         [References](references.md) section for potential options for\n         installing `make` on Windows\n       - see the mingw-w64 project homepage link in the\n         [References](references.md) section for options for installing `gcc`\n         and related packages on Windows\n1. Build binaries\n   - for the detected current operating system and architecture, explicitly\n     using bundled dependencies in top-level `vendor` folder\n     - `go build -mod=vendor ./cmd/check_cert/`\n     - `go build -mod=vendor ./cmd/lscert/`\n     - `go build -mod=vendor ./cmd/cpcert/`\n     - `go build -mod=vendor ./cmd/certsum/`\n   - for all supported platforms (where `make` is installed)\n      - `make all`\n   - for use on Windows amd64\n      - `make windows-x64-build`\n   - for use on Linux amd64\n     - `make linux-x64-build`\n   - for use on Linux arm64\n     - `make linux-arm64-build`\n   - for use on macOS amd64\n     - `make darwin-amd64-build`\n   - for use on macOS arm64\n     - `make darwin-arm64-build`\n1. 
Copy the newly compiled binary from the applicable `/tmp` subdirectory path\n   (based on the clone instructions in this section) below and deploy where\n   needed.\n   - if using `Makefile`\n     - look in `/tmp/check-cert/release_assets/check_cert/`\n     - look in `/tmp/check-cert/release_assets/lscert/`\n     - look in `/tmp/check-cert/release_assets/cpcert/`\n     - look in `/tmp/check-cert/release_assets/certsum/`\n   - if using `go build`\n     - look in `/tmp/check-cert/`\n\n**NOTE**: Depending on which `Makefile` recipe you use, the generated binary\nmay be compressed and have an `xz` extension. If so, you should decompress the\nbinary first before deploying it (e.g., `xz -d check_cert-linux-amd64.xz`).\n\n### Using release binaries\n\n1. Download the [latest\n   release](https://github.com/atc0005/check-cert/releases/latest) binaries\n1. Decompress binaries\n   - e.g., `xz -d check_cert-linux-amd64.xz`\n1. Rename binaries\n   - e.g., `mv check_cert-linux-amd64 check_cert`\n1. Deploy\n   - Place `check_cert` alongside your other Nagios plugins\n     - e.g., `/usr/lib/nagios/plugins/` or `/usr/lib64/nagios/plugins/`\n   - Place `lscert`, `cpcert`, `certsum` in a location of your choice\n     - e.g., `/usr/local/bin/`\n\n**NOTE**:\n\nAs of the v0.11.0 release, DEB and RPM packages are provided as an alternative\nto manually deploying binaries.\n\n## Configuration options\n\n### Expiration threshold calculations\n\nThis applies to all tools provided by this project.\n\nThe behavior of the `check_cert` plugin differs somewhat from `check_http`\n`v2.1.2`; this plugin triggers a whole day *later* than `check_http` does for\nthe same `WARNING` and `CRITICAL` threshold values.\n\nFor example, if we use the default values of 30 days for `WARNING` threshold\nand 15 days for the `CRITICAL` threshold:\n\n1. The thresholds are calculated\n    - `WARNING`: Now (exact time in UTC) + 30 days\n    - `CRITICAL`: Now (exact time in UTC) + 15 days\n1. 
The certificate expiration date is checked and the very first match (in\n   order) determines the status of the service check\n    1. if the certificate expires *before* the current time, the status is\n       `EXPIRED`\n    1. if the certificate expires *before* the CRITICAL threshold, the status\n       is `CRITICAL`\n    1. if the certificate expires *before* the WARNING threshold, the status\n       is `WARNING`\n    1. otherwise, the certificate is assumed to have a status of `OK`\n\nNo rounding is performed.\n\nSee GH-32 for additional info.\n\n### Asserting that expected Subject Alternate Names (SANs) are present\n\nAmong other validation checks, the `check_cert` plugin and `lscert` CLI tool\nboth support SANs list validation by accepting a CSV list of expected SANs\nentries and assert that:\n\n- all provided SANs entries are present on the leaf certificate\n- all SANs entries present on the leaf certificate are in the provided SANs\n  entries list\n\nProblem scenarios covered:\n\n- the cert provider omitted a requested/expected SANs entry\n- the monitoring configuration has not been updated to look for new SANs\n  entries present on the leaf cert\n\nAs a real-world use case, applying SANs list validation helped catch an\nunapproved DNS record (CNAME) change for a public service. The DNS record\nchange resulted in the service redirecting from the original (intended)\npre-production system to a development box used by a different team in another\nbusiness unit. While this would have likely been detected before the system\nwas deployed to production, it would have caused unnecessary confusion/delays\nwhile the issue was worked out. 
Instead, the monitoring system caught the
issue and the service owner was able to reach out immediately and coordinate
reverting the unauthorized change.

### Skip hostname verification when leaf cert is missing SANs entries

This is specific to the `check_cert` plugin.

Optional support is available to skip hostname verification if a certificate
is missing SANs entries.

- in version v0.5.3 and earlier, support was available for validating a given
  hostname against the Common Name field of a certificate, regardless of
  whether SANs entries were present
  - Go 1.15 marked this support as deprecated
  - Go 1.16 noted that it would be dropped in Go 1.17
  - Go 1.17 dropped this support
- in version 0.6.0 and later, support is available (if specified) to skip
  hostname verification if a certificate is missing Subject Alternate Names
  (SANs) entries
  - this support is intended as a temporary workaround until the certificate
    expires and is replaced with a certificate containing a valid SANs list

See the flags table for the `check_cert` plugin for more information.

### Applying or ignoring validation check results

#### `check_cert` plugin

As of v0.8.0, all available validation checks are performed regardless of
which flags and flag values are specified.

Whereas the previous behavior was to both apply a validation check *and*
hard-code the behavior of applying the result against the final plugin state,
support has been added to explicitly *apply* or *ignore* individual validation
check results.

This support is provided via new flags and a set of keywords that may be
specified as a comma-separated value list.

Most validation check results are applied by default, provided that the
required configuration settings are present. Some are ignored by default.

| Validation Check Result | Applied by default | Requirements              |
| ----------------------- | ------------------ | ------------------------- |
| `Expiration`            | Yes                | Expiration thresholds     |
| `Hostname`              | Yes                | Server or DNS Name values |
| `SANs list`             | Yes`*`             | SANs entries              |

The certificate expiration validation check is applied using default
thresholds if not specified by the sysadmin. The hostname verification check
is applied using either the server (fallback) or DNS Name (preferred) value.

The SANs list validation check`*` is applied *if* SANs entries are provided.
If SANs entries are not specified, this validation check is still performed,
but it is noted as ignored in the output (and not used when determining the
final plugin state); without SANs entries to validate, the SANs list
validation check result is of limited value. If the check is explicitly
requested and SANs entries are not provided, a configuration error is emitted
and the plugin terminates.

#### `lscert` CLI tool

All validation checks are applied with output streamlined for quick pass/fail
evaluation. While flags are not currently offered to explicitly *apply* or
*ignore* validation check results, this support may be added in the future if
there is sufficient interest.

#### `cpcert` CLI tool

Not applicable to this tool.

#### `certsum` CLI tool

No changes to validation check results have been made as of the v0.8.0
release. This tool continues to focus on identifying problem certificates by
way of expiration date thresholds.
Future versions may incorporate additional\nvalidation checks and any behavior changes at that time noted.\n\n### Command-line arguments\n\n- Use the `-h` or `--help` flag to display current usage information.\n- Flags marked as **`required`** must be set via CLI flag.\n- Flags *not* marked as required are for settings where a useful default is\n  already defined, but may be overridden if desired.\n\n#### `check_cert`\n\n| Flag                                         | Required  | Default | Repeat | Possible                                                                | Description                                                                                                                                                                                                                                                                                                                                   |\n| -------------------------------------------- | --------- | ------- | ------ | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `f`, `filename`                              | No        |         | No     | *valid file name characters*                                            | Fully-qualified path to a PEM (text) or binary DER formatted certificate file containing one or more certificates.                                                                                                                                                                                                                            
|\n| `branding`                                   | No        | `false` | No     | `branding`                                                              | Toggles emission of branding details with plugin status details. This output is disabled by default.                                                                                                                                                                                                                                          |\n| `h`, `help`                                  | No        | `false` | No     | `h`, `help`                                                             | Show Help text along with the list of supported flags.                                                                                                                                                                                                                                                                                        |\n| `v`, `verbose`                               | No        | `false` | No     | `v`, `verbose`                                                          | Toggles emission of detailed certificate metadata. This level of output is disabled by default.                                                                                                                                                                                                                                               |\n| `payload`                                    | No        | `false` | No     | `true`, `false`                                                         | Toggles emission of encoded certificate chain payload. This output is disabled by default.                                                                                                                                                                                                                                                    
|\n| `payload-with-full-chain`                    | No        | `false` | No     | `true`, `false`                                                         | Toggles emission of encoded certificate chain payload with the full certificate chain included. This option is disabled by default due to the significant increase in payload size.                                                                                                                                                           |\n| `payload-format`                             | No        | `1`     | No     | *positive whole number for valid payload format version*                | Specifies the format version to use when generating the (optional) certificate metadata payload. Format version `0` is unstable and intended for development purposes only.                                                                                                                                                                   |\n| `omit-sans-list`, `omit-sans-entries`        | No        | `false` | No     | `true`, `false`                                                         | Toggles listing of SANs entries list items in certificate metadata output. This list is included by default.                                                                                                                                                                                                                                  |\n| `version`                                    | No        | `false` | No     | `version`                                                               | Whether to display application version and then immediately exit application.                                                                                                                                                                                                                                                                 
|\n| `c`, `age-critical`                          | No        | 15      | No     | *positive whole number of days*                                         | The threshold for the certificate check's `CRITICAL` state. If the certificate expires before this number of days then the service check will be considered in a `CRITICAL` state.                                                                                                                                                            |\n| `w`, `age-warning`                           | No        | 30      | No     | *positive whole number of days*                                         | The threshold for the certificate check's `WARNING` state. If the certificate expires before this number of days, but not before the `age-critical` value, then the service check will be considered in a `WARNING` state.                                                                                                                    |\n| `ll`, `log-level`                            | No        | `info`  | No     | `disabled`, `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace` | Log message priority filter. Log messages with a lower level are ignored.                                                                                                                                                                                                                                                                     |\n| `p`, `port`                                  | No        | `443`   | No     | *positive whole number between 1-65535, inclusive*                      | TCP port of the remote certificate-enabled service. This is usually 443 (HTTPS) or 636 (LDAPS).                                                                                                                                                                                                                                               
|\n| `t`, `timeout`                               | No        | `10`    | No     | *positive whole number of seconds*                                      | Timeout value in seconds allowed before a connection attempt to a remote certificate-enabled service (in order to retrieve the certificate) is abandoned and an error returned.                                                                                                                                                               |\n| `se`, `sans-entries`                         | No        |         | No     | *comma-separated list of values*                                        | One or many names required to be in the Subject Alternate Names (SANs) list for a leaf certificate. If provided, this list of comma-separated values is required for the certificate to pass validation. If the case-insensitive `SKIPSANSCHECKS` keyword is provided the results from this validation check will be flagged as ignored.      |\n| `s`, `server`                                | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | The fully-qualified domain name or IP Address used for certificate chain retrieval. This value should appear in the Subject Alternate Names (SANs) list for the leaf certificate unless also using the `dns-name` flag.                                                                                                                       |\n| `dn`, `dns-name`                             | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | A fully-qualified domain name or IP Address in the Subject Alternate Names (SANs) list for the leaf certificate. If specified, this value will be used when retrieving the certificate chain (SNI support) and for hostname verification. Required when evaluating certificate files. See the `server` flag description for more information. 
|\n| `ignore-hostname-verification-if-empty-sans` | No        | `false` | No     | `true`, `false`                                                         | Whether a hostname verification failure should be ignored if Subject Alternate Names (SANs) list is empty.                                                                                                                                                                                                                                    |\n| `ignore-expired-intermediate-certs`          | No        | `false` | No     | `true`, `false`                                                         | Whether expired intermediate certificates should be ignored.                                                                                                                                                                                                                                                                                  |\n| `ignore-expired-root-certs`                  | No        | `false` | No     | `true`, `false`                                                         | Whether expired root certificates should be ignored.                                                                                                                                                                                                                                                                                          |\n| `ignore-expiring-intermediate-certs`         | No        | `false` | No     | `true`, `false`                                                         | Whether expiring intermediate certificates should be ignored.                                                                                                                                                                                                                                                                                 
|\n| `ignore-expiring-root-certs`                 | No        | `false` | No     | `true`, `false`                                                         | Whether expiring root certificates should be ignored.                                                                                                                                                                                                                                                                                         |\n| `ignore-validation-result`                   | No        |         | No     | `sans`, `expiration`, `hostname`                                        | List of keywords for certificate chain validation check result that should be explicitly ignored and not used to determine final validation state.                                                                                                                                                                                            |\n| `apply-validation-result`                    | No        |         | No     | `sans`, `expiration`, `hostname`                                        | List of keywords for certificate chain validation check results that should be explicitly applied and used to determine final validation state.                                                                                                                                                                                               |\n| `list-ignored-errors`                        | No        | `false` | No     | `true`, `false`                                                         | Toggles emission of ignored validation check result errors. Disabled by default to reduce confusion.                                                                                                                                                                                                                                          
|\n\n#### `lscert`\n\n##### Flags\n\n| Flag                                  | Required  | Default | Repeat | Possible                                                                | Description                                                                                                                                                                                                                                                                                                                                   |\n| ------------------------------------- | --------- | ------- | ------ | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `f`, `filename`                       | No        |         | No     | *valid file name characters*                                            | Fully-qualified path to a PEM (text) or binary DER formatted certificate file containing one or more certificates.                                                                                                                                                                                                                            |\n| `text`                                | No        | `false` | No     | `true`, `false`                                                         | Toggles emission of x509 TLS certificates in an OpenSSL-inspired text format. This output is disabled by default.                                                                                                                                                                                                                             
|\n| `h`, `help`                           | No        | `false` | No     | `h`, `help`                                                             | Show Help text along with the list of supported flags.                                                                                                                                                                                                                                                                                        |\n| `v`, `verbose`                        | No        | `false` | No     | `v`, `verbose`                                                          | Toggles emission of detailed certificate metadata. This level of output is disabled by default.                                                                                                                                                                                                                                               |\n| `omit-sans-list`, `omit-sans-entries` | No        | `false` | No     | `true`, `false`                                                         | Toggles listing of SANs entries list items in certificate metadata output. This list is included by default.                                                                                                                                                                                                                                  |\n| `version`                             | No        | `false` | No     | `version`                                                               | Whether to display application version and then immediately exit application.                                                                                                                                                                                                                                                                 
|\n| `c`, `age-critical`                   | No        | 15      | No     | *positive whole number of days*                                         | The threshold for the certificate check's `CRITICAL` state. If the certificate expires before this number of days then the service check will be considered in a `CRITICAL` state.                                                                                                                                                            |\n| `w`, `age-warning`                    | No        | 30      | No     | *positive whole number of days*                                         | The threshold for the certificate check's `WARNING` state. If the certificate expires before this number of days, but not before the `age-critical` value, then the service check will be considered in a `WARNING` state.                                                                                                                    |\n| `ll`, `log-level`                     | No        | `info`  | No     | `disabled`, `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace` | Log message priority filter. Log messages with a lower level are ignored.                                                                                                                                                                                                                                                                     |\n| `p`, `port`                           | No        | `443`   | No     | *positive whole number between 1-65535, inclusive*                      | TCP port of the remote certificate-enabled service. This is usually 443 (HTTPS) or 636 (LDAPS).                                                                                                                                                                                                                                               
|\n| `t`, `timeout`                        | No        | `10`    | No     | *positive whole number of seconds*                                      | Timeout value in seconds allowed before a connection attempt to a remote certificate-enabled service (in order to retrieve the certificate) is abandoned and an error returned.                                                                                                                                                               |\n| `se`, `sans-entries`                  | No        |         | No     | *comma-separated list of values*                                        | One or many names required to be in the Subject Alternate Names (SANs) list for a leaf certificate. If provided, this list of comma-separated values is required for the certificate to pass validation. If the case-insensitive `SKIPSANSCHECKS` keyword is provided the results from this validation check will be flagged as ignored.      |\n| `s`, `server`                         | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | The fully-qualified domain name or IP Address used for certificate chain retrieval. This value should appear in the Subject Alternate Names (SANs) list for the leaf certificate unless also using the `dns-name` flag.                                                                                                                       |\n| `dn`, `dns-name`                      | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | A fully-qualified domain name or IP Address in the Subject Alternate Names (SANs) list for the leaf certificate. If specified, this value will be used when retrieving the certificate chain (SNI support) and for hostname verification. Required when evaluating certificate files. See the `server` flag description for more information. 
|\n\n##### Positional Argument\n\nAs of the v0.9.0 release the `lscert` tool accepts a URL pattern as a single\npositional argument. This positional argument value can be any of:\n\n- URL\n- resolvable name\n- IP Address\n\n---\n\n**NOTE**: Due to limitations in the Go standard library's support for\ncommand-line argument handling all flags must come before positional arguments\non the command line.\n\n---\n\nValid syntax:\n\n- `lscert -flag1 value1 INPUT_PATTERN`\n\nInvalid syntax:\n\n- `lscert INPUT_PATTERN -flag1 value1`\n\nSome valid examples:\n\n- `lscert google.com`\n- `lscert https://www.google.com`\n- `lscert https://www.google.com:443`\n- `lscert --log-level debug google.com`\n- `lscert --dns-name one.one.one.one 1.1.1.1`\n\nAside from the required order of flags and positional argument noted above,\nthere are additional requirements to be aware of:\n\n- if the `server` or `filename` flags are specified, the positional argument\n  is ignored\n- if the `port` flag is specified, its value will be ignored if a port is\n  provided in the given URL pattern positional argument\n\n#### `cpcert`\n\n##### Flags\n\n| Flag                    | Required  | Default | Repeat | Possible                                                                | Description                                                                                                                                                                                                                                                                                                                                   |\n| ----------------------- | --------- | ------- | ------ | ----------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `if`, `input-filename`  | No        |         | No     | *valid file name characters*                                            | Fully-qualified path to a PEM (text) or binary DER formatted certificate file containing one or more certificates.                                                                                                                                                                                                                            |\n| `of`, `output-filename` | Yes       |         | No     | *valid file name characters*                                            | Fully-qualified path to an output file to write one or more PEM (text) encoded certificates.                                                                                                                                                                                                                                                  |\n| `h`, `help`             | No        | `false` | No     | `h`, `help`                                                             | Show Help text along with the list of supported flags.                                                                                                                                                                                                                                                                                        |\n| `v`, `verbose`          | No        | `false` | No     | `v`, `verbose`                                                          | Toggles emission of detailed certificate metadata. This level of output is disabled by default.                         
                                                                                                                                                                                                                      |\n| `version`               | No        | `false` | No     | `version`                                                               | Whether to display application version and then immediately exit application.                                                                                                                                                                                                                                                                 |\n| `ll`, `log-level`       | No        | `info`  | No     | `disabled`, `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace` | Log message priority filter. Log messages with a lower level are ignored.                                                                                                                                                                                                                                                                     |\n| `p`, `port`             | No        | `443`   | No     | *positive whole number between 1-65535, inclusive*                      | TCP port of the remote certificate-enabled service. This is usually 443 (HTTPS) or 636 (LDAPS).                                                                                                                                                                                                                                               |\n| `t`, `timeout`          | No        | `10`    | No     | *positive whole number of seconds*                                      | Timeout value in seconds allowed before a connection attempt to a remote certificate-enabled service (in order to retrieve the certificate) is abandoned and an error returned.                                                                 
                                                                                              |\n| `s`, `server`           | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | The fully-qualified domain name or IP Address used for certificate chain retrieval. This value should appear in the Subject Alternate Names (SANs) list for the leaf certificate unless also using the `dns-name` flag.                                                                                                                       |\n| `dn`, `dns-name`        | **Maybe** |         | No     | *fully-qualified domain name or IP Address*                             | A fully-qualified domain name or IP Address in the Subject Alternate Names (SANs) list for the leaf certificate. If specified, this value will be used when retrieving the certificate chain (SNI support) and for hostname verification. Required when evaluating certificate files. See the `server` flag description for more information. |\n| `keep`                  | No        | `all`   | No     | `all`, `leaf`, `intermediate`, `root`                                   | List of keywords for certificate types that should be kept from the input certificate chain when saving the output file.                                                                                                                                                                                                                      |\n\n##### Positional Arguments\n\nIn addition to input and output filename flags, the `cpcert` tool accepts two\npositional arguments:\n\n1. URL pattern or input filename\n1. 
output filename\n\n\"URL patterns\" can be any of:\n\n- URL\n- resolvable name\n- IP Address\n\n---\n\n**NOTE**: Due to limitations in the Go standard library's support for\ncommand-line argument handling, all flags must come before positional arguments\non the command line.\n\n---\n\nValid syntax:\n\n- `cpcert -flag1 value1 INPUT_PATTERN OUTPUT_FILE`\n\nInvalid syntax:\n\n- `cpcert INPUT_PATTERN OUTPUT_FILE -flag1 value1`\n\nSome valid examples:\n\n- `cpcert google.com google_cert_chain.pem`\n- `cpcert https://www.google.com google_cert_chain.pem`\n- `cpcert https://www.google.com:443 google_cert_chain.pem`\n- `cpcert --log-level debug google.com google_cert_chain.pem`\n- `cpcert --dns-name one.one.one.one 1.1.1.1 cf_dns_1111_cert_chain.pem`\n- `cpcert --keep leaf cf_dns_1111_cert_chain.pem cf_dns_1111_leaf_cert_only.pem`\n\nAside from the required order of flags and positional arguments noted above,\nthere are additional requirements to be aware of:\n\n- specifying the `server`, `input-filename` or `output-filename` flags\n  alongside positional arguments is unsupported\n- if the `port` flag is specified, its value will be ignored if a port is\n  provided in the given URL pattern positional argument\n\n#### `certsum`\n\nThis tool is in early development. 
Options for this tool are subject to\nchange, perhaps even significantly, in future releases.\n\n| Flag                                   | Required | Default | Repeat | Possible                                                                                | Description                                                                                                                                                                                                                                                                                                                                                           |\n| -------------------------------------- | -------- | ------- | ------ | --------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| `h`, `help`                            | No       | `false` | No     | `h`, `help`                                                                             | Show Help text along with the list of supported flags.                                                                                                                                                                                                                                                                                                                |\n| `version`                              | No       | `false` | No     | `version`                                                                               | Whether to display application version and then immediately exit application.                                                                                           
                                                                                                                                                                                              |\n| `c`, `age-critical`                    | No       | 15      | No     | *positive whole number of days*                                                         | The threshold for the certificate check's `CRITICAL` state. If the certificate expires before this number of days then the service check will be considered in a `CRITICAL` state.                                                                                                                                                                                    |\n| `w`, `age-warning`                     | No       | 30      | No     | *positive whole number of days*                                                         | The threshold for the certificate check's `WARNING` state. If the certificate expires before this number of days, but not before the `age-critical` value, then the service check will be considered in a `WARNING` state.                                                                                                                                            |\n| `ll`, `log-level`                      | No       | `info`  | No     | `disabled`, `panic`, `fatal`, `error`, `warn`, `info`, `debug`, `trace`                 | Log message priority filter. Log messages with a lower level are ignored.                                                                                                                                                                                                                                                                                             
|\n| `t`, `timeout`                         | No       | `10`    | No     | *positive whole number of seconds*                                                      | Timeout value in seconds allowed before a connection attempt to a remote certificate-enabled service (in order to retrieve the certificate) is abandoned and an error returned.                                                                                                                                                                                       |\n| `se`, `sans-entries`                   | No       |         | No     | *comma-separated list of values*                                                        | One or many Subject Alternate Names (SANs) expected for the certificate used by the remote service. If provided, this list of comma-separated (optional) values is required for the certificate to pass validation. If the case-insensitive SKIPSANSCHECKS keyword is provided this validation will be skipped, effectively turning the use of this flag into a NOOP. |\n| `st`, `scan-timeout`                   | No       | 200     | No     | *positive whole number of milliseconds, minimum 1*                                      | The number of milliseconds before a connection attempt during a port scan is abandoned and an error returned. This timeout value is separate from the general `timeout` value used when retrieving certificates. This setting is used specifically to quickly determine port state as part of bulk operations where speed is crucial.                                 |\n| `at`, `app-timeout`                    | No       | 30      | No     | *positive whole number of seconds, minimum 2*                                           | The number of seconds the application is allowed to remain inactive (i.e., \"hung\") before it is automatically terminated.                                                                                                                                           
                                                                                                  |\n| `srl`, `scan-rate-limit`               | No       | 100     | No     | *positive whole number*                                                                 | Maximum concurrent port and certificate scans. Remaining scans are queued until an existing scan completes.                                                                                                                                                                                                                                                           |\n| `ips`, `hosts`                         | No       |         | No     | *one or more valid, comma-separated IP Addresses (single or range), hostnames or FQDNs* | List of comma-separated individual IP Addresses, CIDR IP ranges, partial (dash-separated) ranges (e.g., 192.168.2.10-15), hostnames or FQDNs to scan for certificates.                                                                                                                                                                                                |\n| `p`, `ports`                           | No       | 443     | No     | *one or more valid, comma-separated TCP ports*                                          | List of comma-separated TCP ports to check for certificates. If not specified, the list defaults to 443 only.                                                                                                                                                                                                                                                         |\n| `spsr`, `show-port-scan-results`       | No       | `false` | No     | `true`, `false`                                                                         | Toggles listing host port scan results.                                                                                                                             
                                                                                                                                                                                                  |\n| `scp`, `show-closed-ports`             | No       | `false` | No     | `true`, `false`                                                                         | Toggles listing all host port scan results, even for hosts without any specified ports in an open state.                                                                                                                                                                                                                                                              |\n| `shwvc`, `show-hosts-with-valid-certs` | No       | `false` | No     | `true`, `false`                                                                         | Toggles listing all cert check results in overview output, even for hosts with valid certificates.                                                                                                                                                                                                                                                                    |\n| `svc`, `show-valid-certs`              | No       | `false` | No     | `true`, `false`                                                                         | Toggles listing all certificates in output summary, even certificates which have passed all validity checks.                                                                                                                                                                                                                                                          |\n| `so`, `show-overview`                  | No       | `false` | No     | `true`, `false`                                                                         | Toggles summary output view from detailed to overview.              
                                                                                                                                                                                                                                                                                                  |\n\n### Configuration file\n\nNot currently supported. This feature may be added later if there is\nsufficient interest.\n\n## Examples\n\n### `check_cert` Nagios plugin\n\n#### OK results\n\nThis example shows using the Nagios plugin to manually check a remote\ncertificate-enabled port on `www.google.com`. We override the default\n`WARNING` and `CRITICAL` age threshold values with somewhat arbitrary numbers.\n\nNOTE: Use the `--verbose` flag to expose further details.\n\n```ShellSession\n$ check_cert --server www.google.com --port 443 --age-critical 30 --age-warning 50\nOK: Expiration validation successful: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 2022-08-29 09:39:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 0 FAILED, 2 SUCCESSFUL (Hostname, Expiration)]\n\n3 certs retrieved for service running on www.google.com (64.233.185.105) at port 443 using host value \"www.google.com\"\n\n\nPROBLEM RESULTS:\n\n* None\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 1 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 2022-08-29 09:39:59 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=www.google.com\n        SANs entries: [www.google.com]\n        Issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        Serial: 9F:07:4B:11:74:5F:16:FC:12:23:75:FA:58:79:93:F0\n        Issued On: 2022-06-06 09:40:00 +0000 UTC\n        Expiration: 2022-08-29 09:39:59 +0000 UTC\n        Status: [OK] 65d 23h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=GTS CA 
1C3,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        Serial: 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66\n        Issued On: 2020-08-13 00:00:42 +0000 UTC\n        Expiration: 2027-09-30 00:00:42 +0000 UTC\n        Status: [OK] 1923d 13h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE\n        Serial: 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D\n        Issued On: 2020-06-19 00:00:42 +0000 UTC\n        Expiration: 2028-01-28 00:00:42 +0000 UTC\n        Status: [OK] 2043d 13h remaining\n\n[OK] Hostname validation using value \"www.google.com\" successful for leaf certificate\n\n | 'time'=305ms;;;;\n```\n\nSee the `WARNING` example output for additional details.\n\n#### WARNING results\n\nHere we do the same thing again, but using the expiration date values returned\nearlier as a starting point, we intentionally move the threshold values in\norder to trigger a `WARNING` state for the leaf certificate.\n\nNOTE: Use the `--verbose` flag to expose further details.\n\n```ShellSession\n$ check_cert --server www.google.com --port 443 --age-critical 30 --age-warning 70\n5:32AM ERR cmd/check_cert/main.go:413 \u003e validation checks failed for certificate chain error=\"summary: 1 of 3 validation checks failed\" age_critical=30 age_warning=70 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=www.google.com version=\"check-cert x.y.z (https://github.com/atc0005/check-cert)\"\nWARNING: Expiration validation failed: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 
2022-08-29 09:39:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 1 FAILED (Expiration), 1 SUCCESSFUL (Hostname)]\n\n**VALIDATION ERRORS**\n\n* expiration validation failed: expiring certificates found\n\n**VALIDATION CHECKS REPORT**\n\n3 certs retrieved for service running on www.google.com (64.233.185.105) at port 443 using host value \"www.google.com\"\n\n\nPROBLEM RESULTS:\n\n[!!] Expiration validation failed: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 2022-08-29 09:39:59 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=www.google.com\n        SANs entries: [www.google.com]\n        Issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        Serial: 9F:07:4B:11:74:5F:16:FC:12:23:75:FA:58:79:93:F0\n        Issued On: 2022-06-06 09:40:00 +0000 UTC\n        Expiration: 2022-08-29 09:39:59 +0000 UTC\n        Status: [WARNING] 65d 23h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        Serial: 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66\n        Issued On: 2020-08-13 00:00:42 +0000 UTC\n        Expiration: 2027-09-30 00:00:42 +0000 UTC\n        Status: [OK] 1923d 13h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE\n        Serial: 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D\n        Issued On: 2020-06-19 00:00:42 +0000 UTC\n        Expiration: 2028-01-28 00:00:42 +0000 UTC\n        Status: [OK] 2043d 13h remaining\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 1 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Hostname validation using value \"www.google.com\" successful for leaf certificate\n\n | 'time'=144ms;;;;\n```\n\nSome 
items to note (in order of appearance):\n\n1. `logfmt` output providing human-readable, structured logging information\n   - this is sent to `stderr`\n   - Nagios ignores `stderr` output from plugins; `stdout` is for Nagios,\n     `stderr` is for humans\n1. The one-line status output on the second line\n   - this is used by Nagios for display in an overview view for all service\n     checks for a host\n   - this is used by Nagios for text, email and whatever other notifications\n     are configured\n1. The `VALIDATION ERRORS` section notes briefly what is wrong with the cert\n1. The `VALIDATION CHECKS REPORT` section provides an overview of the specific\n   validation checks performed along with a summary of the certificate chain\n   evaluated\n   - this is used by Nagios for display on the detailed service check-specific\n     page (e.g., shows last check time, frequency, current state, etc.)\n   - as for the one-line output, this is used by Nagios for text, email and\n     whatever other notifications may be configured\n1. 
The `Status` field for the leaf certificate changed from `OK` to `WARNING`\n   and this plugin set the appropriate exit code to let Nagios know of the\n   state change.\n\n#### CRITICAL results\n\n##### Expiring certificate\n\nAs with the `WARNING` example, we use the expiration date values returned from\nthe initial check as a starting point and intentionally move the threshold\nvalues in order to trigger a `CRITICAL` state for the leaf certificate.\n\nNOTE: Use the `--verbose` flag to expose further details.\n\n```ShellSession\n$ check_cert --server www.google.com --port 443 --age-critical 70 --age-warning 90\n5:36AM ERR cmd/check_cert/main.go:413 \u003e validation checks failed for certificate chain error=\"summary: 1 of 3 validation checks failed\" age_critical=70 age_warning=90 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=www.google.com version=\"check-cert x.y.z (https://github.com/atc0005/check-cert)\"\nCRITICAL: Expiration validation failed: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 2022-08-29 09:39:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 1 FAILED (Expiration), 1 SUCCESSFUL (Hostname)]\n\n**VALIDATION ERRORS**\n\n* expiration validation failed: expiring certificates found\n\n**VALIDATION CHECKS REPORT**\n\n3 certs retrieved for service running on www.google.com (64.233.185.105) at port 443 using host value \"www.google.com\"\n\n\nPROBLEM RESULTS:\n\n[!!] 
Expiration validation failed: leaf cert \"www.google.com\" expires next with 65d 23h remaining (until 2022-08-29 09:39:59 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=www.google.com\n        SANs entries: [www.google.com]\n        Issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        Serial: 9F:07:4B:11:74:5F:16:FC:12:23:75:FA:58:79:93:F0\n        Issued On: 2022-06-06 09:40:00 +0000 UTC\n        Expiration: 2022-08-29 09:39:59 +0000 UTC\n        Status: [CRITICAL] 65d 23h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        Serial: 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66\n        Issued On: 2020-08-13 00:00:42 +0000 UTC\n        Expiration: 2027-09-30 00:00:42 +0000 UTC\n        Status: [OK] 1923d 13h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE\n        Serial: 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D\n        Issued On: 2020-06-19 00:00:42 +0000 UTC\n        Expiration: 2028-01-28 00:00:42 +0000 UTC\n        Status: [OK] 2043d 13h remaining\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 1 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Hostname validation using value \"www.google.com\" successful for leaf certificate\n\n | 'time'=303ms;;;;\n```\n\n##### Expired certificate\n\nHere we use the expired.badssl.com subdomain to demo the results of\nencountering one or more (in this case more) expired certificates in a chain.\nAside from the FQDN, all default options (including the port) are used.\n\nNOTE: Use the `--verbose` flag to expose further details.\n\n```ShellSession\n$ check_cert --server expired.badssl.com\n5:36AM ERR 
cmd/check_cert/main.go:413 \u003e validation checks failed for certificate chain error=\"summary: 1 of 3 validation checks failed\" age_critical=15 age_warning=30 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=expired.badssl.com version=\"check-cert x.y.z (https://github.com/atc0005/check-cert)\"\nCRITICAL: Expiration validation failed: leaf cert \"*.badssl.com\" expired 2629d 10h ago (on 2015-04-12 23:59:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 1 FAILED (Expiration), 1 SUCCESSFUL (Hostname)]\n\n**VALIDATION ERRORS**\n\n* expiration validation failed: expired certificates found\n\n**VALIDATION CHECKS REPORT**\n\n3 certs retrieved for service running on expired.badssl.com (104.154.89.105) at port 443 using host value \"expired.badssl.com\"\n\n\nPROBLEM RESULTS:\n\n[!!] 
Expiration validation failed: leaf cert \"*.badssl.com\" expired 2629d 10h ago (on 2015-04-12 23:59:59 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=*.badssl.com,OU=Domain Control Validated+OU=PositiveSSL Wildcard\n        SANs entries: [*.badssl.com badssl.com]\n        Issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB\n        Serial: 4A:E7:95:49:FA:9A:BE:3F:10:0F:17:A4:78:E1:69:09\n        Issued On: 2015-04-09 00:00:00 +0000 UTC\n        Expiration: 2015-04-12 23:59:59 +0000 UTC\n        Status: [EXPIRED] 2629d 10h ago\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB\n        SANs entries: []\n        Issuer: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB\n        Serial: 2B:2E:6E:EA:D9:75:36:6C:14:8A:6E:DB:A3:7C:8C:07\n        Issued On: 2014-02-12 00:00:00 +0000 UTC\n        Expiration: 2029-02-11 23:59:59 +0000 UTC\n        Status: [OK] 2424d 13h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB\n        SANs entries: []\n        Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE\n        Serial: 27:66:EE:56:EB:49:F3:8E:AB:D7:70:A2:FC:84:DE:22\n        Issued On: 2000-05-30 10:48:38 +0000 UTC\n        Expiration: 2020-05-30 10:48:38 +0000 UTC\n        Status: [EXPIRED] 754d 23h ago\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 2 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Hostname validation using value \"expired.badssl.com\" successful for leaf certificate\n\n | 'time'=391ms;;;;\n```\n\n#### Explicitly applying validation check results\n\n##### `expiration`\n\nHere we use the 
`--apply-validation-result` flag with the `expiration` keyword\nin order to *explicitly* apply expiration date validation results when\ndetermining the final plugin state.\n\nThis doesn't have much of a direct effect because this validation check result\nis applied by default, but it may be useful as a means of documenting a\nspecific service check command definition's intent.\n\n```console\n$ check_cert --server www.google.com --port 443 --age-critical 30 --age-warning 50 --apply-validation-result expiration\nOK: Expiration validation successful: leaf cert \"www.google.com\" expires next with 63d 20h remaining (until 2022-08-29 09:39:59 +0000 UTC) [checks: 1 IGNORED (SANs List), 0 FAILED, 2 SUCCESSFUL (Hostname, Expiration)]\n\n3 certs retrieved for service running on www.google.com (142.251.15.99) at port 443 using host value \"www.google.com\"\n\n\nPROBLEM RESULTS:\n\n* None\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 1 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"www.google.com\" expires next with 63d 20h remaining (until 2022-08-29 09:39:59 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=www.google.com\n        SANs entries: [www.google.com]\n        Issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        Serial: 9F:07:4B:11:74:5F:16:FC:12:23:75:FA:58:79:93:F0\n        Issued On: 2022-06-06 09:40:00 +0000 UTC\n        Expiration: 2022-08-29 09:39:59 +0000 UTC\n        Status: [OK] 63d 20h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        Serial: 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66\n        Issued On: 2020-08-13 00:00:42 +0000 UTC\n        Expiration: 2027-09-30 00:00:42 +0000 UTC\n        Status: [OK] 1921d 10h remaining\n\nCertificate 3 of 3 
(intermediate):\n        Name: CN=GTS Root R1,O=Google Trust Services LLC,C=US\n        SANs entries: []\n        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE\n        Serial: 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D\n        Issued On: 2020-06-19 00:00:42 +0000 UTC\n        Expiration: 2028-01-28 00:00:42 +0000 UTC\n        Status: [OK] 2041d 10h remaining\n\n[OK] Hostname validation using value \"www.google.com\" successful for leaf certificate\n\n | 'time'=141ms;;;;\n```\n\n##### `hostname`\n\nHere we use the `--apply-validation-result` flag with the `hostname` keyword\nin order to *explicitly* apply hostname verification/validation results when\ndetermining the final plugin state.\n\nThis doesn't have much of a direct effect because this validation check result\nis applied by default, but it may be useful as a means of documenting a\nspecific service check command definition's intent.\n\n```console\n$ check_cert --server wrong.host.badssl.com --port 443 --apply-validation-result hostname\n8:47AM ERR cmd/check_cert/main.go:413 \u003e validation checks failed for certificate chain error=\"summary: 1 of 3 validation checks failed\" age_critical=15 age_warning=30 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=false cert_check_timeout=10s checks_failed=1 checks_ignored=1 checks_successful=1 checks_total=3 expected_sans_entries= filename= logging_level=info port=443 server=wrong.host.badssl.com version=\"check-cert x.y.z (https://github.com/atc0005/check-cert)\"\nCRITICAL: Hostname validation using value \"wrong.host.badssl.com\" failed for leaf certificate [checks: 1 IGNORED (SANs List), 1 FAILED (Hostname), 1 SUCCESSFUL (Expiration)]\n\n**VALIDATION ERRORS**\n\n* hostname verification failed: x509: certificate is valid for *.badssl.com, badssl.com, not wrong.host.badssl.com\n\n**VALIDATION CHECKS REPORT**\n\n3 certs retrieved for service running on 
wrong.host.badssl.com (104.154.89.105) at port 443 using host value \"wrong.host.badssl.com\"\n\n\nPROBLEM RESULTS:\n\n[!!] Hostname validation using value \"wrong.host.badssl.com\" failed for leaf certificate\n\nConsider updating the service check or command definition to specify the website FQDN instead of the host FQDN using the DNS Name or server flags. E.g., use 'www.example.org' instead of 'host7.example.com' in order to allow the remote server to select the correct certificate instead of using the default certificate.\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 2 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining (until 2022-08-15 14:07:55 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=*.badssl.com\n        SANs entries: [*.badssl.com badssl.com]\n        Issuer: CN=R3,O=Let's Encrypt,C=US\n        Serial: 04:B7:56:01:59:46:10:A8:D8:36:17:C8:06:C2:F9:8D:2A:46\n        Issued On: 2022-05-17 14:07:56 +0000 UTC\n        Expiration: 2022-08-15 14:07:55 +0000 UTC\n        Status: [OK] 50d 0h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=R3,O=Let's Encrypt,C=US\n        SANs entries: []\n        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        Serial: 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A\n        Issued On: 2020-09-04 00:00:00 +0000 UTC\n        Expiration: 2025-09-15 16:00:00 +0000 UTC\n        Status: [OK] 1177d 2h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        SANs entries: []\n        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.\n        Serial: 40:01:77:21:37:D4:E9:42:B8:EE:76:AA:3C:64:0A:B7\n        Issued On: 2021-01-20 19:14:03 +0000 UTC\n        Expiration: 2024-09-30 18:14:03 +0000 UTC\n        Status: [OK] 827d 4h 
remaining\n\n | 'time'=541ms;;;;\n```\n\nIf you wish to connect using a server's FQDN value that isn't associated with\nthe certificate (e.g., testing a backend system with a unique FQDN), but wish\nto use a specific DNS Name (aka, virtual host name) you can use the `dns-name`\nflag to specify a valid hostname value for the leaf certificate.\n\n```console\n$ check_cert --server wrong.host.badssl.com --dns-name badssl.com --port 443\nOK: Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining (until 2022-08-15 14:07:55 +0000 UTC) [checks: 1 IGNORED (SANs List), 0 FAILED, 2 SUCCESSFUL (Hostname, Expiration)]\n\n3 certs retrieved for service running on wrong.host.badssl.com (104.154.89.105) at port 443 using host value \"badssl.com\"\n\n\nPROBLEM RESULTS:\n\n* None\n\n\nIGNORED RESULTS:\n\n[--] SANs List validation ignored: 0 SANs entries specified, 2 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining (until 2022-08-15 14:07:55 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=*.badssl.com\n        SANs entries: [*.badssl.com badssl.com]\n        Issuer: CN=R3,O=Let's Encrypt,C=US\n        Serial: 04:B7:56:01:59:46:10:A8:D8:36:17:C8:06:C2:F9:8D:2A:46\n        Issued On: 2022-05-17 14:07:56 +0000 UTC\n        Expiration: 2022-08-15 14:07:55 +0000 UTC\n        Status: [OK] 50d 0h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=R3,O=Let's Encrypt,C=US\n        SANs entries: []\n        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        Serial: 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A\n        Issued On: 2020-09-04 00:00:00 +0000 UTC\n        Expiration: 2025-09-15 16:00:00 +0000 UTC\n        Status: [OK] 1177d 2h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        
SANs entries: []\n        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.\n        Serial: 40:01:77:21:37:D4:E9:42:B8:EE:76:AA:3C:64:0A:B7\n        Issued On: 2021-01-20 19:14:03 +0000 UTC\n        Expiration: 2024-09-30 18:14:03 +0000 UTC\n        Status: [OK] 827d 4h remaining\n\n[OK] Hostname validation using value \"badssl.com\" successful for leaf certificate\n```\n\n##### `sans`\n\nHere we use the `--apply-validation-result` flag with the `sans` keyword\nin order to *explicitly* apply hostname verification/validation results when\ndetermining the final plugin state.\n\nIf you do not specify a list of SANs entries to validate, configuration\nvalidation will cause the plugin to abort:\n\n```console\n$ check_cert --server wrong.host.badssl.com --dns-name badssl.com --port 443 --apply-validation-result sans\n8:53AM ERR cmd/check_cert/main.go:59 \u003e Error initializing application error=\"configuration validation failed: unsupported setting for certificate SANs list validation; providing SANs entries via the \\\"sans-entries\\\" flag is required when specifying the \\\"sans\\\" keyword via the \\\"apply-validation-result\\\" flag\"\nCRITICAL: Error initializing application\n\n**VALIDATION ERRORS**\n\n* configuration validation failed: unsupported setting for certificate SANs list validation; providing SANs entries via the \"sans-entries\" flag is required when specifying the \"sans\" keyword via the \"apply-validation-result\" flag\n```\n\nIf providing a list of SANs entries to validate, this doesn't have much of a\ndirect effect because this validation check result is applied by default, but\nit may be useful as a means of documenting a specific service check command\ndefinition's intent.\n\n```console\n$ check_cert --server wrong.host.badssl.com --dns-name badssl.com --port 443 --apply-validation-result sans --sans-entries \"*.badssl.com, badssl.com\"\nOK: Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining 
(until 2022-08-15 14:07:55 +0000 UTC) [checks: 0 IGNORED, 0 FAILED, 3 SUCCESSFUL (Expiration, Hostname, SANs List)]\n\n3 certs retrieved for service running on wrong.host.badssl.com (104.154.89.105) at port 443 using host value \"badssl.com\"\n\n\nPROBLEM RESULTS:\n\n* None\n\n\nIGNORED RESULTS:\n\n* None\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining (until 2022-08-15 14:07:55 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=*.badssl.com\n        SANs entries: [*.badssl.com badssl.com]\n        Issuer: CN=R3,O=Let's Encrypt,C=US\n        Serial: 04:B7:56:01:59:46:10:A8:D8:36:17:C8:06:C2:F9:8D:2A:46\n        Issued On: 2022-05-17 14:07:56 +0000 UTC\n        Expiration: 2022-08-15 14:07:55 +0000 UTC\n        Status: [OK] 50d 0h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=R3,O=Let's Encrypt,C=US\n        SANs entries: []\n        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        Serial: 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A\n        Issued On: 2020-09-04 00:00:00 +0000 UTC\n        Expiration: 2025-09-15 16:00:00 +0000 UTC\n        Status: [OK] 1177d 2h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        SANs entries: []\n        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.\n        Serial: 40:01:77:21:37:D4:E9:42:B8:EE:76:AA:3C:64:0A:B7\n        Issued On: 2021-01-20 19:14:03 +0000 UTC\n        Expiration: 2024-09-30 18:14:03 +0000 UTC\n        Status: [OK] 827d 4h remaining\n\n[OK] Hostname validation using value \"badssl.com\" successful for leaf certificate\n\n[OK] SANs List validation successful: expected and confirmed (2) SANs entries present for leaf certificate [2 EXPECTED, 0 MISSING, 0 UNEXPECTED]\n\n | 'time'=384ms;;;;\n```\n\nIf for example you fail to provide a SANs entry, the plugin will flag this as\na problem and reflect this 
in the final plugin state:\n\n```console\n$ check_cert --server wrong.host.badssl.com --dns-name badssl.com --port 443 --apply-validation-result sans --sans-entries \"badssl.com\"\n8:56AM ERR cmd/check_cert/main.go:413 \u003e validation checks failed for certificate chain error=\"summary: 1 of 3 validation checks failed\" age_critical=15 age_warning=30 app_type=plugin apply_expiration_validation_results=true apply_hostname_validation_results=true apply_sans_list_validation_results=true cert_check_timeout=10s checks_failed=1 checks_ignored=0 checks_successful=2 checks_total=3 expected_sans_entries=badssl.com filename= logging_level=info port=443 server=wrong.host.badssl.com version=\"check-cert x.y.z (https://github.com/atc0005/check-cert)\"\nCRITICAL: SANs List validation failed: \"leaf\" certificate has unexpected SANs entries [checks: 0 IGNORED, 1 FAILED (SANs List), 2 SUCCESSFUL (Hostname, Expiration)]\n\n**VALIDATION ERRORS**\n\n* certificate has unexpected SANs entries\n\n**VALIDATION CHECKS REPORT**\n\n3 certs retrieved for service running on wrong.host.badssl.com (104.154.89.105) at port 443 using host value \"badssl.com\"\n\n\nPROBLEM RESULTS:\n\n[!!] 
SANs List validation failed: \"leaf\" certificate has unexpected SANs entries [1 EXPECTED, 0 MISSING, 1 UNEXPECTED]; missing: [N/A], unexpected: [*.badssl.com]\n\n\nIGNORED RESULTS:\n\n* None\n\n\nSUCCESS RESULTS:\n\n[OK] Expiration validation successful: leaf cert \"*.badssl.com\" expires next with 50d 0h remaining (until 2022-08-15 14:07:55 +0000 UTC)\n\nCertificate 1 of 3 (leaf):\n        Name: CN=*.badssl.com\n        SANs entries: [*.badssl.com badssl.com]\n        Issuer: CN=R3,O=Let's Encrypt,C=US\n        Serial: 04:B7:56:01:59:46:10:A8:D8:36:17:C8:06:C2:F9:8D:2A:46\n        Issued On: 2022-05-17 14:07:56 +0000 UTC\n        Expiration: 2022-08-15 14:07:55 +0000 UTC\n        Status: [OK] 50d 0h remaining\n\nCertificate 2 of 3 (intermediate):\n        Name: CN=R3,O=Let's Encrypt,C=US\n        SANs entries: []\n        Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        Serial: 91:2B:08:4A:CF:0C:18:A7:53:F6:D6:2E:25:A7:5F:5A\n        Issued On: 2020-09-04 00:00:00 +0000 UTC\n        Expiration: 2025-09-15 16:00:00 +0000 UTC\n        Status: [OK] 1177d 2h remaining\n\nCertificate 3 of 3 (intermediate):\n        Name: CN=ISRG Root X1,O=Internet Security Research Group,C=US\n        SANs entries: []\n        Issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.\n        Serial: 40:01:77:21:37:D4:E9:42:B8:EE:76:AA:3C:64:0A:B7\n        Issued On: 2021-01-20 19:14:03 +0000 UTC\n        Expiration: 2024-09-30 18:14:03 +0000 UTC\n        Status: [OK] 827d 4h remaining\n\n[OK] Hostname validation using value \"badssl.com\" successful for leaf certificate\n```\n\n#### Explicitly ignoring validation check results\n\n##### `expiration`\n\nHere we use the `--ignore-validation-result` flag with the `expiration`\nkeyword in order to *explicitly* ignore expiration date validation results\nwhen determining the final plugin state.\n\nThis could be useful for setting up a service check that focuses exclusively\non another validation criterion such as 
hostname or SANs list entries; instead\nof having a comprehensive \"check everything\" certificate check, this could\nallow a sysadmin to check criteria separately.\n\n```console\n$ check_cert --server expired.badssl.com --port 443 --ignore-validation-result expiration\nOK: Hostname validation using value \"expired.badssl.com\" successful for leaf certificate [checks: 2 IGNORED (SANs List, Expiration), 0 FAILED, 1 SUCCESSFUL (Hostname)]\n\n3 certs retrieve","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatc0005%2Fcheck-cert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fatc0005%2Fcheck-cert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fatc0005%2Fcheck-cert/lists"}