{"id":13815669,"url":"https://github.com/matteocorti/check_ssl_cert","last_synced_at":"2026-05-01T13:02:27.731Z","repository":{"id":1994937,"uuid":"44599737","full_name":"matteocorti/check_ssl_cert","owner":"matteocorti","description":"A shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection.","archived":false,"fork":false,"pushed_at":"2026-04-28T15:17:38.000Z","size":5842,"stargazers_count":412,"open_issues_count":12,"forks_count":137,"subscribers_count":21,"default_branch":"master","last_synced_at":"2026-04-28T16:33:18.387Z","etag":null,"topics":["certificate","icinga-plugin","icinga2-plugin","icinga2-plugins","nagios-plugin","nagios-plugins","openssl","shell-script","ssl","tls"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/matteocorti.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"COPYING.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT.md","agents":null,"dco":null,"cla":null},"funding":{"github":"matteocorti","liberapay":"matteocorti"}},"created_at":"2015-10-20T10:44:16.000Z","updated_at":"2026-04-28T15:09:32.000Z","dependencies_parsed_at":"2023-10-02T13:23:20.729Z","dependency_job_id":"f983da01-0393-4c34-ba7b-b614a7700ab4","html_url":"https://github.com/matteocorti/check_ssl_cert","commit_stats":{"total_commits":1807,"total_committers":83,"mean_commits":"21.771084337349397","dds":"0.20752628666297734","last_synced_commit":"be99cd0561ed1a5323ee6e80795
2de99cba1fbd8"},"previous_names":[],"tags_count":262,"template":false,"template_full_name":null,"purl":"pkg:github/matteocorti/check_ssl_cert","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matteocorti%2Fcheck_ssl_cert","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matteocorti%2Fcheck_ssl_cert/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matteocorti%2Fcheck_ssl_cert/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matteocorti%2Fcheck_ssl_cert/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/matteocorti","download_url":"https://codeload.github.com/matteocorti/check_ssl_cert/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/matteocorti%2Fcheck_ssl_cert/sbom","scorecard":{"id":384852,"data":{"date":"2025-08-11","repo":{"name":"github.com/matteocorti/check_ssl_cert","commit":"d8fb884ee8f8762c65cca15447cd4b6060e2d273"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.3,"checks":[{"name":"Security-Policy","score":9,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Warn: One or no descriptive hints of disclosure, vulnerability, and/or timelines in security policy","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Code-Review","score":0,"reason":"Found 0/30 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Maintained","score":8,"reason":"9 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 8","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive 
permissions","details":["Warn: no topLevel permission defined: .github/workflows/codespell.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration_tests.yml:26","Info: topLevel 'contents' permission set to 'read': .github/workflows/integration_tests_with_proxy.yml:26","Info: topLevel 'contents' permission set to 'read': .github/workflows/publish.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/unit_tests.yml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/unit_tests_with_proxy.yml:20","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: COPYING.md:0","Info: FSF or OSI recognized license: GNU General Public License v3.0: COPYING.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations 
found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v2.94.0 not signed: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/236106053","Warn: release artifact v2.93.0 not signed: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/221220425","Warn: release artifact v2.92.0 not signed: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/211063923","Warn: release artifact v2.91.0 not signed: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/210422526","Warn: release artifact v2.90.0 not signed: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/210399486","Warn: release artifact v2.94.0 does not have provenance: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/236106053","Warn: release artifact v2.93.0 does not have provenance: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/221220425","Warn: release artifact v2.92.0 does not have provenance: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/211063923","Warn: release artifact v2.91.0 does not have provenance: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/210422526","Warn: release artifact v2.90.0 does not have provenance: https://api.github.com/repos/matteocorti/check_ssl_cert/releases/210399486"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 
'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/codespell.yml:16: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/codespell.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/codespell.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/codespell.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/integration_tests.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/integration_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests.yml:128: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/integration_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/integration_tests_with_proxy.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/integration_tests_with_proxy.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/integration_tests_with_proxy.yml:52: update your workflow using 
https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/integration_tests_with_proxy.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/publish.yml:32: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/publish.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit_tests.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests.yml:122: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests.yml:167: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests.yml:206: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests_with_proxy.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests_with_proxy.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/unit_tests_with_proxy.yml:46: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests_with_proxy.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/unit_tests_with_proxy.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests_with_proxy.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/unit_tests_with_proxy.yml:120: update your workflow using https://app.stepsecurity.io/secureworkflow/matteocorti/check_ssl_cert/unit_tests_with_proxy.yml/master?enable=pin","Warn: downloadThenRun not pinned by hash: .github/workflows/integration_tests.yml:137","Warn: downloadThenRun not pinned by hash: .github/workflows/unit_tests.yml:131","Info:   0 out of  12 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   5 third-party GitHubAction dependencies pinned","Info:   0 out of   2 downloadThenRun dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}}]},"last_synced_at":"2025-08-18T16:21:39.709Z","repository_id":1994937,"created_at":"2025-08-18T16:21:39.709Z","updated_at":"2025-08-18T16:21:39.709Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32497815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/owners"}},"keywords":["certificate","icinga-plugin","icinga2-plugin","icinga2-plugins","nagios-plugin","nagios-plugins","openssl","shell-script","ssl","tls"],"created_at":"2024-08-04T04:03:51.057Z","updated_at":"2026-05-01T13:02:27.724Z","avatar_url":"https://github.com/matteocorti.png","language":"Shell","funding_links":["https://github.com/sponsors/matteocorti","https://liberapay.com/matteocorti"],"categories":["Shell","Nagios Monitoring"],"sub_categories":["Nagios Monitoring Plugins"],"readme":"# check\\_ssl\\_cert\n\n \u0026copy; Matteo Corti, ETH Zurich, 2007-2012.\n \u0026copy; Matteo Corti, 2007-2026.\n\n see [AUTHORS.md](AUTHORS.md) for the complete list of contributors\n\n![](https://img.shields.io/github/v/release/matteocorti/check_ssl_cert)\u0026nbsp;![](https://img.shields.io/github/downloads/matteocorti/check_ssl_cert/latest/total)\u0026nbsp;![](https://img.shields.io/github/downloads/matteocorti/check_ssl_cert/total)\u0026nbsp;![](https://img.shields.io/github/license/matteocorti/check_ssl_cert)\u0026nbsp;![](https://img.shields.io/github/stars/matteocorti/check_ssl_cert)\u0026nbsp;![](https://img.shields.io/github/forks/matteocorti/check_ssl_cert)\n\n\nA POSIX shell script (that can be used as a Nagios/Icinga plugin) to check an SSL/TLS connection and certificate\n\n## Usage\n\n```text\nUsage: check_ssl_cert -H host [OPTIONS]\n       check_ssl_cert -f file [OPTIONS]\n\nArguments:\n   -f,--file file                  Local file path or URI.\n                                   With -f you can not only pass a x509\n                                   certificate file but also a certificate\n                                   revocation list (CRL) to check the\n                                   validity period or a Java KeyStore file\n   -H,--host host                  Server\n\nOptions:\n   -A,--noauth                     Ignore authority warnings (expiration\n                                   only)\n      --all                        Enable all 
the possible optional checks\n                                   at the maximum level\n      --all-local                  Enable all the possible optional checks\n                                   at the maximum level (without SSL-Labs)\n      --allow-empty-san            Allow certificates without Subject\n                                   Alternative Names (SANs)\n      --assume-online              Do not check if the port is open\n   -C,--clientcert path            Use client certificate to authenticate\n   -c,--critical days              Minimum number of days a certificate has\n                                   to be valid to issue a critical status.\n                                   Can be a floating point number, e.g., 0.5\n                                   Default: 15\n      --check-chain                The certificate chain cannot contain\n                                   double or root certificates\n      --check-ciphers grade        Check the offered ciphers\n      --check-ciphers-warnings     Critical if nmap reports a warning for an\n                                   offered cipher\n      --check-http-headers         Check the HTTP headers for best practices\n      --check-ssl-labs-warn grade  SSL Labs grade on which to warn\n      --clientpass phrase          Set passphrase for client certificate.\n      --configuration file         Read options from the specified file\n      --curl-bin path              Path of the curl binary to be used\n      --custom-http-header string  Custom HTTP header sent when getting the\n                                   cert example: 'X-Check-Ssl-Cert: Foobar=1'\n      --default-format             Print the default output format and exit\n      --dane                       Verify that valid DANE records exist\n                                   (since OpenSSL 1.1.0)\n      --dane 211                   Verify that a valid DANE-TA(2) SPKI(1)\n                                   SHA2-256(1) TLSA record exists\n      
--dane 301                   Verify that a valid DANE-EE(3) Cert(0)\n                                   SHA2-256(1) TLSA record exists\n      --dane 302                   Verify that a valid DANE-EE(3) Cert(0)\n                                   SHA2-512(2) TLSA record exists\n      --dane 311                   Verify that a valid DANE-EE(3) SPKI(1)\n                                   SHA2-256(1) TLSA record exists\n      --dane 312                   Verify that a valid DANE-EE(3)\n                                   SPKI(1) SHA2-512(1) TLSA record exists\n      --date path                  Path of the date binary to be used\n   -d,--debug                      Produce debugging output (can be\n                                   specified more than once)\n      --debug-cert                 Store the retrieved certificates in the\n                                   current directory\n      --debug-headers              Store the retrieved HTLM headers in the\n                                   headers.txt file\n      --debug-file file            Write the debug messages to file\n      --debug-time                 Write timing information in the\n                                   debugging output\n      --dig-bin path               Path of the dig binary to be used\n      --do-not-resolve             Do not check if the host can be resolved\n      --dtls                       Use the DTLS protocol\n      --dtls1                      Use the DTLS protocol 1.0\n      --dtls1_2                    Use the DTLS protocol 1.2\n   -e,--email address              Pattern (extended regular expression) to\n                                   match the email address contained in the\n                                   certificate. 
You can specify different\n                                   addresses separated by a pipe\n                                   (e.g., 'addr1|addr2')\n      --ecdsa                      Signature algorithm selection: force ECDSA\n                                   certificate\n      --element number             Check up to the N cert element from the\n                                   beginning of the chain\n      --file-bin path              Path of the file binary to be used\n      --fingerprint hash           Pattern to match the fingerprint\n      --fingerprint-alg algorithm  Algorithm for fingerprint. Default sha1\n      --first-element-only         Verify just the first cert element, not\n                                   the whole chain\n      --force-dconv-date           Force the usage of dconv for date\n                                   computations\n      --force-perl-date            Force the usage of Perl for date\n                                   computations\n      --format FORMAT              Format output template on success, for\n                                   example: '%SHORTNAME% OK %CN% from\n                                   %CA_ISSUER_MATCHED%'\n                                   list of possible variables:\n                                   - %CA_ISSUER_MATCHED%\n                                   - %CHECKEDNAMES%\n                                   - %CN%\n                                   - %DATE%\n                                   - %DAYS_VALID%\n                                   - %DYSPLAY_CN%\n                                   - %HOST%\n                                   - %OCSP_EXPIRES_IN_HOURS%\n                                   - %OPENSSL_COMMAND%\n                                   - %PORT%\n                                   - %SELFSIGNEDCERT%\n                                   - %SHORTNAME%\n                                   - %SIGALGO%\n                                   - %SSL_LABS_HOST_GRADE%\n                 
                  See --default-format for the default\n      --grep-bin path              Path of the grep binary to be used\n   -h,--help,-?                    This help message\n      --http-headers-path path     The path to be used to fetch HTTP headers\n      --http-use-get               Use GET instead of HEAD (default) for the\n                                   HTTP related checks\n   -i,--issuer issuer              Pattern (extended regular expression) to\n                                   match the issuer of the certificate\n                                   You can specify different issuers\n                                   separated by a pipe\n                                   (e.g., 'issuer1|issuer2')\n      --ignore-altnames            Ignore alternative names when matching\n                                   pattern specified in -n (or the host name)\n      --ignore-connection-problems [state] In case of connection problems\n                                   returns OK or the optional state\n      --ignore-crl                 Ignore CRLs\n      --ignore-dh                  Ignore too small DH keys\n      --ignore-exp                 Ignore expiration date\n      --ignore-http-headers        Ignore checks on HTTP headers with --all\n                                   and --all-local\n      --ignore-host-cn             Do not complain if the CN does not match\n                                   the host name\n      --ignore-incomplete-chain    Do not check chain integrity\n      --ignore-maximum-validity    Ignore the certificate maximum validity\n      --ignore-ocsp                Do not check revocation with OCSP\n      --ignore-ocsp-errors         Continue if the OCSP status cannot be\n                                   checked\n      --ignore-ocsp-timeout        Ignore OCSP result when timeout occurs\n                                   while checking\n      --ignore-sct                 Do not check for signed certificate\n                     
              timestamps (SCT)\n      --ignore-sig-alg             Do not check if the certificate was signed\n                                   with SHA1 or MD5\n      --ignore-ssl-labs-cache      Force a new check by SSL Labs (see -L)\n      --ignore-ssl-labs-errors     Ignore errors if SSL Labs is not\n                                   accessible or times out\n      --ignore-tls-renegotiation   Ignore the TLS renegotiation check\n      --ignore-unexpected-eof      Ignore unclean TLS shutdowns\n      --inetproto protocol         Force IP version 4 or 6\n      --info                       Print certificate information\n      --init-host-cache            Initialize the host cache\n      --issuer-cert-cache dir      Directory where to store issuer\n                                   certificates cache\n      --jks-alias alias            Alias name of the Java KeyStore entry\n                                   (requires --file)\n   -K,--clientkey path             Use client certificate key to authenticate\n   -L,--check-ssl-labs grade       SSL Labs assessment (please check\n                                   https://www.ssllabs.com/about/terms.html)\n      --long-output list           Append the specified comma separated (no\n                                   spaces) list of attributes to the plugin\n                                   output on additional lines\n                                   Valid attributes are:\n                                     enddate, startdate, subject, issuer,\n                                     modulus, serial, hash, email, ocsp_uri\n                                     and fingerprint.\n                                   'all' will include all the available\n                                   attributes.\n   -m,--match                      Pattern to match the CN or AltName\n                                   (can be specified multiple times)\n      --maximum-validity [days]    The maximum validity of the certificate\n          
                         must not exceed 'days' (default 397)\n                                   This check is automatic for HTTPS\n      --nmap-bin path              Path of the nmap binary to be used\n      --nmap-with-proxy            Allow nmap to be used with a proxy\n      --no-perf                    Do not show performance data\n      --no-proxy                   Ignore the http_proxy and https_proxy\n                                   environment variables\n      --no-proxy-curl              Ignore the http_proxy and https_proxy\n                                   environment variables for curl\n      --no-proxy-s_client          Ignore the http_proxy and https_proxy\n                                   environment variables for openssl s_client\n      --no-ssl2                    Disable SSL version 2\n      --no-ssl3                    Disable SSL version 3\n      --no-tls1                    Disable TLS version 1\n      --no-tls1_1                  Disable TLS version 1.1\n      --no-tls1_2                  Disable TLS version 1.2\n      --no-tls1_3                  Disable TLS version 1.3\n      --not-issued-by issuer       Check that the issuer of the certificate\n                                   does not match the given pattern\n      --not-valid-longer-than days Critical if the certificate validity is\n                                   longer than the specified period\n   -o,--org org                    Pattern to match the organization of the\n                                   certificate\n      --ocsp-critical hours        Minimum number of hours an OCSP response\n                                   has to be valid to issue a critical status\n      --ocsp-warning hours         Minimum number of hours an OCSP response\n                                   has to be valid to issue a warning status\n      --openssl path               Path of the openssl binary to be used\n      --path path                  Set the PATH variable to 'path'\n   
-p,--port port                  TCP port number (default 443)\n      --precision digits           Number of decimal places for durations:\n                                   defaults to 0 if critical or warning are\n                                   integers, 2 otherwise\n   -P,--protocol protocol          Use the specific protocol:\n                                   dns, ftp, ftps, http, https (default),\n                                   h2 (HTTP/2), h3 (HTTP/3), imap, imaps,\n                                   irc, ircs, ldap, ldaps, mqtts, mysql,\n                                   pop3, pop3s, postgres, sieve, sips, smtp,\n                                   smtps, tds, xmpp, xmpp-server.\n                                   ftp, imap, irc, ldap, pop3, postgres,\n                                   sieve, smtp: switch to TLS using StartTLS\n      --password source            Password source for a local certificate,\n                                   see the PASS PHRASE ARGUMENTS section\n                                   openssl(1)\n      --prometheus                 Generate Prometheus/OpenMetrics output\n      --proxy proxy                Set http_proxy and the s_client -proxy\n                                   option\n      --python-bin path            Path of the python binary to be used\n      --quic                       Use QUIC\n   -q,--quiet                      Do not produce any output\n   -r,--rootcert path              Root certificate or directory to be used\n                                   for certificate validation\n      --require-client-cert [list] The server must accept a client\n                                   certificate. 
'list' is an optional comma\n                                   separated list of expected client\n                                   certificate CAs\n      --require-dnssec             Require DNSSEC\n      --require-http-header header Require the specified HTTP header\n                                    (e.g., strict-transport-security)\n      --require-no-http-header header Require the absence of the specified\n                                   HTTP header (e.g., X-Powered-By)\n      --require-no-ssl2            Critical if SSL version 2 is offered\n      --require-no-ssl3            Critical if SSL version 3 is offered\n      --require-no-tls1            Critical if TLS 1 is offered\n      --require-no-tls1_1          Critical if TLS 1.1 is offered\n      --require-no-tls1_2          Critical if TLS 1.2 is offered\n      --require-ocsp-stapling      Require OCSP stapling\n      --require-purpose usage      Require the specified key usage (can be\n                                   specified more then once)\n      --require-purpose-critical   The key usage must be critical\n      --resolve-over-http [server] Resolve the host over HTTP using Google or\n                                   the specified server\n      --resolve ip                 Provide a custom IP address for the\n                                   specified host\n      --rootcert-dir path          Root directory to be used for certificate\n                                   validation\n      --rootcert-file path         Root certificate to be used for\n                                   certificate validation\n      --rsa                        Signature algorithm selection: force RSA\n                                   certificate\n      --security-level number      Set the security level to specified value\n                                   See SSL_CTX_set_security_level(3) for a\n                                   description of what each level means\n   -s,--selfsigned                 Allow 
self-signed certificates\n      --serial serialnum           Pattern to match the serial number\n      --skip-element number        Skip checks on the Nth cert element (can\n                                   be specified multiple times)\n      --sni name                   Set the TLS SNI (Server Name Indication)\n                                   extension in the ClientHello message to\n                                   'name'\n      --ssl2                       Force SSL version 2\n      --ssl3                       Force SSL version 3\n   -t,--timeout seconds            Timeout after the specified time\n                                   (defaults to 120 seconds)\n      --temp dir                   Directory where to store the temporary\n                                   files\n      --terse                      Terse output\n      --tls1                       Force TLS version 1\n      --tls1_1                     Force TLS version 1.1\n      --tls1_2                     Force TLS version 1.2\n      --tls1_3                     Force TLS version 1.3\n   -u,--url URL                    HTTP request URL\n      --user-agent string          User agent that shall be used for HTTPS\n                                   connections\n   -v,--verbose                    Verbose output (can be specified more than\n                                   once)\n   -V,--version                    Version\n   -w,--warning days               Minimum number of days a certificate has\n                                   to be valid to issue a warning status.\n                                   Can be a floating point number, e.g., 0.5\n                                   Default: 20\n      --xmpphost name              Specify the host for the 'to' attribute\n                                   of the stream element\n   -4                              Force IPv4\n   -6                              Force IPv6\n\nDeprecated options:\n      --altnames                   Match the pattern 
specified in -n with\n                                   alternate names too (enabled by default)\n   -n,--cn name                    Pattern to match the CN or AltName\n                                   (can be specified multiple times)\n      --crl                        Check revocation via CRL (enabled by\n                                   default)\n      --curl-user-agent string     User agent that curl shall use to obtain\n                                   the issuer cert\n      --days days                  Minimum number of days a certificate has\n                                   to be valid\n                                   (see --critical and --warning)\n   -N,--host-cn                    Match CN with the host name\n                                   (enabled by default)\n      --no_ssl2                    Disable SSLv2 (deprecated use --no-ssl2)\n      --no_ssl3                    Disable SSLv3 (deprecated use --no-ssl3)\n      --no_tls1                    Disable TLSv1 (deprecated use --no-tls1)\n      --no_tls1_1                  Disable TLSv1.1 (deprecated use\n                                   --no-tls1_1)\n      --no_tls1_2                  Disable TLSv1.1 (deprecated use\n                                   --no-tls1_2)\n      --no_tls1_3                  Disable TLSv1.1 (deprecated use\n                                   --no-tls1_3)\n      --ocsp                       Check revocation via OCSP (enabled by\n                                   default)\n      --require-hsts               Require HTTP Strict Transport Security\n                                   (deprecated use --require-security-header\n                                   strict-transport-security)\n      --require-san                Require the presence of a Subject\n                                   Alternative Name\n                                   extension\n      --require-security-header header require the specified HTTP\n                                   security 
header (e.g., X-Frame-Options)\n                                   (deprecated use --require-http-header)\n      --require-security-headers   Require all the HTTP security headers:\n                                     Content-Security-Policy\n                                     Permissions-Policy\n                                     Referrer-Policy\n                                     strict-transport-security\n                                     X-Content-Type-Options\n                                     X-Frame-Options\n      --require-security-headers-path path the path to be used to fetch HTTP\n                                   security headers\n      --require-x-frame-options [path] Require the presence of the\n                                   X-Frame-Options HTTP header\n                                   'path' is the optional path to be used\n                                   in the URL to check for the header\n                                   (deprecated use --require-security-header\n                                   X-Frame-Options and\n                                   --require-security-headers-path path)\n   -S,--ssl version                Force SSL version (2,3)\n                                   (see: --ssl2 or --ssl3)\n\nReport bugs to https://github.com/matteocorti/check_ssl_cert/issues\n```\n\n## Configuration\n\nCommand line options can be specified in a configuration file (```${HOME}/.check_ssl_certrc```). For example\n\n```text\n$ cat ${HOME}/.check_ssl_certrc\n--verbose\n--critical 20\n--warning 40\n```\n\nOptions specified in the configuration file are read before processing the arguments and can be overridden.\n\n## Expect \u0026 timeout\n\ncheck\\_ssl\\_cert requires [```expect```](http://en.wikipedia.org/wiki/Expect) or [```timeout```](https://man7.org/linux/man-pages/man1/timeout.1.html) to enable timeouts. 
If ```expect``` or ```timeout``` are not present on your system, timeouts will be disabled.\n\n## Virtual servers\n\ncheck\\_ssl\\_cert supports the servername TLS extension in ```ClientHello```\nif the installed OpenSSL version provides it. This is needed if you\nare checking a server with virtual hosts.\n\n## SSL Labs\n\nIf `-L` or `--check-ssl-labs` are specified, the plugin will check the\ncached status using the [SSL Labs Assessment API](https://www.ssllabs.com/about/terms.html).\n\nThe plugin will ask for a cached result (maximum age 1 day) to avoid\ntoo many checks. The first time you issue the check you could therefore\nget an outdated result.\n\n## Root Certificate\n\nThe root certificate corresponding to the checked certificate must be\navailable to OpenSSL or must be specified with the `-r cabundle` or\n`--rootcert cabundle` option, where ```cabundle``` is either a file for `-CAfile`\nor a directory for `-CApath`.\n\nOn macOS the root certificate bundle is stored in the Keychain and\nOpenSSL will complain with:\n\n```text\nverification error: unable to get local issuer certificate\n```\n\nThe bundle can be extracted with:\n\n```text\n$ sudo security find-certificate -a \\\n  -p /System/Library/Keychains/SystemRootCertificates.keychain \u003e cabundle.crt\n```\n\nand then submitted to `check_ssl_cert` with the `-r,--rootcert path` option\n\n```text\n ./check_ssl_cert -H www.google.com -r ./cabundle.crt\n```\n\n## Quoting in Nagios\n\nAn asterisk ```*``` is automatically escaped by Nagios. If you need to specify an option (e.g., ```--cn```) with an argument containing an asterisk, you need to enclose it in double quotes (e.g., ```''*.github.com''```)\n\n## bash completion and caching\n\nOnce the host name cache (```${HOME}/.check_ssl_cert-cache```) is initialized (with the ```--init-host-cache``` option), every specified host is cached.\n\nThe host name cache is a plain text file which contains a host name per line. 
Each time a new host is specified, it is automatically added to the cache. The file can be edited with a text editor (to delete or edit entries).\n\nWhen using bash completion with the ```--host``` command line option the cache is then read and used as a suggestion.\n\n## Development\n\n### Testing\n\nTo run the test suite you will need [shUnit2](https://github.com/kward/shunit2)\n\n* Manual install: [github](https://github.com/kward/shunit2)\n* macOS with [Homebrew](https://brew.sh): ```brew install shunit2```\n* Debian, Ubuntu: ```apt-get install shunit2```\n* Fedora: ```dnf install shunit2```\n\nRun ```make test``` to execute the whole test suite.\n\nTo enable debugging output for the tests set the ```TEST_DEBUG``` environment variable to ```--debug```:\n\n```text\nexport TEST_DEBUG=--debug\nmake test\n```\n\nWith ```make disttest``` you can check the formatting of the files (e.g. tabs and blanks at the end of the lines) and run ShellCheck to lint the scripts.\n\nWith ```make codespell``` you can perform a spell check on the code and documentation.\n\nTo run a single test:\n\n* set the ```SHUNIT2``` environment variable to the location of the shUnit2 binary\n* change the directory to the test suite: ```cd test```\n* execute the test suite with the tests to be run as arguments after ```--```. 
For example ```./unit_tests.sh -- testName```\n\n## Documentation\n\nThe majority of the documentation files are written using the [GitHub Flavored Markdown](https://github.github.com/gfm/) language.\n\n## Supporters\n\nWe are very grateful to our amazing supporters and sponsors!\n\n* [Łukasz Wąsikowski](https://github.com/IdahoPL)\n* [Claus-Theodor Riegg](https://github.com/crigertg)\n* [wols](https://github.com/wols)\n* [Netzkommune](https://github.com/netzkommune)\n* [Nicolas Wimmer](https://github.com/naiz0)\n\nIf you'd like to support this script, please visit [our sponsorship page](https://github.com/sponsors/matteocorti) on GitHub.\n\n## Bugs\n\nReport bugs to [https://github.com/matteocorti/check_ssl_cert/issues](https://github.com/matteocorti/check_ssl_cert/issues)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatteocorti%2Fcheck_ssl_cert","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmatteocorti%2Fcheck_ssl_cert","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmatteocorti%2Fcheck_ssl_cert/lists"}