
Certificate

updated v2.3, 2022/01

Certificate checks the validity of SSL/TLS certificates. It opens a socket to hostname:port and retrieves certificate information for the certificate name, if one is provided.

It computes the number of days left before the certificate expires and sets a severity value accordingly.

It sends certificate information to the metrology server (days left, issuer, subject, severity).

It has a timeout of 3 seconds in case of no response from the remote host.

Configure

certificate:

    cert_mysite:
        hostname: mysite.com   # remote/network target
        port: 2718             # remote port, defaults to 443 if not specified
        name: mysite.com       # cert name to look for; defaults to hostname if none
        warning_in: 7          # DEFAULT 7 days
        notice_in:  30         # DEFAULT 30 days
        severity_max: error    # if expired, max severity to raise


    cert_short:
        hostname: www.google.com   # shortest config to check cert at https://www.google.com/

Alerts

If the delay is very short, SEVERITY is set to WARNING; the default is 7 days.

If the delay is a little longer but still short, SEVERITY is set to NOTICE; the default is 30 days.

If the certificate is not valid, SEVERITY is set to CRITICAL (to be filtered with the severity_max configuration).
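The threshold logic above, sketched in Python as an added example (this is not CMT's own code). The function names, the severity ordering, the inclusive comparisons and the use of `severity_max` as a general cap are assumptions; `warning_in`, `notice_in`, `severity_max` and the 3-second timeout come from this page.

```python
import socket
import ssl
import time

# Assumed ordering, lowest to highest (not taken from the CMT source).
SEVERITIES = ["OK", "NOTICE", "WARNING", "ERROR", "CRITICAL"]


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter, e.g. 'Mar 07 00:00:00 2022 GMT'."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def severity_for(days, warning_in=7, notice_in=30, severity_max="CRITICAL"):
    """Map days left to a severity; days=None means no valid certificate was found."""
    if days is None or days < 0:
        sev = "CRITICAL"
    elif days <= warning_in:
        sev = "WARNING"
    elif days <= notice_in:
        sev = "NOTICE"
    else:
        sev = "OK"
    # severity_max caps what is raised (config value 'error' becomes 'ERROR').
    cap = severity_max.upper()
    if SEVERITIES.index(sev) > SEVERITIES.index(cap):
        sev = cap
    return sev


def fetch_not_after(hostname, port=443, name=None, timeout=3):
    """Connect to hostname:port, send `name` as SNI, return notAfter or None."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=name or hostname) as tls:
                return tls.getpeercert()["notAfter"]
    except OSError:  # covers timeouts, refused connections and ssl.SSLError
        return None  # no response, plain-text port, or failed validation


def check(hostname, port=443, name=None, **thresholds):
    """Return (days_left or None, severity) for one configured certificate."""
    not_after = fetch_not_after(hostname, port, name)
    days = days_left(not_after) if not_after else None
    return days, severity_for(days, **thresholds)
```

Because the default context validates the chain and the name, a self-signed or mismatched certificate is reported as "no valid certificate" rather than by its expiry date.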

Output to CLI / metrology

    $ cmt -s certificate

    OK       certificate  56 day(s) left for SSL certificate google.com on google.com:443 
    OK       certificate  56 day(s) left for SSL certificate google.com on 142.250.201.174:443 
    OK       certificate  307 day(s) left for SSL certificate duckduckgo.com on duckduckgo.com:443 
    CRITICAL certificate  no certificate found for duckduckgo.com:80
    OK       certificate  143 day(s) left for SSL certificate yahoo.com on yahoo.com:443


    $ cmt certificate

    ------------------------------------------------------------------
    certificate duck
    ------------------------------------------------------------------
    cmt_certificate_host     duckduckgo.com:443
    cmt_certificate_name     duckduckgo.com
    cmt_certificate_days     307 days 
    cmt_certificate_issuer   DigiCert Inc
    cmt_certificate_subject  *.duckduckgo.com
    OK  : 307 day(s) left for SSL certificate duckduckgo.com on duckduckgo.com:443

    ------------------------------------------------------------------
    certificate broken
    ------------------------------------------------------------------
    cmt_certificate_host     duckduckgo.com:80
    cmt_certificate_name     duckduckgo.com
    CRITICAL  : no certificate found for duckduckgo.com:80

    ------------------------------------------------------------------
    certificate cert_ipgoogle
    ------------------------------------------------------------------
    cmt_certificate_host     142.250.201.174:443
    cmt_certificate_name     google.com
    cmt_certificate_days     56 days 
    cmt_certificate_issuer   Google Trust Services LLC
    cmt_certificate_subject  *.google.com
    OK  : 56 day(s) left for SSL certificate google.com on 142.250.201.174:443