Check SSL certificate validity, including CA chain, with Nagios
Nagios can do SSL checking, but it doesn't actually check if the certificate is valid for the connection address you're using (common name match).
On one of our servers, a postfix configuration file was replaced by a Plesk update without notice, resulting in a regression to a snake-oil certificate. Nagios checks SSL, but didn't see it. To that end, I'd like to check more than just the expiration date, and actually check the CA chain.
I've tried several SSL plugins for Nagios, but none of them can do it.
Does anybody have advice?
I don't have any experience with it but it looks like the check_ssl_cert plugin does what you are looking for.
Excerpt from the author's site:
check_ssl_cert is a Nagios plugin to check the CA and validity of an X.509 certificate
I can't find a plugin that tests it, either, but it would be very easy to wrap some random GPLed plugin's guts around an openssl one-liner. Here's a one-liner comparing the output from two of my servers; www has an Equifax certificate on it, nagios is self-signed:
[madhatter@anni ~]$ echo "" | openssl s_client -connect nagios.teaparty.net:443 |& grep "verify error"
verify error:num=18:self signed certificate
[madhatter@anni ~]$ echo $?
0
[madhatter@anni ~]$
and
[madhatter@anni ~]$ echo "" | openssl s_client -connect www.teaparty.net:443 |& grep "verify error"
[madhatter@anni ~]$ echo $?
1
[madhatter@anni ~]$
Note the nice, easy-to-test change in the exit status of grep, depending on whether or not it finds the "verify error" string.
How's that?
I've attempted to create a Nagios check to verify the chain order based on this method, but this method doesn't seem to work with Debian without changes. You should use:
echo "" | openssl s_client -showcerts -connect example.com:443 -CApath /etc/ssl/certs/ |& grep "verify error"
Furthermore, this does not work when the chain is in the wrong order but is still entirely present.
You would say the order doesn't really matter, as long as the intermediates are in the right order, but some systems require the root CA to be present, and some systems don't.
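Putting the openssl one-liner above and the Debian/chain-order follow-up together, here is an added example of a Nagios-style wrapper script. It is not one of the plugins discussed and not code from any of the posters. It differs from the grep one-liner in three ways: it reads OpenSSL's "Verify return code" line (so a missing intermediate, an expired certificate and a self-signed one all surface with their reason), it sends SNI and uses -verify_hostname so a common-name/SAN mismatch becomes a verify error, and it goes beyond the page by walking the "Certificate chain" block that -showcerts prints to flag a chain that verifies but is sent out of issuer order. The hostnames in the comments are constructed; the script assumes OpenSSL 1.1.0 or later (for -verify_hostname) and a CA directory at /etc/ssl/certs, as in the Debian command above.

```shell
#!/bin/sh
# check_ssl_chain.sh - added example, not an existing Nagios plugin.
# Usage: check_ssl_chain.sh host [port] [capath]
# Assumes: openssl 1.1.0+ (-verify_hostname), CA directory at /etc/ssl/certs.

STATE_OK=0; STATE_WARNING=1; STATE_CRITICAL=2; STATE_UNKNOWN=3

# Capture the whole s_client transcript for host:port, stderr merged as the
# "|&" one-liner does. -servername sends SNI so a multi-host server presents
# the certificate for that name; -verify_hostname turns a CN/SAN mismatch
# into a verify error (code 62) instead of a silent pass.
fetch_transcript() {
    host=$1; port=${2:-443}; capath=${3:-/etc/ssl/certs}
    echo "" | openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" -CApath "$capath" -showcerts 2>&1
}

# Print the numeric "Verify return code" from a transcript on stdin
# (0 = chain built and trusted, 10 = expired, 18 = self signed,
# 21 = could not verify the first certificate, 62 = hostname mismatch).
# Prints "none" when the line is absent, e.g. connection refused.
verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
    printf '%s\n' "${code:-none}"
}

# Walk the "Certificate chain" block (" 0 s:..." / "   i:..." lines): the
# issuer of certificate n must equal the subject of certificate n+1.
# Prints "ordered", "unordered", or "empty" when no chain lines are found.
chain_order() {
    awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ +i:/        { sub(/^ +i:/, "");        issuer[n] = $0; n++ }
        END {
            if (n == 0) { print "empty"; exit }
            for (k = 0; k + 1 < n; k++)
                if (issuer[k] != subj[k+1]) { print "unordered"; exit }
            print "ordered"
        }'
}

# Turn a transcript on stdin into one Nagios status line; the return value
# is the Nagios state. Verify failures are CRITICAL; a chain that verifies
# but is out of order is WARNING, because some clients still reject it.
classify_transcript() {
    t=$(cat)
    code=$(printf '%s\n' "$t" | verify_code)
    case "$code" in
        none) echo "UNKNOWN - no verify result (connection failed?)"
              return $STATE_UNKNOWN ;;
        0)    ;;
        *)    reason=$(printf '%s\n' "$t" \
                  | sed -n 's/^ *Verify return code: [0-9]* (\(.*\))$/\1/p' | tail -n 1)
              echo "CRITICAL - verify error $code ($reason)"
              return $STATE_CRITICAL ;;
    esac
    case "$(printf '%s\n' "$t" | chain_order)" in
        ordered)   echo "OK - chain verified and in issuer order"; return $STATE_OK ;;
        unordered) echo "WARNING - chain verifies but is not in issuer order"
                   return $STATE_WARNING ;;
        *)         echo "UNKNOWN - no certificate chain in output"; return $STATE_UNKNOWN ;;
    esac
}

# The actual check: fetch, classify, exit with the Nagios state.
check_ssl_chain() {
    fetch_transcript "$@" | classify_transcript
}

# Stand-alone use, e.g.: ./check_ssl_chain.sh www.example.test 443
if [ "$#" -gt 0 ]; then
    check_ssl_chain "$@"
    exit $?
fi
```

In the Nagios command definition, point a `check_command` at the script with `$HOSTADDRESS$` as the first argument; the status line is the plugin output and the exit code is the state, so no grep-exit-status inversion is needed. Note that OpenSSL 1.1.0 and later will often build a correct chain from out-of-order intermediates, which is exactly why the order is checked separately rather than relied on to fail verification.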