Repository is archived
No commit activity in last 3 years
No release in over 3 years
This plugin provides native SSL instrumentation for monitoring, including: hostname and chain verification, cert and crl expiry, and Qualys SSL Labs reporting
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 2.1
~> 0.13
~> 13.0
~> 3.5
~> 3.9
~> 0.85.0
~> 0.9.1
~> 0.9.25

Runtime

 Project Readme

Sensu-Plugins-SSL

Gem Version Sensu Bonsai Asset

This is an unofficial fork

This fork is automatically tested, built and published to RubyGems and Bonsai.

Files

  • bin/check-java-keystore-cert.rb
  • bin/check-ssl-anchor.rb
  • bin/check-ssl-crl.rb
  • bin/check-ssl-cert.rb
  • bin/check-ssl-host.rb
  • bin/check-ssl-hsts-preload.rb
  • bin/check-ssl-hsts-preloadable.rb
  • bin/check-ssl-qualys.rb
  • bin/check-ssl-root-issuer.rb

Usage

bin/check-ssl-anchor.rb

Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance). Requires the openssl commandline tool to be available on the system.

./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"

bin/check-ssl-crl.rb

Checks a CRL has not or is not expiring by inspecting it's next update value.

You can check against a CRL file on disk:

./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl

or an online CRL:

./bin/check-ssl-crl -c 300 -w 600 -u http://www.website.com/file.crl

Critical and Warning thresholds are specified in minutes.

bin/check-ssl-qualys.rb

Checks the ssllabs qualysis api for grade of your server, this check can be quite long so it should not be scheduled with a low interval and will probably need to adjust the check timeout options per the check attributes spec based on my tests you should expect this to take around 3 minutes.

./bin/check-ssl-qualys.rb -d google.com

bin/check-ssl-root-issuer.rb

Check that a specific website is chained to a specific root certificate issuer. This is a pure Ruby implementation, does not require the openssl cmdline client tool to be installed.

./bin/check-ssl-root-issuer.rb -u example.com -a "CN=DST Root CA X3,O=Digital Signature Trust Co."

Installation

Installation and Setup

Testing

To run the testing suite, you'll need to have a working ruby environment, gem, and bundler installed. We use rake to run the rspec tests automatically.

bundle install
bundle update
bundle exec rake

Notes

bin/check-ssl-anchor.rb and bin/check-ssl-host.rb would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.