https-ssl-cert-check-zabbix

Remote host SSL certificate check script with multi-protocol support and custom options

This script checks the validity and expiration time of a remote host's TLS/SSL certificate. It supports TLS SNI, STARTTLS, Punycode encoding of internationalized domain names, and verification of self-signed certificates. It produces JSON output and can be used standalone or integrated into the Zabbix monitoring system. The check options are exposed through a command-line interface, which makes the script suitable for SSL certificate monitoring.

Script to check validity and expiration of TLS/SSL certificate on remote host.

Supports: TLS SNI and STARTTLS for protocols like SMTP; internationalized domain names with Punycode (uses libidn); allowing self-signed certs as valid; JSON output; any additional s_client options.

May be used standalone or with Zabbix. See the "Zabbix integration" section below.

user@host:~$ ./ssl_cert_check.sh valid google.com
1

# Check 74.125.131.138 on port 443 for days left before certificate expiration
# TLS SNI (Server Name Indication) is set to google.com
# Check timeout is 15 seconds (default is 5)
# TLS protocol version is forced to 1.2, no auto-negotiation
user@host:~$ ./ssl_cert_check.sh expire 74.125.131.138 443 google.com 15 tls1_2
56

# JSON output of the certificate
user@host:~$ ./ssl_cert_check.sh json google.com
{"expire_days": 56, "valid": 1, "return_code": 0, "return_text": "ok"}

Usage

ssl_cert_check.sh valid|expire|json <hostname or IP> [port[/starttls protocol]] [domain for TLS SNI] [check timeout (seconds)] [tls_version|tls_auto,[self_signed_ok]] [ s_client_option1 ] [ ... ] [ s_client_optionN ]

  • [port] optional, default is 443

  • [starttls protocol] optional, use protocol-specific message to switch to TLS communication. See man s_client option -starttls for supported protocols, like smtp, ftp, ldap.

  • [domain for TLS SNI] optional, default is <hostname or IP>. SNI(Server Name Indication) is used to specify certificate domain name if it differs from the hostname.

  • [check timeout (seconds)] optional, default is 5 seconds

  • [tls_version|tls_auto,[self_signed_ok]] optional, comma (,) separated list of the predefined options below. Give only what you need; the options may appear in any order.

    • [tls_version] if it is not given, the TLS version is negotiated. Override it as needed, like: tls1_2, tls1_3, no_tls1, dtls and so on. See the "TLS Version Options" section of man openssl or man s_client for the available options.
    • [self_signed_ok] is optional. When this flag is set, all self-signed certificates are treated as valid; otherwise they are reported as invalid. It accepts OpenSSL verify return codes 18, 19, 20 and 21 (self-signed leaf certificate, self-signed certificate in the chain, unable to get local issuer certificate, unable to verify the first certificate). See the Diagnostics section at https://www.openssl.org/docs/man1.0.2/man1/verify.html. With the flag set the check no longer proves that the presented certificate chains to a trusted CA, only that it has not expired, so use it only for hosts that are known to serve self-signed certificates.
    • [tls_auto] means auto-negotiating the TLS protocol. That is the default; the option is used as a placeholder if you want to specify additional s_client options after it.
  • [ s_client_option1 ] [ ... ] [ s_client_optionN ] is optional, but once you use it all preceding positional parameters must be given. Everything appended after the positional parameters is appended to the OpenSSL s_client command line. See all s_client options at https://www.openssl.org/docs/man1.0.2/man1/s_client.html.

Return values

expire or valid
  • 1|0 for validity check: 1 - valid, 0 - invalid, expired or unavailable
  • N number of days left for expiration check. Zero or negative value means certificate is expired
  • -65535 the host was unreachable, the check timed out, or the script parameters were incorrect
json: JSON output
  • JSON object with a summary of the result, which can be used by Zabbix (JSONPath)
    • expire_days: the amount of days before the certificate is expired
    • valid: see valid check
    • return_code: the OpenSSL return code
    • return_text: the OpenSSL return text which gives helpful insights
  • JSON object with the error code and message
    • error_code: the numeric error code
    • error_message: the corresponding error message

Exit code is always 0, otherwise zabbix agent fails to get the item value.

If the script is running without a terminal (from zabbix), error messages are not printed, only the result value. The reason is that zabbix merges stdout and stderr to get an item value.
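As an added example (not the project's script, and not copied from it), the following POSIX sh implements the part of such a checker that the Usage and Return values sections describe: the `openssl s_client` invocation the positional parameters map onto, parsing of the `Verify return code` line and of `notAfter`, the `self_signed_ok` rule for verify codes 18 to 21, the -65535 convention with diagnostics on stderr only when stderr is a terminal, and the JSON line. The transcripts it runs on are constructed samples, not captures from the badssl.com hosts named in this README; the network function `probe` is assumed to have the `timeout` utility and GNU `date` available and is not exercised by the demo; all function and variable names are mine.

```shell
#!/bin/sh
# Added example in the style of ssl_cert_check.sh; not the project's own code.

# probe HOST PORT SNI TIMEOUT STARTTLS_PROTO [s_client options...]
# STARTTLS_PROTO may be "" for implicit TLS (443, 993, ...). Prints the
# s_client transcript followed by a notAfter= line for the leaf certificate.
# Requires the timeout utility; this is the only function that touches the network.
probe() {
    host=$1 port=$2 sni=$3 tmo=$4 proto=$5; shift 5
    [ -n "$proto" ] && set -- -starttls "$proto" "$@"
    out=$(timeout "$tmo" openssl s_client -connect "$host:$port" \
              -servername "$sni" "$@" </dev/null 2>&1) || return 1
    printf '%s\n' "$out"
    printf '%s\n' "$out" | openssl x509 -noout -enddate 2>/dev/null
}

# "Verify return code: 18 (self signed certificate)" -> "18" / the text in ()
verify_rc()   { sed -n 's/^Verify return code: \([0-9][0-9]*\) (.*/\1/p' | head -n 1; }
verify_text() { sed -n 's/^Verify return code: [0-9]* (\(.*\))$/\1/p' | head -n 1; }

# days_left "notAfter=Jan  1 00:00:00 2030 GMT" NOW_EPOCH
# Shell division truncates toward zero: a certificate expiring within the next
# 24 hours reports 0 and an expired one goes negative, which matches the
# README's rule that zero or negative means expired. Needs GNU date -d.
days_left() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    echo $(( ($end - $2) / 86400 ))
}

# is_valid VERIFY_RC DAYS SELF_SIGNED_OK(0|1) -> 1 or 0
# Code 0 is a clean chain. With self_signed_ok, codes 18-21 (self-signed leaf,
# self-signed in chain, no local issuer, cannot verify first certificate) pass.
# An expired certificate is never valid, whatever the verify code says.
is_valid() {
    rc=$1 days=$2 sso=$3
    [ "$days" -gt 0 ] || { echo 0; return 0; }
    case $rc in
        0)           echo 1 ;;
        18|19|20|21) [ "$sso" = 1 ] && echo 1 || echo 0 ;;
        *)           echo 0 ;;
    esac
}

# Unreachable host, timeout or bad parameters: -65535 on stdout, exit status 0
# (the Zabbix agent would otherwise discard the item), and the diagnostic only
# when stderr is a terminal, because the agent merges stdout and stderr.
fail() {
    [ -t 2 ] && printf 'ERROR: %s\n' "$1" >&2
    printf '%s\n' -65535
}

# check TRANSCRIPT SELF_SIGNED_OK NOW_EPOCH -> one JSON line like the json mode
check() {
    rc=$(printf '%s\n' "$1" | verify_rc)
    [ -n "$rc" ] || { fail "Failed to get certificate"; return 0; }
    text=$(printf '%s\n' "$1" | verify_text)
    end=$(printf '%s\n' "$1" | grep '^notAfter=' | head -n 1)
    [ -n "$end" ] || { fail "Failed to get certificate"; return 0; }
    days=$(days_left "$end" "$3") || { fail "Failed to parse notAfter"; return 0; }
    valid=$(is_valid "$rc" "$days" "$2")
    printf '{"expire_days": %s, "valid": %s, "return_code": %s, "return_text": "%s"}\n' \
        "$days" "$valid" "$rc" "$text"
}

# Constructed sample transcripts, trimmed to the lines the parser uses.
SELF_SIGNED='depth=0 CN = self-signed.test
verify error:num=18:self signed certificate
Verify return code: 18 (self signed certificate)
notAfter=Jan  1 00:00:00 2030 GMT'
EXPIRED='depth=0 CN = expired.test
verify error:num=10:certificate has expired
Verify return code: 10 (certificate has expired)
notAfter=Jan  1 00:00:00 2020 GMT'
DEMO_NOW=1700000000   # fixed clock (2023-11-14T22:13:20Z); real runs use $(date -u +%s)

check "$SELF_SIGNED" 0 "$DEMO_NOW"   # valid 0: self-signed rejected by default
check "$SELF_SIGNED" 1 "$DEMO_NOW"   # valid 1: self_signed_ok accepts code 18
check "$EXPIRED"     1 "$DEMO_NOW"   # valid 0 with a negative expire_days
```

For a live check you would replace the sample transcript with `probe host 587 host 5 smtp` (or `probe host 443 sni 5 ""` for implicit TLS) and pass `$(date -u +%s)` as the clock. The verify-code mapping is deliberately an allow-list: any code outside 0 and, with the flag, 18 to 21 is invalid, so a hostname mismatch or a revoked or untrusted chain is never silently accepted.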

Examples

user@host:~$ ./ssl_cert_check.sh valid google.com
1

user@host:~$ ./ssl_cert_check.sh valid imap.gmail.com 993
1

# SMTP on port 587 with STARTTLS to switch to TLS communication
user@host:~$ ./ssl_cert_check.sh valid smtp.gmail.com 587/smtp
1

user@host:~$ ./ssl_cert_check.sh valid self-signed.badssl.com
0

# Expired certificate is not valid
user@host:~$ ./ssl_cert_check.sh valid expired.badssl.com
0

user@host:~$ ./ssl_cert_check.sh expire google.com
56

user@host:~$ ./ssl_cert_check.sh expire expired.badssl.com
-2606

# JSON output of the certificate (can be combined with/piped to `jq`)
user@host:~$ ./ssl_cert_check.sh json google.com
{"expire_days": 56, "valid": 1, "return_code": 0, "return_text": "ok"}

# NOTE: an error message is shown on stderr only when running on a terminal
# Without a terminal (from zabbix), only the result is printed to stdout
user@host:~$ ./ssl_cert_check.sh expire unavailable.example.com
-65535
ERROR: Failed to get certificate

# Check 74.125.131.138:443 for a valid certificate for google.com
# TLS SNI (Server Name Indication) is set to google.com
# Check timeout is 10 seconds (default is 5)
user@host:~$ ./ssl_cert_check.sh valid 74.125.131.138 443 google.com 10
1

# Check a certificate on an endpoint only accepting TLS 1.2 and use TLS 1.2, which is valid.
user@host:~$ ./ssl_cert_check.sh valid tls-v1-2.badssl.com 1012 tls-v1-2.badssl.com 10 tls1_2
1

# Check a certificate on an endpoint only accepting TLS 1.2, but force TLS 1.1: the handshake fails, so the host is reported as unavailable (-65535), not the certificate as invalid (0).
user@host:~$ ./ssl_cert_check.sh valid tls-v1-2.badssl.com 1012 tls-v1-2.badssl.com 10 tls1_1
-65535
ERROR: Failed to get certificate

# Check a self-signed certificate endpoint using TLS 1.2, without assuming self-signed is valid.
user@host:~$ ./ssl_cert_check.sh json self-signed.badssl.com 443 self-signed.badssl.com 10 tls1_2
{"expire_days": 708, "valid": 0, "return_code": 18, "return_text": "self signed certificate"}

# Check a self-signed certificate endpoint using TLS 1.2, with assuming self-signed is valid.
user@host:~$ ./ssl_cert_check.sh json self-signed.badssl.com 443 self-signed.badssl.com 10 tls1_2,self_signed_ok
{"expire_days": 708, "valid": 1, "return_code": 18, "return_text": "self signed certificate"}

Zabbix integration

Example of Zabbix user parameters: userparameters_ssl_cert_check.conf in zabbix_integration_examples directory.

You can write your own template or use one of example templates in zabbix_integration_examples. See their description in README.md.

Support for Internationalized Domain Names with Punycode

If the idn executable (libidn) is available, Unicode host and domain names will be supported by converting to
