## Check ssl certs

Script: `check_ssl_certs`

**check_ssl_certs** is a plugin to check local certificates. It loops over one or more certificate files and reads the expiration date from each of them. This functionality requires the openssl binary in $PATH.

It sends performance data with the count of days left.

Remark: This is just a local check of the certificate file. It cannot detect a revocation at the issuer.

## Requirements

* openssl client

## Standalone installation

From this repository you need, next to this script:

* `inc_pluginfunctions` shared function for all IML checks written in bash

## Syntax

Start the script with `-h` to get the help.

```txt
______________________________________________________________________

CHECK_SSL_CERTS
v1.4

(c) Institute for Medical Education - University of Bern
Licence: GNU GPL 3

https://os-docs.iml.unibe.ch/icinga-checks/Checks/check_ssl_certs.html
______________________________________________________________________

Check locally installed SSL client certificates and warn if the expiration
date comes closer.

SYNTAX:
  check_ssl_certs [-w WARN_LIMIT] [-c CRITICAL_LIMIT] [-f "FILELIST"]

OPTIONS:
  -f FILELIST
      file filter to find certificates using globbing (default: /etc/ssl/certs/*.cert.cer)
      To use multiple sources seperate them with a space char.
      Quote your parameter value if you use multiple sources or * char.
  -w VALUE
      warning level in days before expiration (default: 14)
  -c VALUE
      critical level in days before expiration (default: 5)
  -h or --help
      show this help.

PARAMETERS:
  None.

EXAMPLE:
  check_ssl_certs -f "/etc/ssl/certs/*example.com.*.cer /somewhere/else/*.cer"
      Set 2 folders where to find the client certificates.
      They are seperated by space and both use * for globbing

  check_ssl_certs -w 30 -c 3
      Overide the warning and critical level.
```

## Examples

### Get values

`./check_ssl_certs`

Checks files that match the default filter `/etc/ssl/certs/*.cert.cer`.

```txt
OK: SSL certs :: OK www.example.com [34d] ;

----- [1 of 1] www.example.com - expires in 34 days
Issuer: C=US, O=Let's Encrypt, CN=R3
Not Before: Feb 28 23:25:10 2024 GMT
Not After : May 28 23:25:09 2024 GMT
Subject: CN=www.example.com
DNS:www.example.com
File: /etc/ssl/certs/www.example.com.cert.cer

INFO: warning starts 14 d before expiration, raising to critical 5 days before
|ssl-wwwexamplecom=34;;;0
```
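
The local expiry check described above, as an added example in bash (not the plugin's own code): it reads `notAfter` with `openssl x509 -enddate`, converts it to days left and maps that to an Icinga exit code using the default limits of 14 and 5 days. The function names, the `<=` comparison and the use of GNU `date -d` are assumptions; the sample `notAfter` value is the one from the example output, evaluated at a constructed date.

```bash
#!/usr/bin/env bash
# Added example, not the check_ssl_certs source. Assumes GNU date and openssl in $PATH.

# Whole days between an "openssl x509 -enddate" line and an epoch (default: now).
days_left() {
    local end now="${2:-$(date +%s)}" diff
    end=$(date -u -d "${1#notAfter=}" +%s) || return 3
    diff=$(( end - now ))
    # Round toward minus infinity so an expired certificate is never reported as 0.
    if [ "$diff" -lt 0 ]; then diff=$(( diff - 86399 )); fi
    echo $(( diff / 86400 ))
}

# Map days left to an Icinga/Nagios exit code (0 OK, 1 WARNING, 2 CRITICAL).
# Assumption: a limit counts as reached when days <= limit.
state_code() {
    local days="$1" warn="${2:-14}" crit="${3:-5}"
    if   [ "$days" -le "$crit" ]; then echo 2
    elif [ "$days" -le "$warn" ]; then echo 1
    else echo 0; fi
}

# Check each file given (the shell expands the globs); return the worst state.
# Files openssl cannot parse as a certificate count as UNKNOWN (3).
check_files() {
    local warn="$1" crit="$2" worst=0 f line d rc; shift 2
    for f in "$@"; do
        if line=$(openssl x509 -noout -enddate -in "$f" 2>/dev/null) && d=$(days_left "$line"); then
            rc=$(state_code "$d" "$warn" "$crit")
            echo "$f: expires in $d days (state $rc)"
        else
            rc=3; echo "$f: cannot read certificate"
        fi
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Constructed sample: the Not After value from the example output, at a fixed date.
if [ "$#" -eq 0 ]; then
    now=$(date -u -d "Apr 24 2024 12:00:00 GMT" +%s)
    d=$(days_left "notAfter=May 28 23:25:09 2024 GMT" "$now")
    echo "days=$d state=$(state_code "$d")"
else
    check_files 14 5 "$@"
fi
```

Like the plugin, this only inspects the file on disk, so a revoked certificate still reports OK until its `notAfter` date approaches.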