check_ct_logs
Shell script for monitoring certificates emitted for a domain via Certificate Transparency logs
check_ct_logs
This script compares known certificates (stored locally) and registered certificates logged in public Certificate Transparency logs. It uses certspotter API and can retrieves certificates directly from host when it finds a registered certificate not already known.
Output and exit follow Nagios plugins development guidelines, making it suitable for integration in monitoring software such as Nagios, icinga, shinken, ...
Syntax of this script mainly inspired by check_ssl_cert, by Matteo Corti.
This script is free software, licensed as GPLv3.
Usage
Usage: check_ct_logs -H domain -d certificate_directory [-a API_KEY -h -g -D]
This script compares known certificates (stored locally) and registered certificates
logged in public Certificate Transparency logs. It uses certspotter API, from
https://certspotter.com
Arguments:
-H, --host server
-d, --certificate-directory where to find known certificates (PEM encoded)
Options:
-h, --help print this information and exits
-a, --api-key CertSpotter API key. Needed if you do
checks on a regular basis. Get one on :
https://sslmate.com/signup?for=certspotter_api
-c, --certspotter Certspotter API URL. Defaults to
https://api.certspotter.com/v1/issuances
But you can change to your instance if you run
certspotter locally
(see https://github.com/SSLMate/certspotter )
-g, --get-from-host if set, tries to contact host on port 443 to
retrieve certificate from there if there is a
registered certificate not known locally.
-D, --debug print debug information
Install
Dependencies
- openssl
- curl
- jq
Setup
Just put this script along your other checks, and put known certificates in a directory that your monitoring software can read (and write if you use the --get-from-host option)
If you plan to use it for monitoring, you should get an API key for cert spotter (free up to 1000 queries / hour)
Bugs
Please report bugs to https://github.com/Samuel-BF/check_ct_logs
