check_ct_logs

Shell script for monitoring certificates emitted for a domain via Certificate Transparency logs

This script compares the certificates known locally (stored as PEM files in a directory) with the certificates registered for a domain in public Certificate Transparency logs. It uses the CertSpotter API and can retrieve a certificate directly from the host when it finds a logged certificate that is not yet known locally.

Output and exit codes follow the Nagios plugin development guidelines, so the script can be integrated into monitoring software such as Nagios, Icinga, Shinken, ...

The syntax of this script is mainly inspired by check_ssl_cert, by Matteo Corti.

This script is free software, licensed as GPLv3.

Usage
Usage: check_ct_logs -H domain -d certificate_directory [-a API_KEY -h -g -D]

This script compares known certificates (stored locally) and registered certificates
logged in public Certificate Transparency logs. It uses certspotter API, from
https://certspotter.com

Arguments:
    -H, --host          server
    -d, --certificate-directory where to find known certificates (PEM encoded)

Options:
    -h, --help          print this information and exits
    -a, --api-key           CertSpotter API key. Needed if you do
                    checks on a regular basis. Get one on :
                    https://sslmate.com/signup?for=certspotter_api
    -c, --certspotter       Certspotter API URL. Defaults to
                    https://api.certspotter.com/v1/issuances
                    But you can change to your instance if you run
                    certspotter locally
                    (see https://github.com/SSLMate/certspotter )
    -g, --get-from-host     if set, tries to contact host on port 443 to
                    retrieve certificate from there if there is a
                    registered certificate not known locally.
    -D, --debug         print debug information
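As an added example (not the check_ct_logs script itself, nor the project's code), the following POSIX shell script reimplements the check described above in miniature: fingerprint the known PEM certificates, extract the fingerprints CertSpotter reports for the domain, and report the difference with Nagios-style output and exit codes. The comparison itself is pure shell so it can be exercised without jq or openssl. The CertSpotter field name `cert_sha256`, the convention of passing the API key as the HTTP Basic auth user name and the query parameters in `fetch_issuances` are assumptions about the API, not taken from this page; check them against the current CertSpotter documentation. The fingerprint values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not the check_ct_logs script: a minimal version of the comparison
# between locally known certificates and CertSpotter issuances. Assumptions about
# the CertSpotter API (field name cert_sha256, Basic auth with the key as user
# name, query parameters) must be verified against its documentation.

CERTSPOTTER_URL="https://api.certspotter.com/v1/issuances"

# Nagios plugin exit codes
OK=0; WARNING=1; CRITICAL=2; UNKNOWN=3

# SHA-256 fingerprints (lowercase hex, no colons) of the PEM certificates in a
# directory: the "known certificates" side of the comparison.
known_fingerprints() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -fingerprint -sha256 \
            | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
    done | sort -u
}

# Fingerprints of the certificates CertSpotter has logged for the domain. Reads
# the JSON response from stdin so a saved response can be replayed offline.
logged_fingerprints() {
    jq -r '.[].cert_sha256' | tr 'A-F' 'a-f' | sort -u
}

# Query CertSpotter for a domain and its subdomains (network access required).
fetch_issuances() {
    domain="$1"; api_key="${2:-}"
    if [ -n "$api_key" ]; then
        curl -sSf -u "$api_key:" "$CERTSPOTTER_URL?domain=$domain&include_subdomains=true"
    else
        curl -sSf "$CERTSPOTTER_URL?domain=$domain&include_subdomains=true"
    fi
}

# The --get-from-host behaviour: fetch the certificate the host presents on 443
# and store it, named after its fingerprint, in the known-certificates directory.
get_from_host() {
    host="$1"; dir="$2"
    pem=$(openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
          | openssl x509 -outform PEM) || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 \
          | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f')
    printf '%s\n' "$pem" > "$dir/$fp.pem"
}

# Core comparison, pure shell: prints every fingerprint of the logged list that is
# absent from the known list. Both arguments are newline-separated lists, e.g.
# (constructed values) "1111aaaa\n2222bbbb".
unknown_fingerprints() {
    known="$1"
    printf '%s\n' "$2" | while IFS= read -r fp; do
        [ -n "$fp" ] || continue
        # exact whole-line match, so no prefix of another fingerprint can match
        if ! printf '%s\n' "$known" | grep -Fxq -- "$fp"; then
            printf '%s\n' "$fp"
        fi
    done
    return 0
}

# Nagios-style verdict: one status line on stdout, plugin exit code as return value.
ct_verdict() {
    domain="$1"
    unknown=$(unknown_fingerprints "$2" "$3")
    count=$(printf '%s' "$unknown" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "CT OK - all certificates logged for $domain are known locally"
        return $OK
    fi
    echo "CT CRITICAL - $count certificate(s) logged for $domain unknown locally: $(printf '%s' "$unknown" | tr '\n' ' ')"
    return $CRITICAL
}

# Entry point for real use: ./ct_example.sh example.com /path/to/known_certs [API_KEY]
main() {
    domain="$1"; dir="$2"; api_key="${3:-}"
    if ! json=$(fetch_issuances "$domain" "$api_key"); then
        echo "CT UNKNOWN - CertSpotter query for $domain failed"
        exit $UNKNOWN
    fi
    known=$(known_fingerprints "$dir")
    logged=$(printf '%s' "$json" | logged_fingerprints)
    ct_verdict "$domain" "$known" "$logged"
    exit $?
}

# Run main only when invoked with arguments; sourcing the file just defines the functions.
[ $# -lt 2 ] || main "$@"
```

Run it with a domain and the directory of known certificates; an API key as third argument avoids the unauthenticated rate limit. A fingerprint that appears in the logs but not in the directory yields CRITICAL (exit 2), a failed query yields UNKNOWN (exit 3), and `get_from_host` is left as a separate helper so that writing into the certificate directory stays an explicit choice, as with the script's own --get-from-host option.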

Install

Dependencies

  • openssl
  • curl
  • jq

Setup

Just put this script alongside your other checks, and put the known certificates in a directory that your monitoring software can read (and write to, if you use the --get-from-host option).

If you plan to use it for monitoring, you should get an API key for CertSpotter (free up to 1000 queries / hour).

Bugs

Please report bugs to https://github.com/Samuel-BF/check_ct_logs