check_ocsp_stapling
check_ocsp_stapling
is a plugin for Nagios/Icinga that helps with monitoring
TLS servers implementing OCSP stapling. The script verifies that a TLS server
provides a OCSP response that is not expired and reports a good (non-revoked) certificate status.
The script is largely based on check_ssl_certificate
by David Alden.
Default Behaviour
By default, check_ocsp_stapling
begins to warn when the stapled OCSP response
is valid for less than 36 hours from the current time and will go to a critical
state at less than 24 hours.
These values can be changed using the -w
and -c
command-line options. To
find an appropriate value for your CA, observe the Last Update and Next Update
values the CA uses in their OCSP responses. Publicly-trusted CAs may use a
maximum expiration time of ten days and should update their OCSP responses at
least every four days (as of version 1.3.5 of the CA/B Forum Baseline
Requirements).
Sample Configuration
Nagios
define host {
use generic-host
host_name example.com
alias Some Remote Host
address example.com
}
define command {
name check_ocsp_stapling
command_name check_ocsp_stapling
command_line /path/to/nagios/plugins/check_ocsp_stapling -H $HOSTADDRESS$ $ARG1$
}
define service {
use generic-service
host_name example.com
service_description example.com OCSP Stapling
check_command check_ocsp_stapling
# to use any of the optional arguments, use this syntax:
# check_command check_ocsp_stapling!-w 48
}
Icinga
object Host "example.com" {
address = "example.com"
# to use any of the optional arguments, use this syntax:
# vars.port = 443
# vars.warning = 240
}
object CheckCommand "check_ocsp_stapling" {
command = [ PluginDir + "/check_ocsp_stapling" ]
arguments = {
"-H" = "$address$"
"-a" = "$add$"
"-c" = "$critical$"
"-w" = "$warning$"
"-p" = "$port$"
}
}
object Service "example.com OCSP Stapling" {
host_name = "example.com"
check_command = "check_ocsp_stapling"
}
Usage
Usage: check_ocsp_stapling -H [-p ] [-c ] [-w ]
-a add the text to the openssl line, used for checking OCSP stapling
with starttls ("-a '-starttls smtp'")
-c exit with CRITICAL status if number of hours left is less than
-h show this help script
-H check OCSP stapling on the indicated host
-o path to openssl binary
-p check OCSP stapling on the specified port
-w exit with WARNING status if number of hours left is less than
-V show version and license information
Issues
Please report any issues you might encounter on GitHub. Pull requests are welcome!