check_ssl_cert_icinga2.conf

object CheckCommand "ssl_cert_extended" {
	import "plugin-check-command"

	command = [ PluginDir + "/check_ssl_cert.sh" ]

	arguments = {
		"--file" = {
			value = "$ssl_cert_extended_file$"
			description = "Local file path or URI. With -f you can not only pass a x509 certificate file but also a certificate revocation list (CRL) to check the validity period or a Java KeyStore file"
		}

		"--host" = {
			value = "$ssl_cert_extended_host$"
			description = "Server"
		}

		"--noauth" = {
			set_if = "$ssl_cert_extended_noauth$"
			description = "Ignore authority warnings (expiration only)"
		}

		"--all" = {
			set_if = "$ssl_cert_extended_all$"
			description = "Enable all the possible optional checks at the maximum level"
		}

		"--all-local" = {
			set_if = "$ssl_cert_extended_all_local$"
			description = "Enable all the possible optional checks at the maximum level (without SSL-Labs)"
		}

		"--allow-empty-san" = {
			set_if = "$ssl_cert_extended_allow_empty_san$"
			description = "Allow certificates without Subject Alternative Names (SANs)"
		}

		"--clientcert" = {
			value = "$ssl_cert_extended_clientcert$"
			description = "Use client certificate to authenticate"
		}

		"--critical" = {
			value = "$ssl_cert_extended_critical$"
			description = "Minimum number of days a certificate has to be valid to issue a critical status. Can be a floating point number, e.g., 0.5 Default: 15"
		}

		"--check-chain" = {
			set_if = "$ssl_cert_extended_check_chain$"
			description = "The certificate chain cannot contain double or root certificates"
		}

		"--check-ciphers" = {
			value = "$ssl_cert_extended_check_ciphers$"
			description = "Check the offered ciphers"
		}

		"--check-ciphers-warnings" = {
			set_if = "$ssl_cert_extended_check_ciphers_warnings$"
			description = "Critical if nmap reports a warning for an offered cipher"
		}

		"--check-http-headers" = {
			set_if = "$ssl_cert_extended_check_http_headers$"
			description = "Check the HTTP headers for best practices"
		}

		"--check-ssl-labs-warn" = {
			value = "$ssl_cert_extended_check_ssl_labs_warn$"
			description = "SSL Labs grade on which to warn"
		}

		"--clientpass" = {
			value = "$ssl_cert_extended_clientpass$"
			description = "Set passphrase for client certificate."
		}

		"--configuration" = {
			value = "$ssl_cert_extended_configuration$"
			description = "Read options from the specified file"
		}

		"--crl" = {
			set_if = "$ssl_cert_extended_crl$"
			description = "Check revocation via CRL (requires --rootcert-file)"
		}

		"--curl-bin" = {
			value = "$ssl_cert_extended_curl_bin$"
			description = "Path of the curl binary to be used"
		}

		"--custom-http-header" = {
			value = "$ssl_cert_extended_custom_http_header$"
			description = "Custom HTTP header sent when getting the cert example: 'X-Check-Ssl-Cert: Foobar=1'"
		}

		"--default-format" = {
			set_if = "$ssl_cert_extended_default_format$"
			description = "Print the default output format and exit"
		}

		"--dane" = {
			set_if = "$ssl_cert_extended_dane$"
			description = "Verify that valid DANE records exist (since OpenSSL 1.1.0)"
		}

		"--dane 211" = {
			set_if = "$ssl_cert_extended_dane_211$"
			description = "Verify that a valid DANE-TA(2) SPKI(1) SHA2-256(1) TLSA record exists"
		}

		"--dane 301" = {
			set_if = "$ssl_cert_extended_dane_301$"
			description = "Verify that a valid DANE-EE(3) Cert(0) SHA2-256(1) TLSA record exists"
		}

		"--dane 302" = {
			set_if = "$ssl_cert_extended_dane_302$"
			description = "Verify that a valid DANE-EE(3) Cert(0) SHA2-512(2) TLSA record exists"
		}

		"--dane 311" = {
			set_if = "$ssl_cert_extended_dane_311$"
			description = "Verify that a valid DANE-EE(3) SPKI(1) SHA2-256(1) TLSA record exists"
		}

		"--dane 312" = {
			set_if = "$ssl_cert_extended_dane_312$"
			description = "Verify that a valid DANE-EE(3) SPKI(1) SHA2-512(1) TLSA record exists"
		}

        "--date" = {
            set_if = "$ssl_cert_extended_date$"
            description = "Path of the date binary to be used"
        }

		"--debug" = {
			set_if = "$ssl_cert_extended_debug$"
			description = "Produce debugging output (can be specified more than once)"
		}

		"--debug-cert" = {
			set_if = "$ssl_cert_extended_debug_cert$"
			description = "Store the retrieved certificates in the current directory"
		}

		"--debug-headers" = {
			set_if = "$ssl_cert_extended_debug_headers$"
			description = "Store the retrieved HTLM headers in the headers.txt file"
		}

		"--debug-file" = {
			value = "$ssl_cert_extended_debug_file$"
			description = "Write the debug messages to file"
		}

		"--debug-time" = {
			set_if = "$ssl_cert_extended_debug_time$"
			description = "Write timing information in the debugging output"
		}

		"--dig-bin" = {
			value = "$ssl_cert_extended_dig_bin$"
			description = "Path of the dig binary to be used"
		}

		"--do-not-resolve" = {
			set_if = "$ssl_cert_extended_do_not_resolve$"
			description = "Do not check if the host can be resolved"
		}

		"--dtls" = {
			set_if = "$ssl_cert_extended_dtls$"
			description = "Use the DTLS protocol"
		}

		"--dtls1" = {
			set_if = "$ssl_cert_extended_dtls1$"
			description = "Use the DTLS protocol 1.0"
		}

		"--dtls1_2" = {
			set_if = "$ssl_cert_extended_dtls1_2$"
			description = "Use the DTLS protocol 1.2"
		}

		"--email" = {
			value = "$ssl_cert_extended_email$"
			description = "Pattern to match the email address contained in the certificate"
		}

		"--ecdsa" = {
			set_if = "$ssl_cert_extended_ecdsa$"
			description = "Signature algorithm selection: force ECDSA certificate"
		}

		"--element" = {
			value = "$ssl_cert_extended_element$"
			description = "Check up to the N cert element from the beginning of the chain"
		}

		"--file-bin" = {
			value = "$ssl_cert_extended_file_bin$"
			description = "Path of the file binary to be used"
		}

		"--fingerprint" = {
			value = "$ssl_cert_extended_fingerprint$"
			description = "Pattern to match the fingerprint"
		}

		"--fingerprint-alg" = {
			value = "$ssl_cert_extended_fingerprint_alg$"
			description = "Algorithm for fingerprint. Default sha1"
		}

        "--first-element-only" = {
			set_if = "$ssl_cert_extended_first_element_only$"
			description = "Verify just the first cert element, not the whole chain"
		}

		"--force-dconv-date" = {
			set_if = "$ssl_cert_extended_force_dconv_date$"
			description = "Force the usage of dconv for date computations"
		}

		"--force-perl-date" = {
			set_if = "$ssl_cert_extended_force_perl_date$"
			description = "Force the usage of dconv for date computations"
		}

		"--force-perl-date" = {
			set_if = "$ssl_cert_extended_force_perl_date$"
			description = "Force the usage of Perl for date computations"
		}

		"--format" = {
			value = "$ssl_cert_extended_format$"
			description = "Format output template on success, for example: '%SHORTNAME% OK %CN% from %CA_ISSUER_MATCHED%' list of possible variables: - %CA_ISSUER_MATCHED% - %CHECKEDNAMES% - %CN% - %DATE% - %DAYS_VALID% - %DYSPLAY_CN% - %HOST% - %OCSP_EXPIRES_IN_HOURS% - %OPENSSL_COMMAND% - %PORT% - %SELFSIGNEDCERT% - %SHORTNAME% - %SIGALGO% - %SSL_LABS_HOST_GRADE% See --default-format for the default"
		}

		"--grep-bin" = {
			value = "$ssl_cert_extended_grep_bin$"
			description = "Path of the grep binary to be used"
		}

		"--http-headers-path" = {
			value = "$ssl_cert_extended_http_headers_path$"
			description = "The path to be used to fetch HTTP headers"
		}

		"--http-use-get" = {
			set_if = "$ssl_cert_extended_http_use_get$"
			description = "Use GET instead of HEAD (default) for the HTTP related checks"
		}

		"--issuer" = {
			value = "$ssl_cert_extended_issuer$"
			description = "Pattern to match the issuer of the certificate"
		}

		"--ignore-altnames" = {
			set_if = "$ssl_cert_extended_ignore_altnames$"
			description = "Ignore alternative names when matching pattern specified in -n (or the host name)"
		}

		"--ignore-connection-problems" = {
			set_if = "$ssl_cert_extended_ignore_connection_problems$"
			description = "[state] In case of connection problems returns OK or the optional state"
		}

		"--ignore-exp" = {
			set_if = "$ssl_cert_extended_ignore_exp$"
			description = "Ignore expiration date"
		}

		"--ignore-http-headers" = {
			set_if = "$ssl_cert_extended_ignore_http_headers$"
			description = "Ignore checks on HTTP headers with --all and --all-local"
		}

		"--ignore-host-cn" = {
			set_if = "$ssl_cert_extended_ignore_host_cn$"
			description = "Do not complain if the CN does not match the host name"
		}

		"--ignore-incomplete-chain" = {
			set_if = "$ssl_cert_extended_ignore_incomplete_chain$"
			description = "Do not check chain integrity"
		}

		"--ignore-maximum-validity" = {
			set_if = "$ssl_cert_extended_ignore_maximum_validity$"
			description = "Ignore the certificate maximum validity"
		}

		"--ignore-ocsp" = {
			set_if = "$ssl_cert_extended_ignore_ocsp$"
			description = "Do not check revocation with OCSP"
		}

		"--ignore-ocsp-errors" = {
			set_if = "$ssl_cert_extended_ignore_ocsp_errors$"
			description = "Continue if the OCSP status cannot be checked"
		}

		"--ignore-ocsp-timeout" = {
			set_if = "$ssl_cert_extended_ignore_ocsp_timeout$"
			description = "Ignore OCSP result when timeout occurs while checking"
		}

		"--ignore-sct" = {
			set_if = "$ssl_cert_extended_ignore_sct$"
			description = "Do not check for signed certificate timestamps (SCT)"
		}

		"--ignore-sig-alg" = {
			set_if = "$ssl_cert_extended_ignore_sig_alg$"
			description = "Do not check if the certificate was signed with SHA1 or MD5"
		}

		"--ignore-ssl-labs-cache" = {
			set_if = "$ssl_cert_extended_ignore_ssl_labs_cache$"
			description = "Force a new check by SSL Labs (see -L)"
		}

		"--ignore-ssl-labs-errors" = {
			set_if = "$ssl_cert_extended_ignore_ssl_labs_errors$"
			description = "Ignore errors if SSL Labs is not accessible or times out"
		}

		"--ignore-tls-renegotiation" = {
			set_if = "$ssl_cert_extended_ignore_tls_renegotiation$"
			description = "Ignore the TLS renegotiation check"
		}

        "--ignore-unexpected-eof" = {
            set_if = "$ssl_cert_extended_ignore_unexpected_eof$"
			description = "Ignore unclean TLS shutdowns"
		}

		"--inetproto" = {
			value = "$ssl_cert_extended_inetproto$"
			description = "Force IP version 4 or 6"
		}

		"--info" = {
			set_if = "$ssl_cert_extended_info$"
			description = "Print certificate information"
		}

		"--init-host-cache" = {
			set_if = "$ssl_cert_extended_init_host_cache$"
			description = "Initialize the host cache"
		}

		"--issuer-cert-cache" = {
			value = "$ssl_cert_extended_issuer_cert_cache$"
			description = "Directory where to store issuer certificates cache"
		}

		"--jks-alias" = {
			value = "$ssl_cert_extended_jks_alias$"
			description = "Alias name of the Java KeyStore entry (requires --file)"
		}

		"--clientkey" = {
			value = "$ssl_cert_extended_clientkey$"
			description = "Use client certificate key to authenticate"
		}

		"--check-ssl-labs" = {
			value = "$ssl_cert_extended_check_ssl_labs$"
			description = "SSL Labs assessment (please check https://www.ssllabs.com/about/terms.html)"
		}

		"--long-output" = {
			value = "$ssl_cert_extended_long_output$"
			description = "Append the specified comma separated (no spaces) list of attributes to the plugin output on additional lines Valid attributes are: enddate, startdate, subject, issuer, modulus, serial, hash, email, ocsp_uri and fingerprint. 'all' will include all the available attributes."
		}

		"--match" = {
			value = "$ssl_cert_extended_match$"
			description = "Pattern to match the CN or AltName (can be specified multiple times)"
		}

		"--maximum-validity" = {
			value = "$ssl_cert_extended_maximum_validity$"
			description = "The maximum validity of the certificate must not exceed 'days' (default 397) This check is automatic for HTTPS"
		}

		"--nmap-bin" = {
			value = "$ssl_cert_extended_nmap_bin$"
			description = "Path of the nmap binary to be used"
		}

		"--nmap-with-proxy" = {
			value = "$ssl_cert_extended_nmap_with_proxy$"
			description = "Allow nmap to be used with a proxy"
		}

		"--no-perf" = {
			set_if = "$ssl_cert_extended_no_perf$"
			description = "Do not show performance data"
		}

		"--no-proxy" = {
			set_if = "$ssl_cert_extended_no_proxy$"
			description = "Ignore the http_proxy and https_proxy environment variables"
		}

		"--no-proxy-curl" = {
			set_if = "$ssl_cert_extended_no_proxy_curl$"
			description = "Ignore the http_proxy and https_proxy environment variables for curl"
		}

		"--no-proxy-s_client" = {
			set_if = "$ssl_cert_extended_no_proxy_s_client$"
			description = "Ignore the http_proxy and https_proxy environment variables for openssl s_client"
		}

		"--no-ssl2" = {
			set_if = "$ssl_cert_extended_no_ssl2$"
			description = "Disable SSL version 2"
		}

		"--no-ssl3" = {
			set_if = "$ssl_cert_extended_no_ssl3$"
			description = "Disable SSL version 3"
		}

		"--no-tls1" = {
			set_if = "$ssl_cert_extended_no_tls1$"
			description = "Disable TLS version 1"
		}

		"--no-tls1_1" = {
			set_if = "$ssl_cert_extended_no_tls1_1$"
			description = "Disable TLS version 1.1"
		}

        "--no-tls1_2" = {
			set_if = "$ssl_cert_extended_no_tls1_2$"
			description = "Disable TLS version 1.2"
		}

		"--no-tls1_3" = {
			set_if = "$ssl_cert_extended_no_tls1_3$"
			description = "Disable TLS version 1.3"
		}

		"--not-issued-by" = {
			value = "$ssl_cert_extended_not_issued_by$"
			description = "Check that the issuer of the certificate does not match the given pattern"
		}

		"--not-valid-longer-than" = {
			value = "$ssl_cert_extended_not_valid_longer_than$"
			description = "Critical if the certificate validity is longer than the specified period"
		}

		"--org" = {
			value = "$ssl_cert_extended_org$"
			description = "Pattern to match the organization of the certificate"
		}

		"--ocsp-critical" = {
			value = "$ssl_cert_extended_ocsp_critical$"
			description = "Minimum number of hours an OCSP response has to be valid to issue a critical status"
		}

		"--ocsp-warning" = {
			value = "$ssl_cert_extended_ocsp_warning$"
			description = "Minimum number of hours an OCSP response has to be valid to issue a warning status"
		}

		"--openssl" = {
			value = "$ssl_cert_extended_openssl$"
			description = "Path of the openssl binary to be used"
		}

		"--path" = {
			value = "$ssl_cert_extended_path$"
			description = "Set the PATH variable to 'path'"
		}

		"--port" = {
			value = "$ssl_cert_extended_port$"
			description = "TCP port (default 443)"
		}

		"--precision" = {
			value = "$ssl_cert_extended_precision$"
			description = "Number of decimal places for durations:defaults to 0 if critical or warning are integers, 2 otherwise"
		}

		"--protocol" = {
			value = "$ssl_cert_extended_protocol$"
			description = "Use the specific protocol: dns, ftp, ftps, http, https (default), h2 (HTTP/2), imap, imaps, irc, ircs, ldap, ldaps, mysql, pop3, pop3s, postgres, sieve, smtp, smtps, tds, xmpp, xmpp-server. ftp, imap, irc, ldap, pop3, postgres, sieve, smtp: switch to TLS using StartTLS"
		}

		"--password" = {
			value = "$ssl_cert_extended_password$"
			description = "Password source for a local certificate, see the PASS PHRASE ARGUMENTS section openssl(1)"
		}

		"--prometheus" = {
			set_if = "$ssl_cert_extended_prometheus$"
			description = "Generate Prometheus/OpenMetrics output"
		}

		"--proxy" = {
			value = "$ssl_cert_extended_proxy$"
			description = "Set http_proxy and the s_client -proxy option"
		}

		"--python-bin" = {
			value = "$ssl_cert_extended_python_bin$"
			description = "Path of the python binary to be used"
		}

		"--quic" = {
			set_if = "$ssl_cert_extended_quic$"
			description = "Use QUIC"
		}

        "--quiet" = {
			set_if = "$ssl_cert_extended_quiet$"
			description = "Do not produce any output"
		}

		"--rootcert" = {
			value = "$ssl_cert_extended_rootcert$"
			description = "Root certificate or directory to be used for certificate validation"
		}

		"--require-client-cert" = {
			value = "$ssl_cert_extended_require_client_cert$"
			description = "The server must accept a client certificate. 'list' is an optional comma separated list of expected client certificate CAs"
		}

		"--require-dnssec" = {
			set_if = "$ssl_cert_extended_require_dnssec$"
			description = "Require DNSSEC"
		}

		"--require-http-header" = {
			value = "$ssl_cert_extended_require_http_header$"
			description = "Require the specified HTTP header (e.g., X-Frame-Options)"
		}

		"--require-no-http-header" = {
			value = "$ssl_cert_extended_require_no_http_header$"
			description = "Require the absence of the specified HTTP header (e.g., X-Powered-By)"
		}

		"--require-no-ssl2" = {
			set_if = "$ssl_cert_extended_require_no_ssl2$"
			description = "Critical if SSL version 2 is offered"
		}

		"--require-no-ssl3" = {
			set_if = "$ssl_cert_extended_require_no_ssl3$"
			description = "Critical if SSL version 3 is offered"
		}

		"--require-no-tls1" = {
			set_if = "$ssl_cert_extended_require_no_tls1$"
			description = "Critical if TLS 1 is offered"
		}

		"--require-no-tls1_1" = {
			set_if = "$ssl_cert_extended_require_no_tls1_1$"
			description = "Critical if TLS 1.1 is offered"
		}

		"--require-ocsp-stapling" = {
			set_if = "$ssl_cert_extended_require_ocsp_stapling$"
			description = "Require OCSP stapling"
		}

		"--require-purpose" = {
			value = "$ssl_cert_extended_require_purpose$"
			description = "Require the specified key usage (can be specified more then once)"
		}

		"--require-purpose-critical" = {
			set_if = "$ssl_cert_extended_require_purpose_critical$"
			description = "The key usage must be critical"
		}

		"--resolve" = {
			value = "$ssl_cert_extended_resolve$"
			description = "Provide a custom IP address for the specified host"
		}

        "--resolve-over-http" = {
			value = "$ssl_cert_extended_resolve_over_http$"
			description = "Resolve the host over HTTP using Google or the specified server"
		}

		"--rootcert-dir" = {
			value = "$ssl_cert_extended_rootcert_dir$"
			description = "Root directory to be used for certificate validation"
		}

		"--rootcert-file" = {
			value = "$ssl_cert_extended_rootcert_file$"
			description = "Root certificate to be used for certificate validation"
		}

		"--rsa" = {
			set_if = "$ssl_cert_extended_rsa$"
			description = "Signature algorithm selection: force RSA certificate"
		}

		"--security-level" = {
			value = "$ssl_cert_extended_security_level$"
			description = "Set the security level to specified value See SSL_CTX_set_security_level(3) for a description of what each level means"
		}

		"--selfsigned" = {
			set_if = "$ssl_cert_extended_selfsigned$"
			description = "Allow self-signed certificates"
		}

		"--serial" = {
			value = "$ssl_cert_extended_serial$"
			description = "Pattern to match the serial number"
		}

		"--skip-element" = {
			value = "$ssl_cert_extended_skip_element$"
			description = "Skip checks on the Nth cert element (can be specified multiple times)"
		}

		"--sni" = {
			value = "$ssl_cert_extended_sni$"
			description = "Set the TLS SNI (Server Name Indication) extension in the ClientHello message to 'name'"
		}

		"--ssl2" = {
			set_if = "$ssl_cert_extended_ssl2$"
			description = "Force SSL version 2"
		}

		"--ssl3" = {
			set_if = "$ssl_cert_extended_ssl3$"
			description = "Force SSL version 3"
		}

		"--timeout" = {
			value = "$ssl_cert_extended_timeout$"
			description = "Timeout after the specified time (defaults to 120 seconds)"
		}

		"--temp" = {
			value = "$ssl_cert_extended_temp$"
			description = "Directory where to store the temporary files"
		}

		"--terse" = {
			set_if = "$ssl_cert_extended_terse$"
			description = "Terse output"
		}

		"--tls1" = {
			set_if = "$ssl_cert_extended_tls1$"
			description = "Force TLS version 1"
		}

		"--tls1_1" = {
			set_if = "$ssl_cert_extended_tls1_1$"
			description = "Force TLS version 1.1"
		}

		"--tls1_2" = {
			set_if = "$ssl_cert_extended_tls1_2$"
			description = "Force TLS version 1.2"
		}

		"--tls1_3" = {
			set_if = "$ssl_cert_extended_tls1_3$"
			description = "Force TLS version 1.3"
		}

		"--url" = {
			value = "$ssl_cert_extended_url$"
			description = "HTTP request URL"
		}

		"--user-agent" = {
			value = "$ssl_cert_extended_user_agent$"
			description = "User agent that shall be used for HTTPS connections"
		}

        "--verbose" = {
			set_if = "$ssl_cert_extended_verbose$"
			description = "Verbose output (can be specified more than once)"
		}

		"--warning" = {
			value = "$ssl_cert_extended_warning$"
			description = "Minimum number of days a certificate has to be valid to issue a warning status. Can be a floating point number, e.g., 0.5 Default: 20"
		}

        "--xmpphost" = {
			value = "$ssl_cert_extended_xmpphost$"
			description = " Specify the host for the 'to' attribute of the stream element"
		}

		"-4" = {
			set_if = "$ssl_cert_extended_4$"
			description = "Force IPv4"
		}

		"-6" = {
			set_if = "$ssl_cert_extended_6$"
			description = "Force IPv6"
		}
	}

	vars.ssl_cert_extended_warning = 30
	vars.ssl_cert_extended_critical = 14
        vars.ssl_cert_extended_require_no_ssl2	= true
        vars.ssl_cert_extended_require_no_ssl3	= true
        vars.ssl_cert_extended_require_no_tls1	= true
        vars.ssl_cert_extended_require_no_tls1_1 = true
}