Context
There is no dedicated plugin for inspecting X.509 certificates from live
endpoints. xca-cert is database-bound (XCA-managed MySQL/MariaDB) and does
not connect to a TLS endpoint. A generic cert plugin closes that gap and
follows CONTRIBUTING's "one tool, one task" guideline by isolating certificate
semantics from HTTP behaviour.
Scope
Plugin cert with a pluggable source selected via --source:
- --source url (initial deliverable): connect to a TLS endpoint, run a TLS
  handshake using lib.url, extract the server certificate and the chain.
- --source file, --source p12, --source jks: out of scope for this
  issue, but the plugin must be designed so they can be added later without
  renaming.
Parameters (initial --source url):
- --always-ok, --insecure, --timeout
- --url, --sni-hostname, --ca-file, --client-cert, --client-key
- --warning, --critical: Nagios ranges over days remaining until
  notAfter. Defaults: 14: (warn) and 5: (crit), i.e. WARN below 14 days
  and CRIT below 5 days left.
Checks:
- Days remaining until notAfter against --warning and --critical.
- Hostname match against the URL host. Mismatch produces WARN.
- Chain verification against the system trust store or --ca-file.
  Default on, switched off via --insecure; --insecure must not
  suppress the expiry check.
Output:
- Default: subject CN, days remaining, verification verdict.
- --lengthy: subject, issuer, serial, signature algorithm, key type and
  size, SANs, notBefore, notAfter, SHA-256 fingerprint.
- Perfdata: cert_days_left, tls_handshake_time.
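The check logic above (days left against Nagios ranges, hostname match
producing WARN, verification verdict, perfdata), as an added standalone
sketch that is not part of this issue or of Linuxfabrik's code. It uses
only the Python standard library, substitutes a constructed certificate
record for what --source url would extract from the handshake, and treats
a failed chain as CRIT, which the issue does not specify; the host names
are hypothetical.

```python
"""Standalone sketch of the cert plugin's check logic (added example,
not Linuxfabrik code). Standard library only; the certificate record is
constructed inline so the whole thing runs offline."""
import datetime

# Nagios exit states.
STATE_OK, STATE_WARN, STATE_CRIT, STATE_UNKNOWN = 0, 1, 2, 3


def utc(year, month, day):
    # Timezone-aware UTC midnight; used for the sample and for testing.
    return datetime.datetime(year, month, day, tzinfo=datetime.timezone.utc)


# Constructed sample (hypothetical names) standing in for --source url output.
SAMPLE_CERT = {
    "subject_cn": "www.example.com",
    "sans": ["www.example.com", "*.example.net"],
    "not_after": utc(2025, 3, 1),
}


def days_left(not_after, now=None):
    """Fractional days until notAfter; negative once expired."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return (not_after - now).total_seconds() / 86400


def parse_range(spec):
    """Nagios threshold range -> (low, high, alert_inside).

    "14:" alerts below 14 (the --warning default), "5:" below 5 (the
    --critical default), "~:14" above 14, "10:20" outside 10..20,
    "@10:20" inside 10..20, and "20" is shorthand for "0:20".
    """
    spec = spec.strip()
    inside = spec.startswith("@")
    if inside:
        spec = spec[1:]
    low_s, high_s = spec.split(":", 1) if ":" in spec else ("0", spec)
    low = float("-inf") if low_s == "~" else float(low_s or 0)
    high = float("inf") if high_s == "" else float(high_s)
    if low > high:
        raise ValueError(f"invalid range {spec!r}: low > high")
    return low, high, inside


def violates(value, spec):
    """True when value falls in the alerting part of the range."""
    low, high, inside = parse_range(spec)
    outside = value < low or value > high
    return not outside if inside else outside


def get_state(value, warning, critical):
    """Critical range wins over warning; both are evaluated on days left."""
    if violates(value, critical):
        return STATE_CRIT
    if violates(value, warning):
        return STATE_WARN
    return STATE_OK


def hostname_matches(hostname, names):
    """RFC 6125-style DNS name match against SAN/CN entries.

    Case-insensitive. A wildcard counts only as the entire leftmost label
    with at least two labels after it: "*.example.net" matches
    "api.example.net" but not "a.b.example.net" or "example.net", and
    "*.net" never matches. IP-address SANs are not handled here.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        labels = name.split(".")
        if (labels[0] == "*" and len(labels) >= 3
                and len(labels) == len(host_labels)
                and labels[1:] == host_labels[1:]):
            return True
    return False


def check_cert(cert, url_host, warning="14:", critical="5:",
               verified=True, sni_hostname=None, now=None):
    """Return (state, message, perfdata) for one certificate record.
    `verified` stands in for the chain result of the real handshake."""
    days = days_left(cert["not_after"], now)
    state = get_state(days, warning, critical)
    msgs = [f'{cert["subject_cn"]}: {days:.1f} days left']

    # Match against SANs when present; fall back to the CN only for
    # legacy certificates without any SAN.
    expected = sni_hostname or url_host
    names = cert["sans"] or [cert["subject_cn"]]
    if not hostname_matches(expected, names):
        state = max(state, STATE_WARN)  # mismatch is WARN per the issue
        msgs.append(f"{expected} does not match {', '.join(names)}")

    if verified:
        msgs.append("chain verified")
    else:
        # Assumption: the issue leaves the severity of a failed chain
        # unspecified; an untrusted chain is treated as CRIT here.
        state = max(state, STATE_CRIT)
        msgs.append("chain verification FAILED")

    # Nagios perfdata: label=value;warn;crit
    perfdata = f"cert_days_left={days:.1f};{warning};{critical}"
    return state, "; ".join(msgs), perfdata
```

Calling `check_cert(SAMPLE_CERT, "www.example.com", now=utc(2025, 2, 20))`
gives 9.0 days left, which violates the default `14:` but not `5:`, so
the result is WARN with perfdata `cert_days_left=9.0;14:;5:`. The wildcard
rules in `hostname_matches` are the part most worth keeping strict: a
matcher that lets `*.example.net` cover `a.b.example.net`, or lets `*.net`
match anything, turns the hostname check into a false sense of security.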
Dependencies
- Linuxfabrik/lib#137 (TLS version selection and timing telemetry).
- cryptography (already transitive).
Reference
- xca-cert for threshold style and README structure.
- CONTRIBUTING "Threshold and Ranges" for days-remaining semantics.
- example plugin for structure.
Classification
New plugin. Enhancement.