A Nagios-compatible plugin that checks SSL/TLS certificate expiry, built on the same OpenSSL logic as cck.
| Exit code | State | Meaning |
|---|---|---|
| 0 | OK | Certificate is valid and not expiring soon |
| 1 | WARNING | Certificate expires within -w days |
| 2 | CRITICAL | Certificate expires within -c days, or is already expired |
| 3 | UNKNOWN | Connection failed, file missing, parse error |
SSL CERT OK - example.com:443 expires 2026-07-01 (in 35 days) | days_remaining=35;30;14;0;
SSL CERT WARNING - example.com:443 expires 2025-06-15 (WARNING: in 19 days) | days_remaining=19;30;14;0;
SSL CERT CRITICAL - example.com:443 certificate EXPIRED on 2025-01-01 (147 days ago) | days_remaining=-147;30;14;0;
SSL CERT UNKNOWN - example.com:443 connection failed (port 443 unreachable?) | days_remaining=U;0;0;0;
Performance data (days_remaining=VALUE;warn;crit;0;) is compatible with PNP4Nagios, Graphite, and Nagios Graph.
- C11 compiler (clang or gcc)
- OpenSSL 1.1+ or 3.x
brew install openssl # macOS
apt install libssl-dev # Debian/Ubuntu
dnf install openssl-devel # Fedora/RHELmake
make install # → /usr/local/nagios/libexec/check_cck_ssl
make install PLUGINDIR=/usr/lib/nagios/plugins # custom pathcheck_cck_ssl -H <host> [-p <port>] [-w <days>] [-c <days>]
check_cck_ssl -f <cert.pem> [-w <days>] [-c <days>]
Options:
-H <host> Hostname to connect to via TLS
-p <port> Port (default: 443)
-f <file> PEM certificate file to check instead of a live host
-w <days> Warning threshold in days (default: 30)
-c <days> Critical threshold in days (default: 14)
-h Show help
# Check a live host
./check_cck_ssl -H example.com
./check_cck_ssl -H example.com -p 8443 -w 60 -c 30
# Check a local PEM file
./check_cck_ssl -f /etc/ssl/certs/my-service.pem -w 30 -c 14
# PEM chains: worst cert across the chain determines the status
./check_cck_ssl -f /etc/nginx/ssl/fullchain.pemCopy nagios.cfg (or the relevant sections) into your Nagios configuration directory, then reload:
sudo cp nagios.cfg /etc/nagios3/conf.d/cck_ssl.cfg
sudo nagios -v /etc/nagios3/nagios.cfg # verify
sudo service nagios3 reloaddefine command {
command_name check_ssl_cert
command_line $USER1$/check_cck_ssl -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$
}
define command {
command_name check_ssl_cert_file
command_line $USER1$/check_cck_ssl -f $ARG1$ -w $ARG2$ -c $ARG3$
}
define service {
use generic-service
host_name example.com
service_description SSL Certificate
check_command check_ssl_cert!30!14
check_interval 60 ; check every hour
notification_interval 1440 ; re-notify daily
}
See nagios.cfg for more complete examples including custom ports and file-based checks.
make testRuns tests/smoke.sh against the compiled plugin binary: 27 tests covering exit codes, output format, performance data, chain certs, and live TLS.