This plugin provides native SSL instrumentation for monitoring, including: hostname and chain verification, cert expiry, and Qualys SSL Labs reporting


Build Status Gem Version Code Climate Test Coverage Dependency Status



  • bin/check-java-keystore-cert.rb
  • bin/check-ssl-anchor.rb
  • bin/check-ssl-crl.rb
  • bin/check-ssl-cert.rb
  • bin/check-ssl-host.rb
  • bin/check-ssl-hsts-preload.rb
  • bin/check-ssl-hsts-preloadable.rb
  • bin/check-ssl-qualys.rb



Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).

./bin/check-ssl-anchor.rb -u -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"


Checks a CRL has not or is not expiring by inspecting it's next update value.

You can check against a CRL file on disk:

./bin/check-ssl-crl -c 300 -w 600 -u /path/to/crl

or an online CRL:

./bin/check-ssl-crl -c 300 -w 600 -u

Critical and Warning thresholds are specified in minutes.


Checks the ssllabs qualysis api for grade of your server, this check can be quite long so it should not be scheduled with a low interval and will probably need to adjust the check timeout options per the check attributes spec based on my tests you should expect this to take around 3 minutes.

./bin/check-ssl-qualys.rb -d


Installation and Setup


To run the testing suite, you'll need to have a working ruby environment, gem, and bundler installed. We use rake to run the rspec tests automatically.

bundle install
bundle update
bundle exec rake


bin/check-ssl-anchor.rb and bin/check-ssl-host.rb would be good to run in combination with each other to test that the chain is anchored to a specific certificate and each certificate in the chain is correctly signed.

Get Integration


10 stars on GitHub
11 open issues on GitHub
31 open forks on GitHub

Sensu Integrations

Sensu integrations and extensions are available for dozens of modern applications and services.