Check SSL certificate validity, including CA chain, with Nagios

I don't have any experience with it but it looks like the check_ssl_cert plugin does what you are looking for.

Excerpt from the author's site:

check_ssl_cert is a Nagios plugin to check the CA and validity of an X.509 certificate

I can't find a plugin that tests it, either, but it would be very easy to wrap some random GPLed plugin's guts around an openssl one-liner. Here's a one-liner comparing the output from two of my servers; www has an Equifax certificate on it, nagios is self-signed:

[madhatter@anni ~]$ echo "" | openssl s_client -connect nagios.teaparty.net:443 |& grep "verify error"
verify error:num=18:self signed certificate
[madhatter@anni ~]$ echo $?
0
[madhatter@anni ~]$

and

[madhatter@anni ~]$ echo "" | openssl s_client -connect www.teaparty.net:443 |& grep "verify error"
[madhatter@anni ~]$ echo $?
1
[madhatter@anni ~]$

note the nice, easy-to-test change in the exit status of grep, depending on whether or not it finds the "verify error" string.

How's that?

I've attempted to create a Nagios check to verify the chain order base on this method, but this method doesn't seem to work with Debian without changes. You should use:

echo "" | openssl s_client -showcerts -connect example.com:443 -CApath /etc/ssl/certs/ |& grep "verify error"

Furthermore, this does not work when the chain is in the wrong order, but still is present entirely.

You would say the order doesn't really care, as long as the intermediates are in the right order, but some systems require the root CA to be present, and some systems don't.