sensu-plugins-ssl 2.0.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b181365f3bc51a19d52e1eb96ec33c24d29cd9ff14e2f87bb38bd14629ea4a19
-  data.tar.gz: 28a88e9032b84451e67c2f33d0b4d1dc0d09c569ed8611e2559d5ed11574e2c0
+  metadata.gz: 81a09f41b7a0220a938ceee8561f7433321376e5617e4c09fb65454476630d88
+  data.tar.gz: b0ecba81c6266494db6a0f8c9ecb50da9f8302bef75e6f5267ca6a79aa2c17b5
 SHA512:
-  metadata.gz: 04777162b9953ca6a60507367c6e755f99a73f8a9ea185b722d29039a67dfd68e68ee055d292f26d94f4a5842031167aaf04b38d167266aec2bdf92627763044
-  data.tar.gz: 1dcc031f2d8794fd983fd7bd749b550ff7b8e4442c85ce32d36ea2db1c945b3db3083bb347e6d57f1c34275594567e8b90cb05e79296ac6463be090646fb9bf9
+  metadata.gz: 7ba079ecb12548b22f684681ee0c077e965ac04a725623554a74b6fc45f009b1a72c3b1657d3ac69dbf58f213497bfee7b3e830dcc769c13c0eeb57fea9c56b9
+  data.tar.gz: 45ecf2194f83c759681b9e167a8c8d08e77a20e4691c2c432dc18b779bcd52d1b089fb148a758dd5a7f9e208cab6de8bf54e41a9c785de9eb5935d2155f3b22e

data/CHANGELOG.md

@@ -5,6 +5,25 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins
 
 ## [Unreleased]
 
+## [3.0.0] - 2020-08-27
+### Breaking Changes
+- Bump `sensu-plugin` dependency from `~> 1.2` to `~> 4.0` you can read the changelog entries for [4.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#400---2018-02-17), [3.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#300---2018-12-04), and [2.0](https://github.com/sensu-plugins/sensu-plugin/blob/master/CHANGELOG.md#v200---2017-03-29)
+- Remove ruby-2.3.0. Upgrade bundler. Fix failing tests (@phumpal).
+
+### Added
+- Travis build automation to generate Sensu Asset tarballs that can be used n conjunction with Sensu provided ruby runtime assets and the Bonsai Asset Index
+- Require latest sensu-plugin for [Sensu Go support](https://github.com/sensu-plugins/sensu-plugin#sensu-go-enablement)
+- New option to treat anchor argument as a regexp
+- New Check plugin `check-ssl-root-issuer.rb` with alternative logic for trust anchor verification.
+
+### Changed
+- `check-ssl-anchor.rb` uses regexp to test for present of certificates in cert chain that works with both openssl 1.0 and 1.1 formatting
+- Upgrade rake and rubocop dependencies
+- Remediate rubocop issues
+
+### Fixed
+- ssl-anchor test now uses regexp
+
 ## [2.0.1] - 2018-05-30
 ### Fixed
 - `check-ssl-qualys.rb`: Fixed typo and removed timeout `-t` short option replacing it with `--timeout` as per previous changelog. `-t` conflicts with the short option for `--time-between`
@@ -110,7 +129,8 @@ This CHANGELOG follows the format listed [here](https://github.com/sensu-plugins
 ### Added
 - initial release
 
-[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/2.0.1...HEAD
+[Unreleased]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/3.0.0...HEAD
+[3.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/2.0.1...3.0.0
 [2.0.1]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/2.0.0...2.0.1
 [2.0.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.5.0...2.0.0
 [1.5.0]: https://github.com/sensu-plugins/sensu-plugins-ssl/compare/1.4.0...1.5.0

data/README.md

@@ -5,7 +5,10 @@
 [![Code Climate](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/gpa.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Test Coverage](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl/badges/coverage.svg)](https://codeclimate.com/github/sensu-plugins/sensu-plugins-ssl)
 [![Dependency Status](https://gemnasium.com/sensu-plugins/sensu-plugins-ssl.svg)](https://gemnasium.com/sensu-plugins/sensu-plugins-ssl)
+[![Sensu Bonsai Asset](https://img.shields.io/badge/Bonsai-Download%20Me-brightgreen.svg?colorB=89C967&logo=sensu)](https://bonsai.sensu.io/assets/sensu-plugins/sensu-plugins-ssl)
 
+## Sensu Asset
+The Sensu assets packaged from this repository are built against the Sensu Ruby runtime environment. When using these assets as part of a Sensu Go resource (check, mutator or handler), make sure you include the corresponding Sensu Ruby runtime asset in the list of assets needed by the resource. The current ruby-runtime assets can be found [here](https://bonsai.sensu.io/assets/sensu/sensu-ruby-runtime) in the [Bonsai Asset Index](bonsai.sensu.io).
 ## Functionality
 
 ## Files
@@ -17,12 +20,13 @@
  * bin/check-ssl-hsts-preload.rb
  * bin/check-ssl-hsts-preloadable.rb
  * bin/check-ssl-qualys.rb
+ * bin/check-ssl-root-issuer.rb
 
 ## Usage
 
 ### `bin/check-ssl-anchor.rb`
 
-Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance).
+Check that a specific website is chained to a specific root certificate (Let's Encrypt for instance). Requires the `openssl` commandline tool to be available on the system.
 
 ```
 ./bin/check-ssl-anchor.rb -u example.com -a "i:/O=Digital Signature Trust Co./CN=DST Root CA X3"
@@ -53,6 +57,13 @@ Checks the ssllabs qualysis api for grade of your server, this check can be quit
 ./bin/check-ssl-qualys.rb -d google.com
 ```
 
+### `bin/check-ssl-root-issuer.rb`
+
+Check that a specific website is chained to a specific root certificate issuer. This is a pure Ruby implementation, does not require the openssl cmdline client tool to be installed.
+
+```
+./bin/check-ssl-root-issuer.rb -u example.com -a "CN=DST Root CA X3,O=Digital Signature Trust Co."
+```
 
 ## Installation
 

data/bin/check-java-keystore-cert.rb

@@ -1,4 +1,6 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-java-keystore-cert
 #
@@ -75,7 +77,7 @@ class CheckJavaKeystoreCert < Sensu::Plugin::Check::CLI
 
     days_until = (certificate_expiration_date - Date.today).to_i
 
-    if days_until < 0
+    if days_until < 0 # rubocop: disable Style/NumericPredicate
       critical "Expired #{days_until.abs} days ago"
     elsif days_until < config[:critical]
       critical "#{days_until} days left"

data/bin/check-ssl-anchor.rb

@@ -1,4 +1,6 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-ssl-anchor
 #
@@ -57,6 +59,14 @@ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
          long: '--anchor ANCHOR_VAL',
          required: true
 
+  option :regexp,
+         description: 'Treat the anchor as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
   option :servername,
          description: 'Set the TLS SNI (Server Name Indication) extension',
          short: '-s',
@@ -79,7 +89,7 @@ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
                 -servername #{config[:servername]} < /dev/null 2>&1`.match(/Certificate chain(.*)---\nServer certificate/m)[1].split(/$/).map(&:strip)
     data = data.reject(&:empty?)
 
-    unless data[0] =~ /0 s:\/CN=.*/m
+    unless data[0] =~ /0 s:\/?CN ?=.*/m
       data = 'NOTOK'
     end
     data
@@ -91,11 +101,22 @@ class CheckSSLAnchor < Sensu::Plugin::Check::CLI
     if data == 'NOTOK'
       critical 'An error was encountered while trying to retrieve the certificate chain.'
     end
-
-    if data[-1] == config[:anchor].to_s
-      ok 'Root anchor has been found.'
+    puts config[:regexp]
+    # rubocop:disable Style/IfInsideElse
+    if config[:regexp]
+      anchor_regexp = Regexp.new(config[:anchor].to_s)
+      if data[-1] =~ anchor_regexp
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match regexp /' + config[:anchor].to_s + "/\nFound \"" + data[-1] + '" instead.'
+      end
     else
-      critical 'Root anchor did not match. Found "' + data[-1] + '" instead.'
+      if data[-1] == config[:anchor].to_s
+        ok 'Root anchor has been found.'
+      else
+        critical 'Root anchor did not match string "' + config[:anchor].to_s + "\"\nFound \"" + data[-1] + '" instead.'
+      end
     end
+    # rubocop:enable Style/IfInsideElse
   end
 end

data/bin/check-ssl-cert.rb

@@ -1,4 +1,6 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-ssl-cert
 #
@@ -117,7 +119,7 @@ class CheckSSLCert < Sensu::Plugin::Check::CLI
 
     days_until = (Date.parse(expiry.to_s) - Date.today).to_i
 
-    if days_until < 0
+    if days_until < 0 # rubocop:disable Style/NumericPredicate
       critical "Expired #{days_until.abs} days ago"
     elsif days_until < config[:critical].to_i
       critical "#{days_until} days left"

data/bin/check-ssl-crl.rb

@@ -1,4 +1,6 @@
 #! /usr/bin/env ruby
+# frozen_string_literal: false
+
 #
 #   check-ssl-crl
 #
@@ -65,10 +67,10 @@ class CheckSSLCRL < Sensu::Plugin::Check::CLI
   def run
     validate_opts
 
-    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update
+    next_update = OpenSSL::X509::CRL.new(open(config[:url]).read).next_update # rubocop:disable Security/Open
     minutes_until = seconds_to_minutes(Time.parse(next_update.to_s) - Time.now)
 
-    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0
+    critical "#{config[:url]} - Expired #{minutes_until.abs} minutes ago" if minutes_until < 0 # rubocop:disable Style/NumericPredicate
     critical "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:critical].to_i
     warning "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}" if minutes_until < config[:warning].to_i
     ok "#{config[:url]} - #{minutes_until} minutes left, next update at #{next_update}"

data/bin/check-ssl-host.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
+
 #  check-ssl-host.rb
 #
 # DESCRIPTION:
@@ -42,7 +43,7 @@ require 'socket'
 # Check SSL Host
 #
 class CheckSSLHost < Sensu::Plugin::Check::CLI
-  STARTTLS_PROTOS = %w(smtp imap).freeze
+  STARTTLS_PROTOS = %w[smtp imap].freeze
 
   check_name 'check_ssl_host'
 
@@ -104,7 +105,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
          long: '--starttls PROTO'
 
   def get_cert_chain(host, port, address, client_cert, client_key)
-    tcp_client = TCPSocket.new(address ? address : host, port)
+    tcp_client = TCPSocket.new(address ? address : host, port) # rubocop:disable Style/RedundantCondition
     handle_starttls(config[:starttls], tcp_client) if config[:starttls]
     ssl_context = OpenSSL::SSL::SSLContext.new
     ssl_context.cert = OpenSSL::X509::Certificate.new File.read(client_cert) if client_cert
@@ -139,6 +140,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
 
     status = socket.readline
     return if /^220 / =~ status
+
     critical "#{config[:host]} - did not receive SMTP 220 in response to STARTTLS"
   end
 
@@ -151,6 +153,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
 
     status = socket.readline
     return if /^a001 OK Begin TLS negotiation now/ =~ status
+
     critical "#{config[:host]} - did not receive OK Begin TLS negotiation now"
   end
 
@@ -158,7 +161,7 @@ class CheckSSLHost < Sensu::Plugin::Check::CLI
     # Expiry check
     days = (cert.not_after.to_date - Date.today).to_i
     message = "#{config[:host]} - #{days} days until expiry"
-    critical "#{config[:host]} - Expired #{days} days ago" if days < 0
+    critical "#{config[:host]} - Expired #{days} days ago" if days < 0 # rubocop:disable Style/NumericPredicate
     critical message if days < config[:critical]
     warning message if days < config[:warning]
     ok message

data/bin/check-ssl-hsts-preloadable.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
+
 #  check-ssl-hsts-preloadable.rb
 #
 # DESCRIPTION:
@@ -43,16 +44,16 @@ class CheckSSLHSTSPreloadable < Sensu::Plugin::Check::CLI
          default: 'https://hstspreload.org/api/v2/preloadable'
 
   def fetch(uri, limit = 10)
-    if limit == 0
+    if limit == 0 # rubocop:disable Style/NumericPredicate
       return nil
     end
 
     response = Net::HTTP.get_response(uri)
 
     case response
-    when Net::HTTPSuccess then
+    when Net::HTTPSuccess
       response
-    when Net::HTTPRedirection then
+    when Net::HTTPRedirection
       location = URI(response['location'])
       fetch(location, limit - 1)
     end
@@ -65,6 +66,7 @@ class CheckSSLHSTSPreloadable < Sensu::Plugin::Check::CLI
     if response.nil?
       return warning 'Bad response recieved from API'
     end
+
     body = JSON.parse(response.body)
     if !body['errors'].empty?
       critical body['errors'].map { |u| u['summary'] }.join(', ')

data/bin/check-ssl-hsts-status.rb

@@ -1,5 +1,6 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
+
 #  check-ssl-hsts-preload.rb
 #
 # DESCRIPTION:
@@ -33,7 +34,7 @@ require 'json'
 require 'net/http'
 
 class CheckSSLHSTSStatus < Sensu::Plugin::Check::CLI
-  STATUSES = %w(unknown pending preloaded).freeze
+  STATUSES = %w[unknown pending preloaded].freeze
 
   option :domain,
          description: 'The domain to run the test against',
@@ -61,16 +62,16 @@ class CheckSSLHSTSStatus < Sensu::Plugin::Check::CLI
          default: 'https://hstspreload.org/api/v2/status'
 
   def fetch(uri, limit = 10)
-    if limit == 0
+    if limit == 0 # rubocop:disable Style/NumericPredicate
       return nil
     end
 
     response = Net::HTTP.get_response(uri)
 
     case response
-    when Net::HTTPSuccess then
+    when Net::HTTPSuccess
       response
-    when Net::HTTPRedirection then
+    when Net::HTTPRedirection
       location = URI(response['location'])
       fetch(location, limit - 1)
     end
@@ -83,6 +84,7 @@ class CheckSSLHSTSStatus < Sensu::Plugin::Check::CLI
     if response.nil?
       return warning 'Bad response recieved from API'
     end
+
     body = JSON.parse(response.body)
     unless STATUSES.include? body['status']
       warning 'Invalid status returned ' + body['status']

data/bin/check-ssl-qualys.rb

@@ -1,5 +1,5 @@
 #!/usr/bin/env ruby
-# encoding: UTF-8
+# frozen_string_literal: false
 
 #  check-ssl-qualys.rb
 #
@@ -138,7 +138,8 @@ class CheckSSLQualys < Sensu::Plugin::Check::CLI
                ssl_check(true)
              end
       return json if json['status'] == 'READY'
-      if json['endpoints'] && json['endpoints'].is_a?(Array)
+
+      if json['endpoints'] && json['endpoints'].is_a?(Array) # rubocop:disable Style/SafeNavigation
         p "endpoints: #{json['endpoints']}" if config[:debug]
         # The api response sometimes has low eta (which seems unrealistic) from
         # my tests that can be 0 or low numbers which would imply it is done...

data/bin/check-ssl-root-issuer.rb

@@ -0,0 +1,128 @@
+#! /usr/bin/env ruby
+# frozen_string_literal: false
+
+#
+#   check-ssl-root-issuer
+#
+# DESCRIPTION:
+#   Check that a certificate is chained to a specific root certificate issuer
+#
+# OUTPUT:
+#   plain text
+#
+# PLATFORMS:
+#   Linux
+#
+# DEPENDENCIES:
+#   gem: sensu-plugin
+#
+# USAGE:
+#
+#   Check that a specific website is chained to a specific root certificate
+#       ./check-ssl-root-issuer.rb \
+#           -u https://example.com \
+#           -i "CN=DST Root CA X3,O=Digital Signature Trust Co."
+#
+# LICENSE:
+#   Copyright Jef Spaleta (jspaleta@gmail.com) 2020
+#   Released under the same terms as Sensu (the MIT license); see LICENSE
+#   for details.
+#
+
+require 'sensu-plugin/check/cli'
+require 'openssl'
+require 'uri'
+require 'net/http'
+require 'net/https'
+
+#
+# Check root certificate has specified issuer name
+#
+class CheckSSLRootIssuer < Sensu::Plugin::Check::CLI
+  option :url,
+         description: 'Url to check: Ex "https://google.com"',
+         short: '-u',
+         long: '--url URL',
+         required: true
+
+  option :issuer,
+         description: 'An X509 certificate issuer name, RFC2253 format Ex: "CN=DST Root CA X3,O=Digital Signature Trust Co."',
+         short: '-i',
+         long: '--issuer ISSUER_NAME',
+         required: true
+
+  option :regexp,
+         description: 'Treat the issuer name as a regexp',
+         short: '-r',
+         long: '--regexp',
+         default: false,
+         boolean: true,
+         required: false
+
+  option :format,
+         description: 'optional issuer name format.',
+         short: '-f',
+         long: '--format FORMAT_VAL',
+         default: 'RFC2253',
+         in: %w[RFC2253 ONELINE COMPAT],
+         required: false
+
+  def cert_name_format
+    # Note: because format argument is pre-validated by mixin 'in' logic eval is safe to use
+    eval "OpenSSL::X509::Name::#{config[:format]}" # rubocop:disable Security/Eval, Style/EvalWithLocation
+  end
+
+  def validate_issuer(cert)
+    issuer = cert.issuer.to_s(cert_name_format)
+    if config[:regexp]
+      issuer_regexp = Regexp.new(config[:issuer].to_s)
+      issuer =~ issuer_regexp
+    else
+      issuer == config[:issuer].to_s
+    end
+  end
+
+  def find_root_cert(uri)
+    root_cert = nil
+    http = Net::HTTP.new(uri.host, uri.port)
+    http.open_timeout = 10
+    http.read_timeout = 10
+    http.use_ssl = true
+    http.cert_store = OpenSSL::X509::Store.new
+    http.cert_store.set_default_paths
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+    http.verify_callback = lambda { |verify_ok, store_context|
+      root_cert = store_context.current_cert unless root_cert # rubocop:disable Style/OrAssignment
+      unless verify_ok
+        @failed_cert = store_context.current_cert
+        @failed_cert_reason = [store_context.error, store_context.error_string] if store_context.error != 0
+      end
+      verify_ok
+    }
+    http.start {}
+    root_cert
+  end
+
+  # Do the actual work and massage some data
+
+  def run
+    @fail_cert = nil
+    @failed_cert_reason = 'Unknown'
+    uri = URI.parse(config[:url])
+    critical "url protocol must be https, you specified #{url}" if uri.scheme != 'https'
+    root_cert = find_root_cert(uri)
+    if @failed_cert
+      msg = "Certificate verification failed.\n Reason: #{@failed_cert_reason}"
+      critical msg
+    end
+
+    if validate_issuer(root_cert)
+      msg = 'Root certificate in chain has expected issuer name'
+      ok msg
+    else
+      msg = "Root certificate issuer did not match expected name.\nFound: \"#{root_cert.issuer.to_s(config[:issuer_format])}\""
+      critical msg
+    end
+  end
+end

data/lib/sensu-plugins-ssl.rb

@@ -1 +1,3 @@
+# frozen_string_literal: true
+
 require 'sensu-plugins-ssl/version'

data/lib/sensu-plugins-ssl/version.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module SensuPluginsSSL
   module Version
-    MAJOR = 2
+    MAJOR = 3
     MINOR = 0
-    PATCH = 1
+    PATCH = 0
 
     VER_STRING = [MAJOR, MINOR, PATCH].compact.join('.')
   end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sensu-plugins-ssl
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Sensu-Plugins and contributors
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-31 00:00:00.000000000 Z
+date: 2020-08-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sensu-plugin
@@ -16,28 +16,28 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.2'
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.1'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '2.1'
 - !ruby/object:Gem::Dependency
   name: codeclimate-test-reporter
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '3.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1.3'
+        version: '3.0'
 - !ruby/object:Gem::Dependency
   name: pry
   requirement: !ruby/object:Gem::Requirement
@@ -86,14 +86,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '13.0'
 - !ruby/object:Gem::Dependency
   name: redcarpet
   requirement: !ruby/object:Gem::Requirement
@@ -128,55 +128,56 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: 0.89.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.40.0
+        version: 0.89.1
 - !ruby/object:Gem::Dependency
-  name: yard
+  name: timecop
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.8'
+        version: 0.8.0
 - !ruby/object:Gem::Dependency
-  name: timecop
+  name: yard
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '0.8'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.8.0
+        version: '0.8'
 description: |-
   This plugin provides native SSL instrumentation
                                 for monitoring, including: hostname and chain
                                 verification, cert and crl expiry, and Qualys SSL Labs reporting
 email: "<sensu-users@googlegroups.com>"
 executables:
-- check-java-keystore-cert.rb
-- check-ssl-anchor.rb
+- check-ssl-hsts-status.rb
+- check-ssl-root-issuer.rb
 - check-ssl-cert.rb
+- check-java-keystore-cert.rb
 - check-ssl-crl.rb
+- check-ssl-anchor.rb
 - check-ssl-host.rb
 - check-ssl-hsts-preloadable.rb
-- check-ssl-hsts-status.rb
 - check-ssl-qualys.rb
 extensions: []
 extra_rdoc_files: []
@@ -192,6 +193,7 @@ files:
 - bin/check-ssl-hsts-preloadable.rb
 - bin/check-ssl-hsts-status.rb
 - bin/check-ssl-qualys.rb
+- bin/check-ssl-root-issuer.rb
 - lib/sensu-plugins-ssl.rb
 - lib/sensu-plugins-ssl/version.rb
 homepage: https://github.com/sensu-plugins/sensu-plugins-ssl
@@ -212,15 +214,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.0.0
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.7
+rubygems_version: 3.0.8
 signing_key: 
 specification_version: 4
 summary: Sensu plugins for SSL