SSL (TLS) certificates play a pivotal role in today’s infrastructure, so administrators need to make sure they are renewed on time and never expire. This blog post shows how to use Zabbix to monitor your websites for expiring SSL certificates.
The latest versions of Zabbix no longer require console scripts, passed to Zabbix through the UserParameter, to monitor SSL certificate expiration. Zabbix Agent 2 can now inspect certificate details using the built-in WebCertificate plugin. This post covers both methods of monitoring SSL certificate expiration in Zabbix.
Monitoring SSL Certificate Expiry Using WebCertificate Plugin on Zabbix
Zabbix Agent 2 includes an in-built WebCertificate plugin that enables you to verify the information of a website certificate. It is advisable to confirm that this agent version is installed on the host:
$ zabbix_agent2 -V
The WebCertificate plugin comes in handy when retrieving information about the certificate of a site directly from the console using the zabbix-get command:
$ zabbix_get -s 127.0.0.1 -k web.certificate.get[woshub.com,443]
The command should return a JSON object that contains the attributes of the certificate for the specified Web site.
A built-in template “Website certificate by Zabbix agent 2” is available in Zabbix. Use it to check the TLS/SSL certificate expiration date.
- Go to Configuration -> Hosts and add a new host with the website name;
- Create a new host group or select an existing one;
- Assign the template Website certificate by Zabbix agent 2;
- Specify the IP address or name of the Zabbix agent in the Interface section (in our example, 127.0.0.1);
- Then go to the Macros tab and click Inherited and host macros;
- In the {$CERT.WEBSITE.HOSTNAME} macro, specify the DNS name of the Web site whose certificate you want to check;
- By default, a warning that an SSL Certificate is about to expire will be displayed 7 days before the expiration date. You can increase this value with a macro {$CERT.EXPIRY.WARN};
- If the website uses a TLS/SSL port other than 443, you can specify it using a macro {$CERT.WEBSITE.PORT};
- Save settings.
Zabbix now warns you when a site’s certificate is about to expire.
Monitor HTTPS Certificate Expiry with Script in Zabbix
You can use external scripts to retrieve certificate expiry information in previous versions of Zabbix. The openssl command line tool allows you to extract website certificate information.
Create a bash script file /usr/lib/zabbix/externalscripts/sslcert_expiration.sh with the following code:
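#!/bin/bash
# Usage: sslcert_expiration.sh <hostname> [port]; prints whole days until the certificate expires
host="$1"
port="${2:-443}"
# Fetch the server certificate and extract its notAfter date
data=$(echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null | openssl x509 -noout -enddate 2>/dev/null | sed -e 's#notAfter=##')
# Exit non-zero if no certificate was retrieved, so a failed connection is not reported as 0 days
[ -n "$data" ] || exit 1
ssldate=$(date -d "${data}" '+%s')
nowdate=$(date '+%s')
diff=$((ssldate - nowdate))
echo $((diff / 24 / 3600))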
Allow the script to run:
$ sudo chmod +x /usr/lib/zabbix/externalscripts/sslcert_expiration.sh
This script returns the number of days left until the certificate expires. Check that the script works correctly.
$ /usr/lib/zabbix/externalscripts/sslcert_expiration.sh woshub.com 443
The script returned that the site’s certificate is valid for the next 79 days.
Next, allow the Zabbix agent to run this custom bash script by defining a UserParameter in the agent configuration file:
$ sudo mcedit /etc/zabbix/zabbix_agent2.conf
Add the following line:
UserParameter=sslcertexpire[*],/usr/lib/zabbix/externalscripts/sslcert_expiration.sh $1 $2
Restart the agent:
$ sudo service zabbix-agent2 restart
Check that the Zabbix agent can receive data via the new parameter. You can use the zabbix-get command to test the agent’s response:
$ zabbix_get -s 127.0.0.1 -p 10050 -k sslcertexpire[woshub.com,443]
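The UserParameter above hands the two item-key arguments straight to a shell script, and a negative result for an already expired certificate does not fit the Numeric (unsigned) item type configured below. The following variant is an added example, not part of the original post: it validates the host name and port before calling openssl, clamps expired certificates to 0, and fails when no certificate is returned. The function names are hypothetical and GNU date is assumed, as in the original script.

```bash
#!/bin/bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes GNU date, as the original script does.

# Accept only DNS-style host names and ports 1..65535, so nothing else
# from the item key ever reaches the openssl command line.
valid_target() {
    case "$1" in
        ''|-*|*-|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ] || return 1
    case "${2:-443}" in
        ''|0*|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "${2:-443}" -le 65535 ]
}

# $1: line printed by `openssl x509 -noout -enddate`, $2: reference epoch.
# Prints whole days left; an expired certificate yields 0, never a negative.
days_left() {
    enddate="${1#notAfter=}"
    [ -n "$enddate" ] || return 1          # no certificate was retrieved
    expiry=$(date -u -d "$enddate" '+%s' 2>/dev/null) || return 1
    days=$(( (expiry - $2) / 86400 ))
    [ "$days" -ge 0 ] || days=0
    echo "$days"
}

# Validate, fetch the certificate end date, and print the days left.
check_cert() {
    valid_target "$1" "$2" || { echo "invalid host or port" >&2; return 2; }
    line=$(echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null)
    days_left "$line" "$(date '+%s')"
}

# Only touch the network when called with arguments.
if [ "$#" -gt 0 ]; then
    check_cert "$@"
fi
```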
Now add a new template CheckSSLCertExpiration to monitor the expiration of HTTPS certificates in Zabbix.
In the Items tab, add a new item:
Name: Remaining SSL cert validity {$DOMAINNAME}
Type: Zabbix Agent
Key: sslcertexpire[{$DOMAINNAME},{$SSL_PORT}]
Type of information: Numeric (unsigned)
Update Interval: 1d
History: 90d
Trend: 365d
Then add a new trigger:
Name: The SSL certificate for {$DOMAINNAME} is about to expire
Expression: last(/CheckSSLCertExpiration/sslcertexpire[{$DOMAINNAME},{$SSL_PORT}])<20
Severity: High
This trigger will generate an alert if there are fewer than 20 days left before the SSL certificate expires.
You can also set a recovery expression for the trigger:
Recovery expression: last(/CheckSSLCertExpiration/sslcertexpire[{$DOMAINNAME},{$SSL_PORT}])>20
Then add a new host for your website to Zabbix, with an interface of type Agent.
In the Macros section, add two macros: the server name and the port on which the SSL certificate should be checked:
- Macro: {$DOMAINNAME}
- Value: woshub.com
and
- Macro: {$SSL_PORT}
- Value: 443
Assign the previously created CheckSSLCertExpiration template to the host.
Now check the Latest Data. Zabbix shows that the site’s SSL certificate will expire in 79 days.
To notify the administrator that the SSL Certificate needs to be renewed soon, you can enable email or messenger notifications.