How to Monitor Website SSL/TLS Certificate Expiration using Zabbix

SSL (TLS) certificates play a pivotal role in today’s infrastructure. Hence, it’s incumbent upon administrators to make sure they don’t expire and are timely renewed. This blog post will guide you on how to employ Zabbix for monitoring your websites against expiring SSL certificates.

No longer required in the latest versions of Zabbix are console scripts to monitor SSL certificate expiration, which used to be passed to Zabbix through the UserParameter. Zabbix Agent 2 now enables inspection of certificate details using the built-in WebCertificate plugin. This post will delve into the two methods for monitoring SSL certificate expiration on Zabbix.

Monitoring SSL Certificate Expiry Using WebCertificate Plugin on Zabbix

Zabbix Agent 2 includes an in-built WebCertificate plugin that enables you to verify the information of a website certificate. It is advisable to confirm that this agent version is installed on the host:

$ zabbix_agent2 -V

The WebCertificate plugin comes in handy when retrieving information about the certificate of a site directly from the console using the zabbix-get command:

$ zabbix_get -s -k web.certificate.get[,443]

The command should return a JSON object that contains the attributes of the certificate for the specified Web site.

A built-in template “Website certificate by Zabbix agent 2” is available in Zabbix. Use it to check the TLS/SSL certificate expiration date.

  1. Go to Configuration -> Hosts and add a new host with the website name;
  2. Create a new host group or select an existing one;
  3. Assign the template Website certificate by Zabbix agent 2;
  4. Specify the IP address or name of the Zabbix agent in the Interface section (in our example,;
  5. Then go to the Macros tab and click Inherited and host macros;
  6. In the {$CERT.WEBSITE.HOSTNAME} macro, specify the DNS name of the Web site whose certificate you want to check;
  7. By default, a warning that an SSL Certificate is about to expire will be displayed 7 days before the expiration date. You can increase this value with a macro {$CERT.EXPIRY.WARN} ;
  8. If the website uses a TLS/SSL port other than 443, you can specify it using a macro {$CERT.WEBSITE.PORT} ;
  9. Save settings.

Zabbix now warns you when a site’s certificate is about to expire.

Monitor HTTPS Certificate Expiry with Script in Zabbix

You can use external scripts to retrieve certificate expiry information in previous versions of Zabbix. The openssl command line tool allows you to extract website certificate information.

Create a bash script file /usr/lib/zabbix/externalscripts/ with the following code:


data=`echo | openssl s_client -servername $1 -connect $1:${2:-443} 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##'`

ssldate=`date -d "${data}" '+%s'`

nowdate=`date '+%s'`


echo $((${diff}/24/3600))

Allow the script to run:

$ sudo chmod +x /usr/lib/zabbix/externalscripts/

This script returns the number of days left until the certificate expires. Check that the script works correctly.

$ /usr/lib/zabbix/externalscripts/ 443

The script returned that the site’s certificate is valid for the next 79 days.

It’s necessary to grant permission to the Zabbix Agent to execute this bespoke bash script via the UserParameter parameter.

rel="nofollow" target="_blank">$ sudo mcedit /etc/zabbix/zabbix_agent2.conf


UserParameter=sslcertexpire[*],/usr/lib/zabbix/externalscripts/ $1 $2

Using a script in UserParameter, you can also check the expiration date of a domain in Zabbix.

Restart the agent:

$ sudo service zabbix-agent2 restart

Check that the Zabbix agent can receive data via the new parameter. You can use the zabbix-get command to test the agent’s response:

$ zabbix_get -s -p 10050 -k sslcertexpire[,443]

Now add a new template CheckSSLCertExpiration to monitor the expiration of HTTPS certificates in Zabbix.

In the Items tab, add a parameter

Name: Remaining SSL cert validity {$DOMAINNAME}

Type: Zabbix Agent

Key: sslcertexpire[{$DOMAINNAME},{$SSL_PORT}]

Type of information: Numeric (unsigned)

Update Interval: 1d

History: 90d

Trend: 365d

Then add a new trigger:

Name: The SSL certificate for {$DOMAINNAME} is about to expire

Expression: last(/CheckSSLCertExpiration/sslcertexpire[{$DOMAINNAME},{$SSL_PORT}])<20

Severity: High

This trigger will generate an alert if there are less than 20 days left before the SSL certificate expires.

You can include a recovery trigger parameter:

Recovery expression: last(/CheckSSLCertExpiration/sslcertexpire[{$DOMAINNAME},{$SSL_PORT}])>20

Then, introduce a new host to Zabbix for your website featuring an Agent interface type.

Under the Macros section, integrate two parameters: the server name as well as the port at which the SSL certificate inspection is required:

  • Macro: {$DOMAINNAME}
  • Value:


  • Macro: {$SSL_PORT}
  • Value: 443

Assign the previously created CheckSSLCertExpiration template to the host.

Now check the Latest Data. Zabbix shows that the site’s SSL certificate will expire in 79 days.

To notify the administrator that the SSL Certificate needs to be renewed soon, you can enable email or messenger notifications.