SSL (TLS) certificates play a pivotal role in today’s infrastructure. Hence, it’s incumbent upon administrators to make sure they don’t expire and are timely renewed. This blog post will guide you on how to employ Zabbix for monitoring your websites against expiring SSL certificates.<\/p>\n<\/p>\n
No longer required in the latest versions of Zabbix are console scripts to monitor SSL certificate expiration, which used to be passed to Zabbix through the UserParameter<\/strong>. Zabbix Agent 2 now enables inspection of certificate details using the built-in WebCertificate plugin<\/strong>. This post will delve into the two methods for monitoring SSL certificate expiration on Zabbix.<\/p>\n<\/p>\n Zabbix Agent 2 includes an in-built WebCertificate plugin that enables you to verify the information of a website certificate. It is advisable to confirm that this agent version is installed on the host:<\/p>\n<\/p>\n The WebCertificate plugin comes in handy when retrieving information about the certificate of a site directly from the console using the zabbix-get command:<\/p>\n<\/p>\n The command should return a JSON object that contains the attributes of the certificate for the specified Web site.<\/p>\n<\/p>\n A built-in template \u201cWebsite certificate by Zabbix agent 2\u201d is available in Zabbix. Use it to check the TLS\/SSL certificate expiration date.<\/p>\n<\/p>\n Zabbix now warns you when a site\u2019s certificate is about to expire.<\/p>\n<\/p>\n You can use external scripts to retrieve certificate expiry information in previous versions of Zabbix. The openssl command line tool allows you to extract website certificate information.<\/p>\n<\/p>\n Create a bash script file \/usr\/lib\/zabbix\/externalscripts\/sslcert_expiration.sh<\/strong> with the following code:<\/p>\n<\/p>\n #!\/bin\/bash<\/p> data=`echo | openssl s_client -servername $1 -connect $1:${2:-443} 2>\/dev\/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##'`<\/p> ssldate=`date -d \"${data}\" '+%s'`<\/p> nowdate=`date '+%s'`<\/p> diff=\"$((${ssldate}-${nowdate}))\"<\/p> echo $((${diff}\/24\/3600))<\/p> <\/pre>\n<\/p>\n Allow the script to run:<\/p>\n<\/p>\n This script returns the number of days left until the certificate expires. Check that the script works correctly.<\/p>\n<\/p>\n The script returned that the site\u2019s certificate is valid for the next 79 days.<\/p>\n<\/p>\n It’s necessary to grant permission to the Zabbix Agent to execute this bespoke bash script via the UserParameter<\/strong> parameter.<\/p>\n Include:<\/p>\nMonitoring SSL Certificate Expiry Using WebCertificate Plugin on Zabbix<\/h2>\n<\/p>\n
$ zabbix_agent2 -V<\/code><\/p>\n<\/p>\n$ zabbix_get -s 127.0.0.1 -k web.certificate.get[woshub.com,443]<\/code><\/p>\n<\/p>\n\n
127.0.0.1<\/code>);<\/li>\n{$CERT.WEBSITE.HOSTNAME}<\/code> macro, specify the DNS name of the Web site whose certificate you want to check;<\/li>\n{$CERT.EXPIRY.WARN}<\/code> ;<\/li>\n{$CERT.WEBSITE.PORT}<\/code> ;<\/li>\nMonitor HTTPS Certificate Expiry with Script in Zabbix<\/h2>\n<\/p>\n
<\/p>
$ sudo chmod +x \/usr\/lib\/zabbix\/externalscripts\/sslcert_expiration.sh<\/code><\/p>\n<\/p>\n$ \/usr\/lib\/zabbix\/externalscripts\/sslcert_expiration.sh woshub.com 443<\/code><\/p>\n<\/p>\nrel=\"nofollow\" target=\"_blank\">$ sudo mcedit \/etc\/zabbix\/zabbix_agent2.conf<\/code><\/p>\nUserParameter=sslcertexpire[*],\/usr\/lib\/zabbix\/externalscripts\/sslcert_expiration.sh $1 $2<\/pre>\n<\/p>\n