Simple SSL Certificate Expiry Monitoring in Zabbix

To monitor SSL certificate expiry dates in Zabbix, a simple shell script can run the certificate check and report the result. SSL certificates expire at various times, which can be quite hard to manage. HTTPS certificate monitoring is available with zabbix-agent2 and works without any external scripts, but if you want to continue with the existing Zabbix agent, the simple script below does the job with a single item.

SSL Certificate Expiry Monitoring

Log in to your Zabbix agent host over SSH.

Go to the /etc/zabbix/zabbix_agentd.conf.d directory, which is the common location for Zabbix, and create a file named checkssl.sh

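$ sudo vim checkssl.sh

#!/bin/bash
# Usage: checkssl.sh <hostname>
# Prints the number of whole days until the certificate served on <hostname>:443 expires.
data=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##')

# Convert the expiry date and the current time to epoch seconds (GNU date).
ssldate=$(date -d "${data}" '+%s')
nowdate=$(date '+%s')
diff=$((ssldate - nowdate))

# 86400 seconds per day.
echo $((diff / 86400))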

Then give it execute permissions.

$ sudo chmod 755 checkssl.sh

Then test the SSL certificate expiry check against the websites you manage, or any others.

For example,

$ ./checkssl.sh cloudkb.net
$ ./checkssl.sh github.com

The command should return a number indicating how many days are left before the SSL certificate expires.

Check SSL Expire date
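A hardened variant of the script above, as an added example that is not part of the original post: it validates the hostname argument (which arrives from the item key configured on the server), bounds the TLS connection with a timeout, and returns an error instead of a misleading number when no certificate date could be read. The function names valid_host, days_left and check_cert are hypothetical; GNU date, coreutils timeout and the openssl CLI are assumed.

```shell
#!/bin/sh
# Added example: hardened variant of checkssl.sh. Function names are hypothetical.
# Assumes GNU date, coreutils timeout and the openssl CLI on the agent host.

# Accept only hostname characters; the argument arrives from the item key on the server.
valid_host() {
    case "$1" in
        ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# days_left <notAfter string> <now in epoch seconds>
# Prints whole days until expiry (negative once expired); fails on an empty or bad date.
days_left() {
    # GNU date parses an empty string as today 00:00, which would print a bogus 0.
    [ -n "$1" ] || return 1
    exp=$(date -d "$1" '+%s' 2>/dev/null) || return 1
    echo $(( (exp - $2) / 86400 ))
}

# check_cert <hostname>: prints days left, or prints nothing and returns non-zero.
check_cert() {
    valid_host "$1" || { echo "invalid hostname" >&2; return 2; }
    # timeout bounds a hung TLS handshake so the agent check cannot block.
    end=$(echo | timeout 10 openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed -e 's#notAfter=##')
    days_left "$end" "$(date '+%s')"
}

# Run only when a hostname is given, e.g. ./checkssl.sh github.com
[ "$#" -eq 0 ] || check_cert "$1"
```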

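This script can be called any way you like for your particular use case. Now, let us enable “EnableRemoteCommands=1” in /etc/zabbix/zabbix_agentd.conf. This setting lets the Zabbix server run arbitrary commands on the agent host through system.run, so enable it only on agents whose server you trust. On Zabbix 5.0 and later the parameter is deprecated in favour of AllowKey/DenyKey, which can permit just this script's system.run key.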

$ sudo vim /etc/zabbix/zabbix_agentd.conf

And set EnableRemoteCommands=1

Restart the Zabbix agent

$ sudo systemctl restart zabbix-agent

How to configure in Zabbix Server?

Let us open the Zabbix server web page and configure the host items.

Configuration -> Select Hosts -> Click Items, and then press the Create Item button to get the new item configuration.

And fill in the details as seen in this image.

Zabbix SSL Check Item

For example, System run settings.

Key : system.run[/etc/zabbix/zabbix_agentd.conf.d/checkssl.sh localhost]

Or 

Key : system.run[/etc/zabbix/zabbix_agentd.conf.d/checkssl.sh <your_website>]

Type of information: Numeric (float)

After saving, select the new item you created, and press the Test button.

Then go to Monitoring -> Host -> Latest Data and filter for the host you added the item to. After the “Update Interval” you configured, you should see a new property titled SSL Check appear somewhere in the list.

Now you can configure the triggers to alert when fewer than 30 days remain before expiry, or whatever threshold you decide is important.

Example,

Zabbix SSL check Triggers

You can copy the existing trigger and modify the number of days to what you want. Leave a comment if you run into any trouble.

Use the SSL certificate expiry check below in a Zabbix template.