1. Create a template in Zabbix for the SSL certificate check
2. Create a .conf file in /etc/zabbix/zabbix_agentd.d/
touch /etc/zabbix/zabbix_agentd.d/Userparameter_ssl_checker.conf
3. Insert the custom keys and commands into the Userparameter_ssl_checker.conf file
vi /etc/zabbix/zabbix_agentd.d/Userparameter_ssl_checker.conf
UserParameter=httpsSsl_status_CertCheckValid, /opt/https_ssl_cert_check.sh valid status.nipa.cloud 443
UserParameter=httpsSsl_status_CertCheckExpire, /opt/https_ssl_cert_check.sh expire status.nipa.cloud 443
4. The format for creating a custom key is UserParameter={key_name},{command}; the key stores the result of the command.
UserParameter={key_name},{command}
UserParameter=httpsSsl_status_CertCheckValid, /opt/https_ssl_cert_check.sh valid status.nipa.cloud 443
When you run /opt/https_ssl_cert_check.sh valid status.nipa.cloud 443, the result is 0 for an invalid and 1 for a valid SSL certificate
4.1. Note that https_ssl_cert_check.sh requires two inputs after the check type (the URL without https and the port) and gives a numeric output
/opt/https_ssl_cert_check.sh valid {URL_without_https} {port} < checks the validity of the SSL certificate and returns 0 (invalid) or 1 (valid)
/opt/https_ssl_cert_check.sh expire {URL_without_https} {port} < checks the expiry date of the SSL certificate and returns the number of days left (e.g. 390 days left)
5. Create a script file for the SSL certificate check and move it to /opt/
vi /opt/https_ssl_cert_check.sh
5.1 Insert code into https_ssl_cert_check.sh
#!/bin/bash

default_check_timeout=3
error_code=-65535

function error_usage() {
    echo $error_code
    cat >&2 << EOF
Usage: $(basename $0) expire|valid hostname port [check_timeout]

Script checks SSL certificate expiration and validity for HTTPS.
check_timeout is optional, default $default_check_timeout seconds.

Output:
* expire:
  * N number of days left before expiration, 0 or negative if expired
  * $error_code failed to get certificate
* valid:
  * 1 valid
  * 0 invalid
  * $error_code failed to get certificate

Return code is always 0, otherwise zabbix agent fails to get item value and triggers would not work.
EOF
    exit 0
}

# Print the error sentinel on stdout (the item value) and the reason on stderr
function error() { echo $error_code; echo "ERROR: $*" >&2; exit 0; }
function result() { echo "$1"; exit 0; }

# Arguments
check_type="$1"
host="$2"
port="$3"
check_timeout="${4:-$default_check_timeout}"
ssl_ca_path=/etc/ssl/certs

# Check if required utilities exist
for util in timeout openssl date; do
    command -v "$util" >/dev/null || error "Not found in \$PATH: $util"
done

# Check arguments
[ "$#" -lt 3 ] && error_usage
[ "$check_type" = "expire" -o "$check_type" = "valid" ] || error "Wrong check type. Should be one of: expire,valid"
[[ "$port" =~ ^[0-9]+$ ]] || error "Port should be a number"
[ "$port" -ge 1 -a "$port" -le 65535 ] || error "Port should be between 1 and 65535"
[[ "$check_timeout" =~ ^[0-9]+$ ]] || error "Check timeout should be a number"

# Get certificate (empty stdin makes s_client exit after the handshake)
output=$( echo \
    | timeout "$check_timeout" openssl s_client -CApath "$ssl_ca_path" -servername "$host" -connect "$host":"$port" 2>/dev/null )
[ $? -ne 0 ] && error "Failed to get certificate"

# Run checks
if [ "$check_type" = "expire" ]; then
    expire_date=$( echo "$output" \
        | openssl x509 -noout -dates \
        | grep '^notAfter' | cut -d'=' -f2 )
    # An empty date would be parsed by date -d as today and reported as 0 days
    [ -n "$expire_date" ] || error "Failed to get expire date"
    expire_date_epoch=$(date -d "$expire_date" +%s) || error "Failed to get expire date"
    current_date_epoch=$(date +%s)
    days_left=$(( ($expire_date_epoch - $current_date_epoch)/(3600*24) ))
    result "$days_left"
elif [ "$check_type" = "valid" ]; then
    # Take the first match in case the line appears more than once in the output
    verify_return_code=$( echo "$output" | grep -E '^[ ]+Verify return code:' | head -n 1 | tr -s ' ' | cut -d' ' -f5 )
    [ "$verify_return_code" -eq 0 ] && result 1 || result 0
fi
6. In the Zabbix GUI, go to Configuration > Template > SSL Check > Items
7. Create an item and fill in the item name and key fields for the valid and expire keys
This picture shows the information for creating httpsSsl_status_CertCheckValid
This picture shows the information for creating httpsSsl_status_CertCheckExpire
8. In the Zabbix GUI, go to the host where you added the .conf and script files and add the SSL template
9. Restart the Zabbix agent on that host so that it accepts the newly added keys
systemctl restart zabbix-agent.service
10. Check Latest data and the status key to confirm that the Zabbix agent is sending the data. Go to Monitoring > Latest Data > {pick_host} > {pick_application > SSL}
11. In the Zabbix GUI, go to Configuration > Template > SSL Check > Triggers
11.1 Create a new trigger and enter the name and expression as follows
This picture shows a trigger > if the SSL certificate expiry date is less than 30 days away
This picture shows a trigger > if the SSL certificate expiry date is less than one day away or the certificate has expired
This picture shows a trigger > if https_ssl_cert_check.sh fails to get data from the SSL certificate
This picture shows a trigger > if https_ssl_cert_check.sh returns no data
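The valid check in step 5.1 reports only the chain verification result printed by openssl s_client, which does not compare the certificate with the host name. The following is an added example, not part of the original script: it applies the same 1 / 0 / -65535 output contract to a local PEM file and adds a host name match, so the logic can be exercised offline. The function names and the host monitor.example.test are constructed for illustration.

```bash
#!/bin/bash
# Added example, not from the original page; function names are hypothetical.
error_code=-65535   # same sentinel as https_ssl_cert_check.sh

# Build a constructed self-signed test certificate in dir $1: CN=$2, valid $3 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days "$3" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Usage: check_pem expire|valid cert.pem trust.pem hostname
check_pem() {
    local check_type="$1" pem="$2" trust="$3" host="$4" end end_epoch
    # Failure mode: unreadable or non-certificate input yields the sentinel.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo "$error_code"; return 0; }
    case "$check_type" in
        expire)
            end=$(openssl x509 -in "$pem" -noout -enddate | cut -d'=' -f2)
            end_epoch=$(date -d "$end" +%s) || { echo "$error_code"; return 0; }
            echo $(( (end_epoch - $(date +%s)) / (3600*24) ))
            ;;
        valid)
            # Chain check plus host name match; a mismatch counts as invalid.
            if openssl verify -CAfile "$trust" -verify_hostname "$host" "$pem" >/dev/null 2>&1
            then echo 1; else echo 0; fi
            ;;
        *)  echo "$error_code" ;;
    esac
}

# Self-test on constructed data. Prints three values:
# valid with matching host, valid with a different host, days left.
selftest() {
    local dir; dir=$(mktemp -d) || return 1
    make_test_cert "$dir" monitor.example.test 10 || { rm -rf "$dir"; return 1; }
    echo "$(check_pem valid "$dir/cert.pem" "$dir/cert.pem" monitor.example.test)" \
         "$(check_pem valid "$dir/cert.pem" "$dir/cert.pem" other.example.test)" \
         "$(check_pem expire "$dir/cert.pem" "$dir/cert.pem" monitor.example.test)"
    rm -rf "$dir"
}
```

For the live check, openssl s_client accepts the same -verify_hostname option, so the host name match can be added to the s_client call in the script.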