Special Offer

Zabbix Monitoring Course Discount $11.99
https://www.udemy.com/course/zabbix-monitoring/?couponCode=607976806882D016D221
Offer expires in hours. Be quick and share with your friends and colleagues.

Special Offer

Grafana Course Discount $13.99
https://www.udemy.com/course/grafana-tutorial/?couponCode=D04B41D2EF297CC83032
Offer expires in hours. Be quick and share with your friends and colleagues.

Special Offer

Prometheus Course Discount $9.99
https://www.udemy.com/course/prometheus/?couponCode=EB3123B9535131F1237F
Offer expires in hours. Be quick and share with your friends and colleagues.

Special Offer

Threejs Course Discount $9.99
https://www.udemy.com/course/threejs-tutorials/?couponCode=416F66CD4614B1E0FD02
Offer expires in hours. Be quick and share with your friends and colleagues.

Check SSL Certificate Expiry on Websites using Custom Script and system.run

Video Lecture

Description

In this lesson I use the agent running on my Zabbix Server to monitor days remaining before SSL expiry by creating a custom script and executing it using the system.run item key option.

You can use any linux agent you desire to run this script.

Note

• Zabbix Agents pre 5.02. In the zabbix_agentd.conf for the remote host, add EnableRemoteCommands=1 and then restart the agent process.

• Zabbix Agents 5.0 and 5.01. Comment out the DenyKey parameter which blocks system.run by default, add EnableRemoteCommands=1 and then restart the agent process.

• Zabbix Agents 5.02 and later. Either,

  • Comment out the DenyKey and add AllowKey=system.run[*]

  • or Comment out the DenyKey and add EnableRemoteCommands=1 (EnableRemoteCommands is now deprecated so it is no longer recommended and will eventually stop working as versions are updated)

See Restricting agent checks for more info.

To get the version of the agent,

sudo zabbix_agentd -V

CD to your /home/zabbix folder

cd /home/zabbix

Then create the script on your server,

sudo nano checkssl.sh

data=`echo | openssl s_client -servername $1 -connect $1:${2:-443} 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##'`

ssldate=`date -d "${data}" '+%s'`

nowdate=`date '+%s'`

diff="$((${ssldate}-${nowdate}))"

echo $((${diff}/86400))

Save it, and give it execute permissions.

sudo chmod a+x checkssl.sh

Test that it works using

./checkssl.sh example.com

or

./checkssl.sh example.com 443

Adding port 443 is optional and default. You can put any port here in case you certificate was bound to a different port, eg 3000 or 8443

or use any other domain name rather than example.com

Then go into zabbix and create items that call this script for each website ssl you want to monitor.

Example item key is

system.run[/home/zabbix/checkssl.sh example.com 443]

Since the expiry days can go negative, I advise you use the numeric(float) option in the type of information drop down.

Visit Monitoring-->Latest Data to see the values.

Centos 7

You may get the message python cannot execute file [Errno 13] Permission denied

You can disable selinux

sudo nano /etc/selinux/config

set SELINUX=disabled

Save, reboot

sudo reboot now

Check

sestatus

Restart zabbix agent if it was not auto started.

/bin/systemctl restart zabbix-agent.service

Test the item again using Zabbix UI test button in the host item form.

Useful Links

Zabbix Agent Items

Restricting Agent Checks