Check SSL Certificate Expiry on Websites using Custom Script and system.run
Video Lecture
Description
In this lesson I use the agent running on my Zabbix Server to monitor days remaining before SSL expiry by creating a custom script and executing it using the system.run item key option.
You can use any linux agent you desire to run this script.
Note
-
Zabbix Agents pre 5.02. In the zabbix_agentd.conf for the remote host, add EnableRemoteCommands=1 and then restart the agent process.
-
Zabbix Agents 5.0 and 5.01. Comment out the DenyKey parameter which blocks system.run by default, add EnableRemoteCommands=1 and then restart the agent process.
-
Zabbix Agents 5.02 and later. Either,
-
Comment out the DenyKey and add AllowKey=system.run[*]
-
or Comment out the DenyKey and add EnableRemoteCommands=1 (EnableRemoteCommands is now deprecated so it is no longer recommended and will eventually stop working as versions are updated)
-
See Restricting agent checks for more info.
To get the version of the agent,
1 | |
CD to your /home/zabbix folder
1 | |
Then create the script on your server,
1 | |
1 2 3 4 5 6 7 8 9 | |
Save it, and give it execute permissions.
1 | |
Test that it works using
1 | |
or
1 | |
Adding port 443 is optional and default. You can put any port here in case you certificate was bound to a different port, eg 3000 or 8443
or use any other domain name rather than example.com
Then go into zabbix and create items that call this script for each website ssl you want to monitor.
Example item key is
system.run[/home/zabbix/checkssl.sh example.com 443]
Since the expiry days can go negative, I advise you use the numeric(float) option in the type of information drop down.
Visit Monitoring-->Latest Data to see the values.
Centos 7
You may get the message python cannot execute file [Errno 13] Permission denied
You can disable selinux
1 | |
SELINUX=disabled
Save, reboot
1 | |
Check
1 | |
Restart zabbix agent if it was not auto started.
1 | |
Test the item again using Zabbix UI test button in the host item form.