Check SSL Certificate Expiry on Websites using Custom Script and system.run

Video Lecture

Check SSL Certificate Expiry on Websites using Custom Script and system.run Check SSL Certificate Expiry on Websites using Custom Script and system.run Check SSL Certificate Expiry on Websites using Custom Script and system.run

Description

In this lecture I use the agent running on my Zabbix Server to monitor days remaining before SSL expiry by creating a custom script and executing it using the system.run item key option.

You can use any linux agent you desire to run this script.

Open the agents config file and set

EnableRemoteCommands=1

then save and restart the agent process

Note

For pre Zabbix 5.02. In the zabbix_agentd.conf for the remote host, add EnableRemoteCommands=1 and then restart the agent process.

In Zabbix 5.0 and 5.01, you will also need to comment out the DenyKey parameter which blocks system.run by default, and then restart the agent process.

In Zabbix 5.02 and later, you can ignore EnableRemoteCommands=1 since it is now deprecated, and you should use a combination of DenyKey and AllowKey to fine tune the scripts you want to deny/allow.

See Restricting agent checks for more info.

CD to your /home/zabbix folder

1
cd /home/zabbix

Then create the script on your server,

1
2
3
4
5
6
7
8
9
data=`echo | openssl s_client -servername $1 -connect $1:${2:-443} 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##'`

ssldate=`date -d "${data}" '+%s'`

nowdate=`date '+%s'`

diff="$((${ssldate}-${nowdate}))"

echo $((${diff}/86400))

Save it as checkssl.sh and give it execute permissions.

1
sudo chmod a+x checkssl.sh

Test that it works using

1
./checkssl.sh example.com

or

1
./checkssl.sh example.com 443

Adding port 443 is optional and default. You can put any port here in case you certificate was bound to a different port, eg 3000 or 8443

or use any other domain name rather than example.com

Then go into zabbix and create items that call this script for each website ssl you want to monitor.

Example item key is

system.run[/home/zabbix/checkssl.sh example.com 443]

Since the expiry days can go negative, I advise you use the numeric(float) option in the type of information drop down.

Visit Monitoring-->Latest Data to see the values.

Zabbix Agent Items

Restricting Agent Checks