Check SSL Certificate Expiry on Websites using Custom Script and system.run


Description

In this lesson I use the agent running on my Zabbix Server to monitor days remaining before SSL expiry by creating a custom script and executing it using the system.run item key option.

You can use any Linux agent you desire to run this script.

Note

  • Zabbix Agents pre 5.02. In the zabbix_agentd.conf for the remote host, add EnableRemoteCommands=1 and then restart the agent process.

  • Zabbix Agents 5.0 and 5.01. Comment out the DenyKey parameter which blocks system.run by default, add EnableRemoteCommands=1 and then restart the agent process.

  • Zabbix Agents 5.02 and later. Either,

    • Comment out the DenyKey and add AllowKey=system.run[*]

    • or comment out the DenyKey and add EnableRemoteCommands=1 (EnableRemoteCommands is now deprecated, so it is no longer recommended and will eventually stop working as versions are updated)

See Restricting agent checks for more info.

To get the version of the agent,

sudo zabbix_agentd -V

Change to your /home/zabbix folder

cd /home/zabbix

Then create the script on your server,

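sudo nano checkssl.sh

#!/bin/sh
# Usage: checkssl.sh <hostname> [port]   (port defaults to 443)

# Read the notAfter date from the certificate the server presents
data=$(echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null | openssl x509 -noout -enddate | sed -e 's#notAfter=##')

# Convert the expiry date and the current time to epoch seconds
ssldate=$(date -d "${data}" '+%s')
nowdate=$(date '+%s')

# Print the whole days remaining (negative once the certificate has expired)
diff=$((ssldate - nowdate))
echo $((diff / 86400))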

Save it, and give it execute permissions.

sudo chmod a+x checkssl.sh

Test that it works using

./checkssl.sh example.com

or

./checkssl.sh example.com 443

Adding port 443 is optional, since it is the default. You can put any port here in case your certificate is bound to a different port, e.g. 3000 or 8443

or use any other domain name rather than example.com
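
A hardened variant of the script above, added here as an example and not the lesson's own code: it validates the host and port before they reach openssl, bounds the connection with timeout, and fails instead of printing a number when no certificate was retrieved (GNU date -d "" resolves to today, so the original prints 0 in that case). The function names, the 10-second timeout and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: hardened variant of checkssl.sh, not the lesson's script.
# Function names and exit codes are this example's own choices.

# Allow only hostname characters so nothing else reaches the openssl command line.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    return 0
}

# Port must be an integer from 1 to 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Whole days from epoch seconds $2 until the notAfter string $1 (negative once expired).
days_left() {
    [ -n "$1" ] || return 1   # GNU date -d "" silently means "today"
    end=$(date -d "$1" '+%s' 2>/dev/null) || return 1
    echo $(( ($end - $2) / 86400 ))
}

check_ssl() {
    host=$1
    port=${2:-443}
    valid_host "$host" || { echo "invalid host" >&2; return 2; }
    valid_port "$port" || { echo "invalid port" >&2; return 2; }
    # timeout (coreutils) stops an unresponsive endpoint from stalling the item
    enddate=$(echo | timeout 10 openssl s_client -servername "$host" \
        -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null | sed -e 's#notAfter=##')
    days_left "$enddate" "$(date '+%s')" \
        || { echo "no certificate retrieved" >&2; return 1; }
}

# Run the check only when arguments are given, e.g. ./checkssl.sh example.com 443
if [ "$#" -gt 0 ]; then
    check_ssl "$@"
fi
```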

Then go into Zabbix and create items that call this script for each website whose SSL certificate you want to monitor.

Example item key is

system.run[/home/zabbix/checkssl.sh example.com 443]

Since the expiry days can go negative, I advise you to use the Numeric (float) option in the Type of information drop-down.

Visit Monitoring → Latest Data to see the values.

CentOS 7

You may get the message python cannot execute file [Errno 13] Permission denied

You can disable SELinux

sudo nano /etc/selinux/config

Set SELINUX=disabled

Save, reboot

sudo reboot now

Check

sestatus

Restart the Zabbix agent if it was not auto started.

/bin/systemctl restart zabbix-agent.service

Test the item again using the Zabbix UI Test button in the host item form.

Zabbix Agent Items

Restricting Agent Checks