Zabbix Fun – Tracking SSL Certificate Expiration Times

One of the most important things that an IT pro has to do is make sure the SSL certs for his sites don’t expire. It’s one of those weird little things that seems to fall through the cracks way too often. Happily, Zabbix can help keep track of this and make sure we take care of it.

For the record, I heavily borrowed this idea from http://aperto.fr/cms/en/15-blog-en/15-ssl-certificate-expiration-monitoring-with-zabbix.html, keeping the vast majority of his technical operation and primarily changing how Zabbix executes the check.

Step 1 – the script:

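[root@sfo-it-zabbix-prod-01 ~]# cat /etc/zabbix/scripts/ssl_check.sh
#!/usr/bin/env bash
# Print the number of whole days until the certificate served by host $1 expires.
host=$1
port=443
# </dev/null closes stdin so s_client exits once the handshake is done.
end_date=`openssl s_client -host "$host" -port $port -showcerts </dev/null 2>/dev/null |
          sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
          openssl x509 -text 2>/dev/null |
          sed -n 's/ *Not After : *//p'`


# Only print a value if a certificate was retrieved and parsed.
if [ -n "$end_date" ]
then
    end_date_seconds=`date '+%s' --date "$end_date"`
    now_seconds=`date '+%s'`
    echo "($end_date_seconds-$now_seconds)/24/3600" | bc
fi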


This script takes a hostname as input, and looks up the associated SSL certificate using openssl. Example usage is:

[root@sfo-it-zabbix-prod-01 ~]# /etc/zabbix/scripts/ssl_check.sh www.gmail.com
176


The SSL Certificate for www.gmail.com expires in 176 days.


Now we add this as a custom parameter to Zabbix.


Step 2 – adding to zabbix_agentd.conf


UserParameter=cert_check[*],/etc/zabbix/scripts/ssl_check.sh $1


More information about creating custom checks in Zabbix can be found at http://www.zabbix.com/documentation/1.8/manual/config/user_parameters

Step 3 – setting up the Zabbix GUI

Since this will only change once per day, we really only care about checking it once every 24 hours, or 86400 seconds.

So now we’re collecting data. If you look at the overview for your Zabbix server (or whichever box you wrote this script on and applied the template to), you should see something similar to:

And that’s cool. BUT, how do we get Zabbix to send us info if our certificates are getting close to expiring? The answer is TRIGGERS.

Information on Zabbix triggers is available at http://www.zabbix.com/documentation/1.8/manual/config/triggers. I created three alert levels.

1. If the certificate is within 30 days of expiring, a standard level alert is sent out.
2. If the certificate is within 7 days of expiring, a high level alert is sent out.
3. If a certificate expires, a Disaster level alert is sent out.

And there you have it. Zabbix is now keeping an eye on our SSL Certificates, and will scream at us loudly to make sure we don’t let them expire.
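
An added example, not part of the original post or the script it borrows from: a variant of the check that validates the hostname arriving through the `cert_check[*]` item key, sends SNI with `-servername`, and maps the result onto the three alert levels above. The function names, the 10-second timeout and the exact `<= 7` / `<= 30` boundaries are assumptions; it needs GNU `date`, `timeout` and the `openssl` CLI.

```bash
#!/usr/bin/env bash
# Added example, not the post's script. Assumes GNU date, timeout, openssl CLI.

# Accept only plain DNS names: the value arrives from the cert_check[*] item
# key, and a leading "-" would otherwise be read by openssl as an option.
valid_host() {
    case $1 in
        ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Whole days from epoch $2 to epoch $1, rounded down, so a certificate that
# expired an hour ago gives -1 instead of 0.
days_between() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then
        echo $(( 0 - (86399 - $diff) / 86400 ))
    else
        echo $(( $diff / 86400 ))
    fi
}

# Map days remaining onto the post's three alert levels (boundaries assumed).
severity() {
    if   [ "$1" -lt 0 ];  then echo disaster   # already expired
    elif [ "$1" -le 7 ];  then echo high       # within 7 days
    elif [ "$1" -le 30 ]; then echo standard   # within 30 days
    else echo ok
    fi
}

# Print days until the certificate for host $1 (port $2, default 443) expires.
# Returns 2 for a rejected hostname and 1 if no certificate could be read;
# in both cases nothing is printed on stdout, as with the post's script.
cert_days_left() {
    valid_host "$1" || { echo "invalid hostname" >&2; return 2; }
    end=$(timeout 10 openssl s_client -connect "$1:${2:-443}" -servername "$1" \
              </dev/null 2>/dev/null |
          openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || return 1
    days_between "$(date -u -d "$end" +%s)" "$(date +%s)"
}

# Run as a script only when a hostname is given: ssl_check.sh www.example.com
if [ "$#" -ge 1 ]; then cert_days_left "$@"; fi
```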

5 thoughts on “Zabbix Fun – Tracking SSL Certificate Expiration Times”

  1. #!/bin/bash
    port=443
    endDate=$(echo | openssl s_client -connect $HOSTNAME:443 2>/dev/null | openssl x509 -noout -enddate | cut -c10-)
    # Code after if statement only runs if $endDate variable has a non-zero length. Tested with endDate=
    if [[ -n $endDate ]]
    then
    endDateSeconds=$(date '+%s' --date "$endDate")
    nowSeconds=$(date '+%s')
    secUntilExpire=$(expr $endDateSeconds - $nowSeconds)
    hoursUntilExpire=$(expr $secUntilExpire / 3600)
    daysUntilExpire=$(expr $hoursUntilExpire / 24)
    echo $daysUntilExpire
    fi

    1. Also, your Average trigger definition should be >7 instead of >8 otherwise you will not get a trigger to go off when the expiration is within 8 days. Your definition skips 8.
