>One of the most important things that an IT pro has to do is make sure the SSL certs for his sites don’t expire. It’s one of those weird little things that seems to fall through the cracks way too often. Happily, Zabbix can help keep track of this and make sure we take care of it.
For the record, I heavily borrowed this idea from http://aperto.fr/cms/en/15-blog-en/15-ssl-certificate-expiration-monitoring-with-zabbix.html, keeping the vast majority of his technical operation, and primarily changed how Zabbix is executing the check.
Step 1 – the script:
[root@sfo-it-zabbix-prod-01 ~]# cat /etc/zabbix/scripts/ssl_check.sh
end_date=`openssl s_client -host $host -port $port -showcerts /dev/null |
sed -n ‘/BEGIN CERTIFICATE/,/END CERT/p’ |
openssl x509 -text 2>/dev/null |
sed -n ‘s/ *Not After : *//p’`
if [ -n “$end_date” ]
end_date_seconds=`date ‘+%s’ –date “$end_date”`
echo “($end_date_seconds-$now_seconds)/24/3600” | bc
This script takes a hostname as input, and looks up the associated SSL certificate using openssl. Example usage is:
[root@sfo-it-zabbix-prod-01 ~]# /etc/zabbix/scripts/ssl_check.sh http://www.gmail.com
The SSL Certificate for http://www.gmail.com expires in 176 days.
Now we add this as a custom parameter to Zabbix.
Step 2 – adding to zabbix_agentd.conf
More information about creating custom checks in Zabbix can be found at http://www.zabbix.com/documentation/1.8/manual/config/user_parameters
Step 3 – setting up the Zabbix GUI
Since this will only change once per day, we really only care about checking it once every 24 hours, or 86400 seconds.