Zabbix – Monitoring SSL certificate expiry dates and alerting when it’s due to expire

Nowadays almost every website provides an encrypted way of communication between itself and the end user. I would love to say it’s because web administrators these days are concerned about their visitors’ data safety but, while that might also be true in some cases, browsers these days will show a big “ERRRR, SOMETHING’S WRONG!” warning message when we try to connect to a non-HTTPS website.

While obtaining the certificates is pretty much free nowadays (as long as we’re OK with the amount of trustworthiness we get by running a Let’s Encrypt certificate) and some providers will even help us put them in the right place, we still have to remember to renew our certificates every now and then. If we don’t then, oh well. We’re back to square one, because having an expired certificate is as good as having no certificate at all when it comes to browsers screaming at us.

I was playing around with Zabbix again not too long ago and tried to find my own way of monitoring the expiry date of certificates at random webpages and alerting me whenever a certificate’s about to expire. I’m pretty sure there are probably more well-known and best-practice-following ways; however, I thought my solution is doing its job, so why not use it to learn something new?

Step 1. Create a script doing the lookup

Zabbix allows us to do something called “External Checks”. External checks are nothing more than script-based checks we can invoke to do things we might not be able to do with Zabbix’s built-in functionality. External Checks refer to scripts kept in the /usr/lib/zabbix/externalscripts directory. To make sure Zabbix knows what directory to use, head to /etc/zabbix/zabbix_server.conf:

sudo vi /etc/zabbix/zabbix_server.conf

and make sure the following line is present:

### Option: ExternalScripts
#       Full path to location of external scripts.
#       Default depends on compilation options.
#       To see the default path run command "zabbix_server --help".
#
# Mandatory: no
# Default:
# ExternalScripts=${datadir}/zabbix/externalscripts

ExternalScripts=/usr/lib/zabbix/externalscripts

Save the file, head to the /usr/lib/zabbix/externalscripts directory and create a new file called certcheck.sh. Give it the executable flag:

cd /usr/lib/zabbix/externalscripts
touch certcheck.sh
chmod +x certcheck.sh

Open the certcheck.sh file with vi/vim/emacs/nano/ed/magnetic needle and paste the following content:

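#!/bin/bash
# Usage: certcheck.sh <hostname>   Prints the certificate expiry date as YYYYMMDD.
# "$1" is quoted so a parameter containing spaces cannot be split into extra curl arguments.
cert_date=$(curl -v --head "https://$1" 2>&1 | grep 'Server certificate' -A4 | grep 'expire date' | awk '{print $5" "$4" "$7}')
[ -n "$cert_date" ] || exit 1   # no expiry line found: fail rather than print a date
date --date="$cert_date" +"%Y%m%d"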

Now test if the script works:

# We run the script and specify www.bbc.co.uk as the parameter
./certcheck.sh www.bbc.co.uk
# We should get the following output (this will obviously change in future since BBC will renew their certificate :)):
20190718

Step 2. Use the script for an External Check in Zabbix

In the template of your choice create a new item:

Change “tecden.co.uk” to your own URL. As you can see, I’ve set the Update Interval to 24h. That’s because we obviously don’t expect the SSL certificate to expire all of a sudden, and we don’t want to be spammed with emails/text messages every time a check is made and the trigger fires.

Step 3. Configure the trigger

The trigger will be used to alert us that our certificate is about to expire. In the same template where you created the item, create a new trigger with the expression listed below:

{Web Servers:certcheck.sh["tecden.co.uk"].date()}+7 >= {Web Servers:certcheck.sh["tecden.co.uk"].last()}

Press Update and that’s it! You will be alerted 7 days prior to certificate expiry. If you want to give yourself a bit more time to react, change “7” in the expression above to the number of days before expiry at which you want the alarm to go off.
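The trigger above adds 7 to a YYYYMMDD number, which is integer arithmetic rather than date arithmetic, so the comparison only holds while today and the expiry date fall in the same month. The script below is an added example, not part of the original post: it runs the same test on constructed dates next to a real day count; the function names are hypothetical and GNU date is assumed.

```bash
#!/bin/bash
# Added example, not the original author's script.
# Compares the trigger's integer test (today+7 >= expiry on YYYYMMDD numbers)
# with a real day count, using constructed dates. Requires GNU date.

# Mimics the trigger expression: date()+7 >= last(), both as YYYYMMDD integers.
integer_check() {   # $1 = today, $2 = expiry (YYYYMMDD)
    if [ $(( $1 + 7 )) -ge "$2" ]; then echo ALERT; else echo OK; fi
}

# Whole days between two YYYYMMDD dates, computed from epoch seconds (UTC).
days_left() {       # $1 = today, $2 = expiry (YYYYMMDD)
    local now exp
    now=$(date -u --date="$1" +%s) || return 1
    exp=$(date -u --date="$2" +%s) || return 1
    echo $(( (exp - now) / 86400 ))
}

# Same 7-day policy, expressed on the day count instead of the raw date.
days_check() {      # $1 = today, $2 = expiry (YYYYMMDD)
    local left
    left=$(days_left "$1" "$2") || { echo UNKNOWN; return 1; }
    if [ "$left" -le 7 ]; then echo ALERT; else echo OK; fi
}

# Constructed cases, each "today expiry": same month, month rollover, year rollover.
for pair in "20190711 20190718" "20190728 20190801" "20191229 20200102"; do
    set -- $pair
    printf '%s -> %s: integer=%s days_left=%s days=%s\n' \
        "$1" "$2" "$(integer_check "$1" "$2")" \
        "$(days_left "$1" "$2")" "$(days_check "$1" "$2")"
done
```

An external check that prints the days_left value instead of the raw date lets the trigger compare a plain number against the threshold, which behaves the same across month and year boundaries.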

Hope this helps someone 🙂
