
To monitor SSL certificate expiry dates with Zabbix, there are quite a few things you need to do. I’ve tried to make a comprehensive guide about it so you can build the thing yourself and learn how external scripts work. At the end, I’ve attached a Zabbix template for you that can easily be imported into Zabbix. This guide is for Zabbix 2.4, and the template will not work as is on older versions due to changes made to how triggers work. Hopefully you will be able to figure things out with the help of this post so that, if need be, it can be done on an older version as well.

Then you need to import the froggsslcheck.xml template configuration file in the Zabbix web interface, in the Templates tab, using the Import button. For host configuration, the template uses 5 macros. Put /etc/zabbix/zabbixagentd.d/ssl-sites.conf in the config directory of your client agent (the server where your sites reside). Put /etc/zabbix/sslsites.json in the config directory of your client agent (the server where your sites reside) and modify the list of sites which should be checked.

I then go into the Zabbix server user interface and configure the PSK encryption options for the host. I select 'Connections to host' = PSK, 'Connections from host' = PSK, 'PSK Identity' = whatever you used in the Zabbix agent config, and 'PSK' = the long hex string generated from the OpenSSL command above.

I can then visit my new Zabbix server on CentOS 7 with SSL and a domain name at. Follow the commands laid out for you on the Certbot website, e.g. choose Nginx on CentOS/RHEL 7. After the setup, you may need to manually set the location of the certificate and private key in the zabbix.conf file.

First off, we need to make a script that will query for the SSL certificate, parse it and then return a value for Zabbix to store.

The External Script

Lines 2-5:
Define values for our variables. We define the server to query as SERVER and assign the first input argument to it. For TIMESTAMP we store the current date so we can log things.
Lines 6-11:
If a second user-supplied argument (the port) was passed, store it; otherwise assume the default HTTPS port of 443.
Line 12:
This is a little bit more complex. First off we query for the SSL certificate using openssl and send its diagnostic output to /dev/null, as we don’t want to store or print it. Instead we pipe the certificate back into openssl to extract the dates from it. As the second openssl command returns two dates (notBefore and notAfter), and we are only interested in the expiry date, we use grep to get the line that contains ‘notAfter’. The last piped command selects everything after the “=” sign, to give us only the date in question. *phew* quite a mouthful wasn’t it? You can copy and paste the command piece by piece to see what the different outputs look like.
Lines 13-14:
This calculates how many seconds there are between the certificate’s notAfter time and now. %s returns a value that corresponds to the total number of seconds since the epoch (seconds since 1970-01-01 00:00:00 UTC).
Lines 15-20:
We check if the returned value is negative, as the certificate might have already expired! Zabbix can’t handle negative values here, and I wasn’t too worried about how long ago the certificate expired as long as we know it has expired or will expire. If the value is above zero, convert the seconds to days.
Line 22:
Write the output to a log file, to keep track of which certificates have been checked. This can be commented out if found unnecessary.
Line 23:
Return the value, either 0 (which means the query either failed or the certificate has already expired) or the number of days left until the certificate expires.
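The script itself is not reproduced on this page, so here is an added reconstruction of the external check described line by line above (example code, not the author’s original file). The file name ssl_check.sh comes from the text; the function names, the SSL_CHECK_LOG environment variable, the /tmp/ssl_check.log default and the -servername (SNI) option are my assumptions. It relies on GNU date for parsing the notAfter string.

```shell
#!/bin/sh
# ssl_check.sh -- added example reconstructing the external script explained above
# (not the author's original). Usage: ssl_check.sh <host> [port]
# Prints the number of days until the server certificate expires, or 0 when the
# query fails or the certificate has already expired (no negative values for Zabbix).

LOGFILE="${SSL_CHECK_LOG:-/tmp/ssl_check.log}"   # assumed log location

# Take `openssl x509 -noout -dates` output on stdin and return only the notAfter date,
# i.e. everything after the "=" on the notAfter line (grep + cut, as in the write-up).
extract_not_after() {
    grep '^notAfter=' | cut -d= -f2-
}

# Fetch the certificate from host:port and return its notAfter date string,
# e.g. "Jun 10 12:00:00 2099 GMT". Diagnostic output from s_client is discarded.
# -servername sends SNI so virtual hosts return the right certificate (my addition).
fetch_not_after() {
    host="$1"; port="${2:-443}"
    echo | openssl s_client -servername "$host" -connect "$host:$port" 2>/dev/null \
        | openssl x509 -noout -dates 2>/dev/null \
        | extract_not_after
}

# Whole days between two epoch timestamps, clamped to 0 when expiry is in the past.
days_left() {
    expiry_epoch="$1"; now_epoch="$2"
    diff=$((expiry_epoch - now_epoch))
    if [ "$diff" -lt 0 ]; then
        echo 0
    else
        echo $((diff / 86400))
    fi
}

main() {
    server="$1"; port="${2:-443}"          # first argument host, second optional port
    timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    not_after=$(fetch_not_after "$server" "$port")
    if [ -z "$not_after" ]; then
        result=0                             # query failed: report 0 like the original
    else
        expiry=$(date -d "$not_after" +%s 2>/dev/null || echo 0)   # GNU date assumed
        result=$(days_left "$expiry" "$(date +%s)")
    fi
    echo "$timestamp $server:$port $result" >> "$LOGFILE"   # audit trail of checks
    echo "$result"                                          # value Zabbix stores
}

# Only run when invoked with a host argument, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Once saved under the ExternalScripts directory with the permissions described below, an item of type External Check can call it with a key such as ssl_check.sh[{$SSL_HOST},{$SSL_PORT}] (macro names assumed; the page does not name its two macros). Note that a 0 result is ambiguous between "expired" and "could not connect", so a trigger on a low value should be treated as "investigate now" rather than only "renew soon".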

You need to save the script as a .sh file and make it executable with chmod u+x (at minimum). In addition, if the script file only has execute permission for its owner, then it needs to be owned by the user that Zabbix server runs as, which by default is zabbix. In the example below, I have changed the ownership of the script file to user zabbix, group zabbix with chown zabbix:zabbix ssl_check.sh, and I’ve given both the user and the group read, write and execute permissions on the file. Other users have no permissions on the file.

Zabbix Server configuration

If you haven’t used external scripts before on your Zabbix Server, then you need to make changes to your Zabbix Server configuration file. This can be found by default in /etc/zabbix/zabbix_server.conf (CentOS) and in this file, you need to locate the following line(s):

I’ve changed ExternalScripts to /etc/zabbix/externalscripts (which I created), in the same folder where the Zabbix server and Zabbix agent configuration files reside. Once you’ve changed this, Zabbix server needs to be restarted.

The Template

To make things easy, I created a template which can be applied on any host within Zabbix. This cuts down the amount of setting up required and can easily be applied to any webhost that’s being monitored by zabbix. Go to Configuration, Templates and press “Create Template“. I named mine “Template SSL Check“.


To make things easy to use, create two macros:

Select Items, and press “Create Item”.


Give it a name, set the type to “External Check” which tells Zabbix to look in the External Scripts folder we defined earlier. The key must contain the name of the script file, in this case ssl_check.sh and the variables we want to pass to it being the host and port.


The type of information should be “Numeric” and the data type “Decimal”. An update interval of 86400 seconds is enough, which equals once a day. Store the value “As is” and show the value “As is”. Lastly, define a new application, as there isn’t one in this new template. I’ve named the new application “Certificate Check”.


Hit save and now we have a new Item in this template that interacts with our ssl_check.sh script. At this point, you could try things out to see if any values are returned from the script. But without triggers, no alerts would be passed to you which is the ultimate goal.

The Triggers

The last thing to do is to create the triggers, which is pretty straightforward as we only have one item. You can either use the expression builder to create the trigger or write it yourself. Here’s one example of the triggers that can be created:


You can change the days as you please, to make the alerts fit your needs. In previous versions of Zabbix, at least in 2.0, the “&” sign was used instead of “and” to combine two trigger expressions. Other than that, the trigger should work on the latest versions of Zabbix. You can download the trigger template below and import it into Zabbix version 2.4.

Compile the Zabbix agent against statically linked OpenSSL
compile_zabbix_agent_openssl_static.sh

#!/bin/bash
# Build a Zabbix agent with OpenSSL linked statically so the binaries carry no
# runtime dependency on the host's OpenSSL. Run as root on a build machine.
set -e
PCRE_VERSION=8.44
ZABBIX_VERSION=4.4.7
OPENSSL_VERSION=1.1.1g
### gcc ###
# install a C/C++ compiler if none is present (apt-get on Debian/Ubuntu, yum on RHEL/CentOS)
test ! "$(which gcc)" && test "$(which apt-get)" && apt-get install -y g++
test ! "$(which gcc)" && test "$(which yum)" && yum install -y gcc-c++
### PCRE ###
cd /usr/local/src
wget https://ftp.pcre.org/pub/pcre/pcre-$PCRE_VERSION.zip
unzip pcre-$PCRE_VERSION.zip
cd pcre-$PCRE_VERSION
time ./configure
time make
time make install
ldconfig
### OpenSSL ###
# https://unix.stackexchange.com/questions/293311/install-openssl-from-source
cd /usr/local/src
wget https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz
tar -xzvf openssl-$OPENSSL_VERSION.tar.gz
cd openssl-$OPENSSL_VERSION
# installed under its own prefix so the system OpenSSL is left untouched
time ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
time make
time make install
### ZABBIX ####
cd /usr/local/src
wget --no-check-certificate https://fossies.org/linux/misc/zabbix-$ZABBIX_VERSION.tar.gz
tar -xzvf zabbix-$ZABBIX_VERSION.tar.gz
cd zabbix-$ZABBIX_VERSION
# addgroup/adduser as used here are the Debian/Ubuntu variants
addgroup --system --quiet zabbix
adduser --quiet --system --disabled-login --ingroup zabbix --home /var/lib/zabbix --no-create-home zabbix
# compile first without static linking as per: https://www.zabbix.com/forum/zabbix-troubleshooting-and-problems/46215-zabbix-3-0-3-with-tls-support-centos-5-x?p=277199#post277199
time ./configure --enable-agent --with-openssl=/usr/local/openssl
# backup
cp Makefile Makefile.orig
# point the build at the freshly built OpenSSL headers and static libraries
sed -r 's|(^CFLAGS.*)|\1 -I/usr/local/openssl/include|' -i Makefile
sed -r 's|(^LDFLAGS.*)|\1 -L/usr/local/openssl/lib -static|' -i Makefile
sed -r 's|(^LIBS.*)|\1 -lssl -lcrypto|' -i Makefile
# static linking removes runtime dependencies
time ./configure --enable-agent --enable-static --with-openssl=/usr/local/openssl
time make
ZABBIX_BIN_DIR=zabbix-$ZABBIX_VERSION-$(uname -s)_$(uname -m)
mkdir "$ZABBIX_BIN_DIR"
cp -t "$ZABBIX_BIN_DIR" src/zabbix_agent/zabbix_agentd src/zabbix_sender/zabbix_sender src/zabbix_get/zabbix_get
tar -czvf "${ZABBIX_BIN_DIR}.tar.gz" "$ZABBIX_BIN_DIR"
cp "${ZABBIX_BIN_DIR}.tar.gz" /tmp/
echo "Compiled zabbix agent binaries at: /tmp/${ZABBIX_BIN_DIR}.tar.gz"
