Saturday, June 25, 2011

Zabbix Fun - Tracking SSL Certificate Expiration Times

One of the most important things that an IT pro has to do is make sure the SSL certs for their sites don't expire. It's one of those weird little things that seems to fall through the cracks way too often. Happily, Zabbix can help keep track of this and make sure we take care of it.

For the record, I heavily borrowed this idea from http://aperto.fr/cms/en/15-blog-en/15-ssl-certificate-expiration-monitoring-with-zabbix.html, keeping the vast majority of his technical operation, and primarily changed how Zabbix is executing the check.

Step 1 - the script:


[root@sfo-it-zabbix-prod-01 ~]# cat /etc/zabbix/scripts/ssl_check.sh 
#!/usr/bin/env bash
# Usage: ssl_check.sh <hostname>
# Prints the number of whole days until the host's SSL certificate expires.
host=$1
port=443
# Fetch the certificate chain, keep the PEM block, and pull out the
# "Not After" date. stdin is redirected from /dev/null so s_client
# does not sit waiting for input.
end_date=$(openssl s_client -host "$host" -port "$port" -showcerts </dev/null 2>/dev/null |
          sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
          openssl x509 -text 2>/dev/null |
          sed -n 's/ *Not After : *//p')

if [ -n "$end_date" ]
then
    # Convert both dates to epoch seconds and report the difference in days
    # (integer division, so a negative value means the cert has already expired).
    end_date_seconds=$(date '+%s' --date "$end_date")
    now_seconds=$(date '+%s')
    echo "($end_date_seconds-$now_seconds)/24/3600" | bc
fi


This script takes a hostname as input, and looks up the associated SSL certificate using openssl. Example usage is:

[root@sfo-it-zabbix-prod-01 ~]# /etc/zabbix/scripts/ssl_check.sh www.gmail.com
176

The SSL Certificate for www.gmail.com expires in 176 days.


Now we add this as a custom parameter to Zabbix.


Step 2 - adding to zabbix_agentd.conf


UserParameter=cert_check[*],/etc/zabbix/scripts/ssl_check.sh $1


More information about creating custom checks in Zabbix can be found at http://www.zabbix.com/documentation/1.8/manual/config/user_parameters

Step 3 - setting up the Zabbix GUI

Since this will only change once per day, we really only care about checking it once every 24 hours, or 86400 seconds.


So now we're collecting data. If you look at the overview for the box running your Zabbix server (or wherever you placed this script and applied the template), you should see something similar to:


And that's cool. BUT, how do we get Zabbix to send us info if our certificates are getting close to expiring? The answer is TRIGGERS.

Information on Zabbix triggers is available at http://www.zabbix.com/documentation/1.8/manual/config/triggers. I created three alert levels. 

1. If the certificate is within 30 days of expiring, a standard level alert is sent out.
2. If the certificate is within 7 days of expiring, a high level alert is sent out.
3. If a certificate expires, a Disaster level alert is sent out.
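As an added illustration (not part of the original post), here is what the item and the three triggers look like written out for Zabbix 1.8, using the cert_check key from Step 2. The host/template name Template_SSL is assumed; the severities are set on each trigger in the GUI rather than in the expression.

```text
# Item (Configuration -> Items), one per monitored hostname:
#   Type:             Zabbix agent
#   Key:              cert_check[www.gmail.com]
#   Type of information: Numeric (integer)
#   Update interval:  86400

# Trigger 1 - severity "Average": fewer than 30 days left
{Template_SSL:cert_check[www.gmail.com].last(0)}<30

# Trigger 2 - severity "High": fewer than 7 days left
{Template_SSL:cert_check[www.gmail.com].last(0)}<7

# Trigger 3 - severity "Disaster": expired (script returns 0 or negative)
{Template_SSL:cert_check[www.gmail.com].last(0)}<=0

# Optional safety net: the script prints nothing if the cert cannot be
# fetched, so none of the triggers above would fire. Alert if no value
# has arrived for two check intervals.
{Template_SSL:cert_check[www.gmail.com].nodata(172800)}=1
```

With Zabbix's default settings the higher-severity triggers fire alongside the lower ones as the deadline approaches, so use trigger dependencies if you only want the most severe alert shown.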


And there you have it. Zabbix is now keeping an eye on our SSL Certificates, and will scream at us loudly to make sure we don't let it expire.
