custom ssl certificate monitoring with zabbix

description

we are all supposed to use the official thing right? it goes as such

from the zabbix server

    apt install jq
    zabbix_get -s ZABBIX-AGENT2 -k 'web.certificate.get[some.domain.tld]' | jq

however it is awful to handle multiple ssl endpoints at once, and requires zabbix server v7.4 for that matter.

custom ssl monitoring #1

agent setup

on the zabbix agent2

    cd /etc/zabbix/
    vi ssldomains

    some.domain.tld
    another.domain.tld

    cd /etc/zabbix/
    vi ssl.bash

    #!/bin/bash
    # print zabbix low-level discovery JSON: one {#SSLDOMAIN} entry per domain in ssldomains
    domains=$(cat /etc/zabbix/ssldomains)
    echo -n '{"data":['
    for domain in $domains; do
        # all records as one line to catch the trailing comma
        echo -n "{\"{#SSLDOMAIN}\":\"$domain\"},"
    done | sed 's/,$//'
    echo ']}'

    chmod +x ssl.bash

    cd /etc/zabbix/zabbix_agent2.d/plugins.d/
    vi ssl.conf

    UserParameter=ssl.discovery,/etc/zabbix/ssl.bash

template

import https://github.com/marcpope/zabbix-multisslperhost/blob/main/zbx_ssl_template.yaml

name: SSLCheckCustom
template groups: templates/applications
descr: https://github.com/marcpope/zabbix-multisslperhost

custom ssl monitoring #2

agent setup

on the zabbix agent2

    wget https://github.com/szazeski/checkssl/releases/download/v0.5.0/checkssl_0.5.0_$(uname -s)_$(uname -m).tar.gz \
        -O checkssl.tar.gz
    tar -xf checkssl.tar.gz
    rm -f README.md LICENSE
    mv -i checkssl /usr/local/bin/
    chmod +x /usr/local/bin/checkssl

    cd /etc/zabbix/
    vi zabbix_agent2.conf

    AllowKey=system.run[*]

    cd /etc/zabbix/
    vi wrapper-checkssl

    #!/bin/bash
    # require a domain argument, then check it with checkssl
    [[ -z $1 ]] && echo 'domain?' && exit 1
    /usr/local/bin/checkssl -days=5 -no-color "$1"

    chmod +x wrapper-checkssl

    cd /etc/zabbix/zabbix_agent2.d/plugins.d/
    vi ssl2.conf

    UserParameter=ssl2.discovery,/etc/zabbix/ssl.bash

note we’re pointing to the same domain listing script as above

template
name        checkssl
groups      templates/applications
descr       https://www.checkssl.org/

discovery rules
name        checkssl discovery
key         ssl2.discovery
interval    10m
period      30d

item prototypes
name        checkssl item proto
key         system.run[/etc/zabbix/wrapper-checkssl {#SSLDOMAIN}]
type        text
interval    1m
period      90d

trigger prototypes
name        checkssl trigger proto
expression  find(/checkssl/system.run[/etc/zabbix/wrapper-checkssl {#SSLDOMAIN}],,"regexp","PASS")=0
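
added example, not part of the original notes or of the checkssl project: a variant of the #2 wrapper-checkssl that validates its argument before handing it to checkssl, so a {#SSLDOMAIN} value that is not a plain hostname (or that starts with - and would be read as an option) never reaches the command line. the function names valid_domain and run_check and the FAIL message are assumptions made for this example.

```shell
#!/bin/sh
# added example: /etc/zabbix/wrapper-checkssl with argument validation
# assumption: checkssl is installed at /usr/local/bin/checkssl as in the steps above
LC_ALL=C; export LC_ALL                 # make the character ranges below byte-exact

# valid_domain NAME -> status 0 if NAME looks like a plain DNS hostname, 1 otherwise
valid_domain() {
    d=$1
    [ -n "$d" ] || return 1             # empty argument
    [ "${#d}" -le 253 ] || return 1     # longer than a DNS name can be
    case $d in
        *[!A-Za-z0-9.-]*) return 1 ;;   # anything besides letters, digits, dot, hyphen
        .*|*.|-*|*-)      return 1 ;;   # leading/trailing dot or hyphen (option-like)
        *..*|*.-*|*-.*)   return 1 ;;   # empty label, or a label edged by a hyphen
    esac
    return 0
}

# run_check NAME -> checkssl output, or a fixed FAIL line for a rejected argument
run_check() {
    if ! valid_domain "$1"; then
        # fixed text: the rejected value is not echoed back into the item
        echo "FAIL invalid domain argument"
        return 2
    fi
    /usr/local/bin/checkssl -days=5 -no-color "$1"
}

if [ "$#" -gt 0 ]; then
    run_check "$1"
else
    echo "usage: wrapper-checkssl DOMAIN" >&2
fi
```

the FAIL line contains no PASS, so the trigger prototype above also fires on a rejected argument. AllowKey=system.run[*] still lets the server run any command on the agent; the restrict_checks page listed under agent scripts covers narrowing that pattern.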

resources

https://support.zabbix.com/browse/ZBX-22090 ==> import msg no worries

the official thing

https://www.zabbix.com/integrations/ssl

https://www.zabbix.com/documentation/current/en/manual/guides/monitor_certificate

https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2

https://blog.zabbix.com/handy-tips-9-native-ssl-tls-certificate-monitoring/17463/

discovery

https://www.zabbix.com/documentation/current/en/manual/config/items/userparameters

alternatives

https://github.com/marcpope/zabbix-multisslperhost ==> used above for #1 - works but only checks expiration

https://github.com/a-schild/zabbix-ssl ==> outdated and briefly tested (template doesn't seem to work)

https://github.com/Cybertinus/zabbix-ssl-check

https://gist.github.com/Abdukosim/3329745108a9a571ff64fc76ba75257b ==> only expiration time


agent scripts

https://www.zabbix.com/documentation/current/en/manual/config/items/userparameters

https://www.zabbix.com/documentation/current/en/manual/config/items/restrict_checks

https://www.zabbix.com/documentation/current/en/manual/config/items/itemtypes/zabbix_agent/zabbix_agent2

https://www.zabbix.com/documentation/current/en/manual/config/items/itemtypes/zabbix_agent#system.run

https://www.zabbix.com/documentation/6.0/en/manual/web_interface/frontend_sections/administration/scripts

https://sbcode.net/zabbix/system-run/


Licensed under MIT