Ever wanted to get alerts about SSL expiration’s? Zabbix is a perfect platform for monitoring and alerting. This guide will show how to monitor SSL expirations through Zabbix using a PHP script.
- First we need to pick a server that will actually be doing the SSL checks and feeding this into zabbix, this can be the zabbix server its self as long as you are monitoring the zbbix server as usual with the zabbix agent.
-
On the server you have picked, create /etc/zabbix/zabbix_agentd.d/userparameter_ssl_monitoring.conf, add the following content:
UserParameter=trader418.ssl.script.exp[*],/usr/bin/php /opt/zabbix/zabbix.ssl.php $1
-
Next create the following file: /opt/zabbix/zabbix.ssl.php, and add the following content:
(This is a really simple script and can be imrpoved, it is more a proof of concept)
#!/usr/bin/php <?PHP if($argv[1] == "" || !isset($argv[1])) { exit("no arg"); } $contextCreate = stream_context_create(array("ssl" => array("capture_peer_cert" => true))); $res = stream_socket_client("ssl://".$argv[1].":443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $contextCreate); $context = stream_context_get_params($res); $certInfo = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"]); $exp = $certInfo['validTo_time_t']; $now = time(); $diff = $exp - $now; print_r(number_format((float)$diff/86400, 2, '.', '')); -
Next, head to your Zabbix installation and for the host you have installed the script on, create an item/key for each website you would like to monitor the SSL on with the following information:
Name -> Anything you like
Type -> Zabbix agent
Key -> trader418.ssl.script.exp[yourdomain.co.uk]
Type of information -> Numeric (float)
Units -> Days
Update interval -> 12h (Can be as often as you like but for data like this, data is not required to be pulled often)
After this is setup, you should be able to view the data. It should look similar to this:
Once setup, you can then add alerts/triggers to the value. E.G. a trigger for less than 5 days that triggers an email warning.
