[ZABBIX] SSL expiration monitoring with PHP+Zabbix

Ever wanted to get alerts about SSL certificate expirations? Zabbix is a perfect platform for monitoring and alerting. This guide shows how to monitor SSL expirations through Zabbix using a PHP script.

  • First we need to pick a server that will actually do the SSL checks and feed the results into Zabbix. This can be the Zabbix server itself, as long as you are monitoring the Zabbix server as usual with the Zabbix agent.
  • On the server you have picked, create /etc/zabbix/zabbix_agentd.d/userparameter_ssl_monitoring.conf, add the following content:

    UserParameter=trader418.ssl.script.exp[*],/usr/bin/php /opt/zabbix/zabbix.ssl.php $1
    
  • Next create the following file: /opt/zabbix/zabbix.ssl.php, and add the following content:

    (This is a really simple script and can be improved; it is more of a proof of concept.)

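    #!/usr/bin/php
    <?php
    // Usage: zabbix.ssl.php <hostname>; prints the days left until the certificate expires.
    if (!isset($argv[1]) || $argv[1] === "") {
        exit("no arg");
    }
    // Capture the peer certificate so it can be parsed after the handshake.
    $contextCreate = stream_context_create(array("ssl" => array("capture_peer_cert" => true)));
    $res = stream_socket_client("ssl://".$argv[1].":443", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $contextCreate);
    if ($res === false) {
        // Connection or TLS handshake failed; report it instead of parsing a missing certificate.
        exit("connect failed: ".$errstr);
    }
    $context = stream_context_get_params($res);
    $certInfo = openssl_x509_parse($context["options"]["ssl"]["peer_certificate"]);
    if ($certInfo === false) {
        exit("cert parse failed");
    }
    
    // Seconds until expiry, converted to days with two decimals.
    $exp = $certInfo['validTo_time_t'];
    $now = time();
    $diff = $exp - $now;
    print_r(number_format((float)$diff/86400, 2, '.', ''));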
    
  • Next, head to your Zabbix installation and, for the host you have installed the script on, create an item/key for each website whose SSL certificate you would like to monitor, with the following information:

    Name -> Anything you like
    Type -> Zabbix agent
    Key -> trader418.ssl.script.exp[yourdomain.co.uk]
    Type of information -> Numeric (float)
    Units -> Days
    Update interval -> 12h (Can be as often as you like but for data like this, data is not required to be pulled often)

After this is set up, you should be able to view the data.

Once set up, you can add alerts/triggers on the value, e.g. a trigger for less than 5 days that sends an email warning.
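A hardened variant of the script above, as an added example that is not the original author's code. PHP 5.6 and later verify the peer certificate by default, so the handshake to a host with an already expired certificate fails and no day count is produced; this version turns verification off to read the expiry date anyway (reporting a negative value once expired) and validates the hostname parameter before using it. It assumes PHP 7 or later, and the function names validate_host and days_left are made up for this example.

```php
#!/usr/bin/php
<?php
// Added example: hardened variant of zabbix.ssl.php, not the original script.

// Return the lower-cased hostname if it is a syntactically valid DNS name,
// otherwise null. This keeps ports, paths and shell metacharacters out of
// the "ssl://" target built from the item key parameter.
function validate_host($arg)
{
    if (!is_string($arg) || $arg === '' || strlen($arg) > 253) {
        return null;
    }
    $host = filter_var($arg, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
    return $host === false ? null : strtolower($host);
}

// Days until notAfter with two decimals; negative once the certificate expired.
function days_left($notAfter, $now)
{
    return number_format(($notAfter - $now) / 86400, 2, '.', '');
}

$host = validate_host($argv[1] ?? null);
if ($host === null) {
    fwrite(STDERR, "invalid hostname\n");
    exit(1);
}

// Verification is off only so that an expired certificate can still be
// fetched and parsed; no application data is sent over this connection.
$ctx = stream_context_create(array("ssl" => array(
    "capture_peer_cert" => true,
    "verify_peer"       => false,
    "verify_peer_name"  => false,
)));
$res = @stream_socket_client("ssl://$host:443", $errno, $errstr, 30,
                             STREAM_CLIENT_CONNECT, $ctx);
if ($res === false) {
    fwrite(STDERR, "connect failed: $errstr\n");
    exit(1);
}
$params = stream_context_get_params($res);
$cert = openssl_x509_parse($params["options"]["ssl"]["peer_certificate"]);
fclose($res);
if ($cert === false) {
    fwrite(STDERR, "certificate parse failed\n");
    exit(1);
}
echo days_left($cert['validTo_time_t'], time()), "\n";
```

It can replace /opt/zabbix/zabbix.ssl.php directly, so the UserParameter line and the item key stay the same.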
