Discussion thread for official Zabbix Template TLS/SSL certificates monitoring

This topic has been answered.
  • gccarvalho
    Junior Member
    • Nov 2021
    • 5

    #16
    Hello, I started to use this Template today. I installed it and configured it in my Zabbix agent2 5.4.8. In the host's Macros I configured {$CERT.EXPIRY.WARN} = 3, {$CERT.WEBSITE.HOSTNAME} = my Zabbix server hostname that has a wildcard (*.mydomain.com), and {$CERT.WEBSITE.IP} = my Zabbix server IP, but I'm getting a problem on this host, Cert: SSL certificate is invalid. What could it be? Thanks.

    Comment

    • gccarvalho
      Junior Member
      • Nov 2021
      • 5

      #17
      If I insert <myzabbix.mydomain.com.br> into the Macros, I get this error when I try to execute the item: Website certificate by Zabbix agent 2: Cert: Get web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]
      12/02/2021 04:56:58 PM failed to verify certificate: x509: certificate is valid for *.mydomain.com.br, mydomain.com.br, not <mydomain.com.br>
      and when I tried to change the Macros to only mydomain.com.br without the <>, I got this error:
      12/02/2021 04:57:41 PM failed to verify certificate: x509: certificate signed by unknown authority
      I really didn't understand what information I have to put there.

      If I run the command on my Zabbix Server "zabbix_get -s 127.0.0.1 -k web.certificate.get[zabbix.mydomain.com.br,443,IPFROMMYZABBIX]" I get the result prompted OK.

      Thanks

      Comment

      • gccarvalho
        Junior Member
        • Nov 2021
        • 5

        #18
        Hmm, I got the problem fixed. I put in another domain that we have that uses the same SSL, and now it works. If I try to use the same URL from the Zabbix server I get the problem.

        Comment

        • JoVY2326
          Junior Member
          • Dec 2021
          • 1

          #19
          Hello,

          I would like to use this for monitoring of SSL certificates which are issued by our local CA. However, I am getting the following results:
          Cert: Validation result = invalid
          Cert: Last validation status = failed to verify certificate: x509: certificate signed by unknown authority

          and as a result the following problem is triggered:
          Cert: SSL certificate is invalid

          Where should I put my local CA certificates so that I get a valid result?

          Thanks

          Comment

          • dkplayer
            Junior Member
            • Oct 2021
            • 3

            #20
            Originally posted by JoVY2326
            Hello,

            I would like to use this for monitoring of SSL certificates which are issued by our local CA. However, I am getting the following results:
            Cert: Validation result = invalid
            Cert: Last validation status = failed to verify certificate: x509: certificate signed by unknown authority

            and as a result the following problem is triggered:
            Cert: SSL certificate is invalid

            Where should I put my local CA certificates so that I get a valid result?

            Thanks
            Install the root CA cert on the monitored server and restart the agent.

            I wrote instructions in Russian: https://www.k7d.ru/it/zabbix-monitor...rvera-agentom/

            Comment

            • leksykoon
              Junior Member
              • Dec 2021
              • 4

              #21
              Hello Everyone,

              I've just started to use this template and it works, but it doesn't fit my needs.
              What I need to achieve is to have SSL validation monitoring for many websites. It should be configured on one Zabbix Agent, so from one Zabbix Host there will be many SSL checks.
              The problem I encountered is that the template allows monitoring only one DNS hostname.

              My idea is to copy the template, adjust it for each website and import the template to Zabbix, but I don't think it is an optimal solution.
              I went through all previous posts on this case and I saw that some people also have this problem.

              Do you know if there is any additional option to achieve this, or do I need to clone the template?
              I will be thankful for any suggestions.

              Comment

              • jens@gitservice.dk
                Junior Member
                • Mar 2021
                • 2

                #22
                Originally posted by leksykoon
                Hello Everyone,

                I've just started to use this template and it works, but it doesn't fit my needs.
                What I need to achieve is to have SSL validation monitoring for many websites. It should be configured on one Zabbix Agent, so from one Zabbix Host there will be many SSL checks.
                The problem I encountered is that the template allows monitoring only one DNS hostname.

                My idea is to copy the template, adjust it for each website and import the template to Zabbix, but I don't think it is an optimal solution.
                I went through all previous posts on this case and I saw that some people also have this problem.

                Do you know if there is any additional option to achieve this, or do I need to clone the template?
                I will be thankful for any suggestions.
                You might want to look at this script: https://github.com/kulpin74/zabbix-ssl
                All domains are entered into a json file so in zabbix there is only one host.

                Comment

                • jens@gitservice.dk
                  Junior Member
                  • Mar 2021
                  • 2

                  #23
                  Looking at the template Website certificate by Zabbix agent 2 I am wondering why I have to input the website name twice. Once as the name of the host when creating and once more as the string for the macro {$CERT.WEBSITE.HOSTNAME}.
                  Wouldn't it be possible to reuse the string for the host name?

                  Comment

                  • propusgemini@gmail.com
                    Senior Member
                    • Mar 2018
                    • 108

                    #24
                    New error:

                    zabbix_get -s 127.0.0.1 -k web.certificate.get[google.com]
                    ZBX_NOTSUPPORTED: Cannot fetch data: dial tcp 142.250.184.78:443: i/o timeout.


                    Firewall rules are opened, traffic passing OK.
                    Any ideas?

                    **Resolved**
                    Last edited by [email protected]; 20-01-2022, 22:04.

                    Comment


                    • nuri
                      nuri commented
                      Hello;

                      If Agent2 has been running on Microsoft 2016 Server / IIS 10, please check the BINDING parameter, specifically the "Require Server Name Indication" box.
                      Uncheck the box next to this setting.
                      I have done it, and the ZBX_NOTSUPPORTED: message has disappeared.
                      Test it on the Windows Server with the command zabbix_agent2 -t web.certificate.get[<website_DNS_name>]; it should give the certificate info.
                      Also run the command zabbix_get -s <ip address of the agent2> -k web.certificate.get[<domain name>] on the Zabbix Server; this should also give the certificate info.
                      But on my side, the item "web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]" still gives "Cannot fetch data: dial tcp <ip address of agent2>:443: i/o timeout."
                  • highpeak
                    Member
                    • Nov 2019
                    • 30

                    #25
                    OK, so I'm not the only one confused as to how to monitor multiple sites/virtual hosts with a single agent. If I want to check the certs of google.com and aws.com then I'd need 2 VM's each running an agent just to check an external site? Or I'd need to manually re-create all of the items and triggers for each site I need to check, which really invalidates the use of templates.

                    Comment

                    • EHRETic
                      Member
                      • Jan 2021
                      • 45

                      #26
                      Hi there,

                      I have a Zabbix 6.0 server (migrated from 5.4) and downloaded the latest certificate template from the GIT to start checking my web apps' certificates.
                      The problem is: I get the following error when I configure the template on my host:

                      [Image: 2022-02-25 16_48_11.png]

                      I've added the correct FQDN in the host's MACROS, which is also the same name as in the cert subject and alternative name, but I still get the "invalid" tag:

                      [Image: 2022-02-25 16_49_36.png]
                      The CA is my internal one (Microsoft Active Directory based) and this particular host is a Linux host running NGINX, but I got a bunch of them and this one is kind of my pilot.
                      It doesn't seem to be a problem on Windows hosts.

                      Any clue where I should start looking? Thanks in advance.
                      Last edited by EHRETic; 25-02-2022, 18:02.

                      Comment

                      • EHRETic
                        Member
                        • Jan 2021
                        • 45

                        #27
                        Edit from my previous post: I had to add my CA certificate to the trusted anchors of every host.

                        If somebody can add the fact that the CA certificate has to be trusted to the documentation, that would be perfect!
                        Last edited by EHRETic; 28-02-2022, 15:12.

                        Comment

                        • DBazz
                          Junior Member
                          • Mar 2022
                          • 1

                          #28
                          Hi there!
                          Got an issue retrieving cert values... from my Zabbix server
                          Code:
                          zabbix_get -s xxx.yyy.zzz.uuu -k web.certificate.get[myserver-agent.mydomain.org] --tls-connect psk --tls-psk-identity "PSK ID" --tls-psk-file psk
                          Gives me
                          Code:
                          ZBX_NOTSUPPORTED: Cannot fetch data: dial tcp xxx.yyy.zzz.uuu:443: connect: connection refused.
                          If I put
                          Code:
                          zabbix_get -s xxx.yyy.zzz.uuu -k web.certificate.get[localhost] --tls-connect psk --tls-psk-identity "PSK ID" --tls-psk-file psk
                          I get data but, of course, the certificate is invalid because the cert does not belong to localhost...
                          Port 443 is open (website is online)

                          Comment

                          • mustafa.kutlu
                            Junior Member
                            • Mar 2022
                            • 1

                            #29
                            Dear Forum members,

                            We started using the Website certificate by Zabbix agent 2 template this week, which is working fine overall!
                            But for one of our customers, which is using a self-signed SSL certificate we are getting the following error:
                            Code:
                            failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead
                            Now we have Googled for this particular issue and some people have provided a fix. Stackoverflow link. Stackoverflow link 2.
                            This issue would be fixed by adding the -addtext flag to your command when creating the certificate.

                            The problem is that our client is using this self-signed certificate in production and that we cannot replace the current certificate with a (fixed) new one.

                            Is there any way we can fix our monitoring without replacing the certificate? The self signed certificate has ~40-ish years left to expire.

                            Thank you in advance,

                            Kind regards,
                            Mustafa

                            Comment

                            • Tristis Oris
                              Member
                              • Sep 2015
                              • 66

                              #30
                              Any possibility to use this template with an active agent?

                              I changed the item type to agent active, but on execute it says "Cannot send request: wrong item type."

                              This always works with other templates.

                              Comment
