Discussion thread for official Zabbix Template TLS/SSL certificates monitoring
  • nuri
    Junior Member
    • Jan 2015
    • 14

    #31
    Dear Forum members,

    If you receive the message below after you have initiated a test within the Zabbix host's WEB.GET(cert) item and
    by the "zabbix_agent2 -t web.certificate.get[<website_DNS_name>]" command executed at the web server
    and also by "zabbix_get -s <web server ip address> -k web.certificate.get[<website_DNS_name>]":

    "ZBX_NOTSUPPORTED: Cannot fetch data: dial tcp <IP ADDRESS>:443: i/o timeout."

    please first check your firewall rules for the web server if the web server is behind a public IP NAT'ed to a local IP.

    If your web server is NAT'ed, you have to create a "U-TURN NAT" policy for the web server if your web server is behind a PALO ALTO firewall,
    or you have to create a "NAT TURN - HAIR PINNING" policy for the web server if your web server is behind a FORTIGATE firewall.

    After you enable the above policies, if the other configs have been set correctly, you will see the SSL certificate data fetched successfully.

    Hope this will help.

    Kind Regards,
    Nuri.



    • johnb321
      johnb321 commented
      Hello Nuri. I'm getting the error below. Any ideas? Help! :-)

      zabbix_get -s 127.0.0.1 -k web.certificate.get[google.com]
      ZBX_NOTSUPPORTED: Unsupported item key.
  • DUGi
    Junior Member
    • Apr 2022
    • 5

    #32
    Hello,

    Is there a possibility to add to the template a new calculated item - "remaining days to expire" - and create a graph from it?
    I tried to create an item which will calculate it but I'm doing something wrong.

    Formulas which I tried:
    (last(cert.not_after) - now()) / 86400
    (last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400
    last(cert.not_after)
    last("cert.not_after")

    I'm not able to use the item with key cert.not_after in a formula at all.
    Can someone more experienced help?

    Thanks
    I'm using Zabbix 6.0.3

    • DUGi
      Junior Member
      • Apr 2022
      • 5

      #33
      I found the correct syntax: floor((last(//cert.not_after) - now()) / 86400)


      • Dr. Strangelove
        Dr. Strangelove commented
        Or if you use Grafana and only want days try: round((last(//cert.not_after) - now())/ 86400,0)
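The calculated item above turns the cert.not_after timestamp into a day count. As an added example (not code from this thread or from the Zabbix template), the Python below walks the same pipeline outside Zabbix: it reads a constructed sample of the agent's web.certificate.get JSON (the field layout, x509.not_after.timestamp and result.value/message, is assumed from what the template extracts), applies the same floor((not_after - now) / 86400) arithmetic, and shows how an expired certificate yields a negative count and how a failed verification short-circuits the date check. The warn_days threshold is a constructed parameter, not a template macro.

```python
import json
import math

# Constructed sample of what zabbix_agent2's web.certificate.get item returns.
# The field layout is an assumption based on what the template reads
# ($.x509.not_after.timestamp for cert.not_after, $.result.value/message for
# the validation items); only the fields used below are included.
VALID_CERT = json.dumps({
    "x509": {
        "subject": "CN=www.example.test",
        "issuer": "CN=Example Intermediate CA",
        "not_before": {"value": "Jan 01 00:00:00 2024 GMT", "timestamp": 1704067200},
        "not_after": {"value": "Mar 31 23:59:59 2024 GMT", "timestamp": 1711929599},
    },
    "result": {"value": "valid", "message": "certificate verified successfully"},
})

# Same certificate, but checked from a host whose trust store lacks the
# issuing CA (the error text is the one quoted later in this thread).
UNTRUSTED_CERT = json.dumps({
    "x509": {
        "subject": "CN=www.example.test",
        "issuer": "CN=Example Intermediate CA",
        "not_before": {"value": "Jan 01 00:00:00 2024 GMT", "timestamp": 1704067200},
        "not_after": {"value": "Mar 31 23:59:59 2024 GMT", "timestamp": 1711929599},
    },
    "result": {"value": "invalid",
               "message": "failed to verify certificate: x509: certificate signed by unknown authority"},
})


def cert_not_after(agent_output):
    """Mirror the JSONPath preprocessing that feeds the cert.not_after item."""
    return int(json.loads(agent_output)["x509"]["not_after"]["timestamp"])


def cert_validation(agent_output):
    """Mirror the items that carry the check result and its message."""
    result = json.loads(agent_output)["result"]
    return result["value"], result["message"]


def days_to_expiry(not_after_ts, now_ts):
    """The calculated item from post #33: floor((last(//cert.not_after) - now()) / 86400).
    floor() rounds towards minus infinity, so an expired certificate yields a
    negative count rather than 0."""
    return math.floor((not_after_ts - now_ts) / 86400)


def classify(agent_output, now_ts, warn_days=7):
    """Return (days_left, state) the way a trigger would see it.
    warn_days is a constructed threshold, not a macro from the template."""
    value, message = cert_validation(agent_output)
    if value != "valid":
        # A failed verification is reported before any date arithmetic.
        return None, "check failed: " + message
    days = days_to_expiry(cert_not_after(agent_output), now_ts)
    if days < 0:
        return days, "expired"
    if days <= warn_days:
        return days, "expiring soon"
    return days, "ok"


if __name__ == "__main__":
    for now in (1711000000, 1711500000, 1712000000):
        print(now, classify(VALID_CERT, now))
    print(classify(UNTRUSTED_CERT, 1711000000))
```

The three timestamps in the usage loop fall 10 days before, 4 days before and just after the sample's expiry, which is enough to see all three states; the negative result for the last one is what a "days remaining" graph will show once a certificate has lapsed.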
    • LordGraves
      Junior Member
      • Jan 2022
      • 17

      #34
      I have the cert monitoring working. I configured the inherited and template macros page and specified a FQDN and IP address of a local host. Everything works. However, when I add this template to another host and configure the macro, I see that it's still pointing to the first FQDN and IP. If I change it to the current host, then it changes it everywhere.

      I need to be able to monitor the cert of each host and I am not sure how to do that. Haven't found any documentation on it at all.

      Right now, I am trying to manually create each macro list on 3 different hosts as a test case. Waiting to see if the data comes up or not. There seem to be only 4 macros associated with the function.

      So far, I'm seeing no data using the manually created macros.
      Last edited by LordGraves; 23-05-2022, 18:50.

      • ltep
        Member
        • Nov 2022
        • 42

        #35
        I'm using this template to monitor TLS/SSL certificates by Zabbix agent 2. I was able to set up hosts with the template linked and successfully read the certificate data in the latest data for the host.
        The hosts are all using the same wildcard certificate we use for internal web applications.

        One of the hosts is showing "failed to verify certificate: x509: certificate signed by unknown authority" for item "Last check result message" while it's using the same valid wildcard certificate used by the other hosts showing "valid". The command "zabbix_get -s 127.0.0.1 -k web.certificate.get[url website]" is showing the same error "failed to verify certificate: x509: certificate signed by unknown authority".

        Any advice please why it is showing this error message?





        • jens@gitservice.dk
          jens@gitservice.dk commented
          You need to add the CA public key to your system.
          In linux you put the certificate under /etc/pki/ca-trust/source/anchors and then run update-ca-trust followed by a reboot.
      • ltep
        Member
        • Nov 2022
        • 42

        #36
        Hi Jens,
        I understand your answer. But shouldn't it be trusted by default as it is a public wildcard ssl cert?



        • jens@gitservice.dk
          jens@gitservice.dk commented
          In my experience not all CA certificates are distributed in the various maintained packages, for various reasons. In RHEL and derivatives the package ca-certificates.noarch just contains the public keys and is applied to the system the same way as I described above.
      • Markku
        Senior Member
        Zabbix Certified Specialist, Zabbix Certified Professional, Zabbix Certified Expert
        • Sep 2018
        • 1781

        #37
        ltep, are you sure the servers are identically configured to also provide the intermediate CA certificate? If the intermediate CA certificate is not offered by the server, the certificate chain is incomplete and the client might not be able to check the trust chain. Note that when testing with common browsers they don't necessarily complain about that, because they may cache the intermediate CA certificate if they have seen it earlier elsewhere.

        (Intermediate CA = the CA that actually signed the server certificate, as usually the root CAs sign intermediate CA certificates only, for security reasons. The publicly trusted root CA certificates are included in the systems, while the intermediate CA certificates are bundled with the server certificates.)

        From memory, you can check the certificates with the openssl s_client -connect command. You can also use tests like https://www.ssllabs.com/ssltest/ if your servers are public.

        Markku
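To make the chain check above concrete, here is an added example (my own code, not Markku's and not part of the Zabbix project) that parses the text `openssl s_client -connect host:443 -servername host -showcerts </dev/null` prints and tells a server that did not send its intermediate apart from a client that simply lacks the CA in its trust store. The three s_client outputs are constructed, with invented subject names and elided certificate bodies; the assumption is that OpenSSL reports verify errors 20 and 21 at depth 0 when the leaf's issuer is neither sent by the server nor known locally, and at depth 1 or higher when the chain is complete but its root is not trusted.

```python
import re

# Constructed samples of `openssl s_client ... -showcerts` output with
# certificate bodies elided; names are invented. Only the lines the parser
# reads are kept.

# Server sends only its leaf certificate: the intermediate is missing.
LEAF_ONLY = """\
CONNECTED(00000003)
depth=0 CN = www.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

# Server sends leaf and intermediate; the root is in the local trust store.
FULL_CHAIN = """\
CONNECTED(00000003)
depth=2 C = XX, O = Example CA, CN = Example Root CA
verify return:1
depth=1 C = XX, O = Example CA, CN = Example Intermediate CA
verify return:1
depth=0 CN = www.example.test
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

# Server sends the full chain, but this client does not trust the root
# (the situation behind "certificate signed by unknown authority").
UNTRUSTED_ROOT = """\
CONNECTED(00000003)
depth=1 C = XX, O = Example CA, CN = Example Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = www.example.test
   i:C = XX, O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Intermediate CA
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
---
"""

CHAIN_ENTRY = re.compile(r"^ *(\d+) s:(.*)\n *i:(.*)$", re.MULTILINE)
VERIFY_ERROR = re.compile(r"^depth=(\d+) .*\nverify error:num=(\d+):(.*)$", re.MULTILINE)


def parse_chain(output):
    """(subject, issuer) pairs in the order the server presented them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in CHAIN_ENTRY.finditer(output)]


def verify_errors(output):
    """(depth, error number, message) for every verify error OpenSSL printed."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in VERIFY_ERROR.finditer(output)]


def chain_gaps(output):
    """Issuers that the next certificate in the sent chain does not match.
    The last certificate's issuer is expected to come from the local trust
    store, so it is not counted as a gap."""
    chain = parse_chain(output)
    return [issuer for (_, issuer), (next_subject, _) in zip(chain, chain[1:])
            if issuer != next_subject]


def assess(output):
    chain = parse_chain(output)
    errors = verify_errors(output)
    # Error 20/21 at depth 0: OpenSSL found the leaf's issuer neither in the
    # sent chain nor locally, so the server did not send the intermediate.
    if any(depth == 0 and num in (20, 21) for depth, num, _ in errors):
        return "incomplete chain: server sent %d certificate(s) and the leaf issuer '%s' is not among them" % (
            len(chain), chain[0][1] if chain else "?")
    gaps = chain_gaps(output)
    if gaps:
        return "chain out of order or with gaps at: " + "; ".join(gaps)
    if errors:
        # The chain as sent is complete; verification failed higher up, i.e.
        # the issuing CA is not in this client's trust store.
        return "chain complete as sent, but not trusted locally: " + "; ".join(
            "depth %d: %s" % (d, msg) for d, _, msg in errors)
    return "chain complete and verified"


if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY), ("full chain", FULL_CHAIN), ("untrusted root", UNTRUSTED_ROOT)):
        print(name + ": " + assess(sample))
```

The distinction matters for this thread: the first verdict is fixed on the server (bundle the intermediate with the server certificate), the last one on the monitoring host (add the CA to the trust store, as described in the comments above); running the check on the Zabbix agent host rather than from a browser avoids the cached-intermediate effect Markku mentions.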


        • arshadd
          Junior Member
          • Jan 2023
          • 2

          #38

          I want to use the MSSQL by ODBC template on some servers. The issue I have is that one server I want to use it on has 5 instances installed. Is it possible to monitor more than one instance with the server, or would I have to create copies of the template so I have one per instance?


          • Satrier
            Junior Member
            • Mar 2023
            • 3

            #39
            Please tell me, if I have a lot of domain names on the server, I want to discover them and add them to one host in Zabbix, how can I do this?
            Is there a possibility?


            • fveegaert
              Junior Member
              • Dec 2022
              • 6

              #40
              Hello,
              If you want to monitor multiple certificates from the same host you can use discovery based on a JSON to create multiple certificate entries.
              I made one template for my company, here is the description:
              Code:
              This template uses the zabbix-agent2 web.certificate.get item. It includes two methods to discover the certificate information. You can disable the one you're not using. Methods are:

              - With a macro that includes the certificate information

              You need to set a user macro {$CERT_SUPERVISION} containing all the information in JSON format:

              {"data":[
              {
              "{#CERTDESC}":"www.zabbix.com",
              "{#CERTIP}":"104.26.7.148",
              "{#CERTPORT}":"443",
              "{#CERTSNI}":"www.zabbix.com"
              },{
              "{#CERTDESC}":"domain.tld",
              "{#CERTIP}":"127.0.0.1",
              "{#CERTPORT}":"443",
              "{#CERTSNI}":"domain.tld"}
              ]}

              The macro is limited to 2048 characters.

              - With a file that includes the certificate information. Be careful, the JSON is not the same.

              You need to create a JSON file containing all the information:

              {"data":[
              {
              "{#CERTDESC2}":"www.zabbix.com",
              "{#CERTIP2}":"104.26.7.148",
              "{#CERTPORT2}":"443",
              "{#CERTSNI2}":"www.zabbix.com"
              },{
              "{#CERTDESC2}":"domain.tld",
              "{#CERTIP2}":"127.0.0.1",
              "{#CERTPORT2}":"443",
              "{#CERTSNI2}":"domain.tld"}
              ]}

              Then set the macro {$CERT_SUPERVISION_FILE} containing the path to this file.
              Template -> Web certificate check by agent2.zip


              • jerometeano
                jerometeano commented
                Hi! I tried using this template for multiple cert. When I link this template to a host, triggers and items are not generating for this template. Is this because of the trigger prototype name? Need assistance on how to make this work. Please note that I used the json file for the cert information. Thank you.
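Because a discovery rule can only create items from JSON it can parse, here is an added example (my own code, not part of fveegaert's template) that checks a {$CERT_SUPERVISION} value or a {$CERT_SUPERVISION_FILE} file before it goes into Zabbix: JSON syntax, the four LLD macro names of each variant, the 2048-character macro limit, the port range and duplicate targets. The sample values are constructed placeholders; the duplicate-target check assumes that two rows expanding to the same item key are unwanted.

```python
import json

# LLD macro names from the template description above; the file variant
# uses the same names with a trailing "2".
REQUIRED_MACROS = ("{#CERTDESC}", "{#CERTIP}", "{#CERTPORT}", "{#CERTSNI}")
MACRO_LIMIT = 2048  # user macro length limit quoted in the post


def validate_discovery(text, variant="macro"):
    """Return a list of problems with a discovery JSON; an empty list means it
    is usable. variant="file" checks the {$CERT_SUPERVISION_FILE} layout."""
    problems = []
    suffix = "2" if variant == "file" else ""
    required = tuple(name.replace("}", suffix + "}") for name in REQUIRED_MACROS)
    if variant == "macro" and len(text) > MACRO_LIMIT:
        problems.append("macro value is %d characters, limit is %d" % (len(text), MACRO_LIMIT))
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Nothing can be discovered from unparseable JSON; report where it breaks.
        problems.append("not valid JSON: %s (line %d, column %d)" % (exc.msg, exc.lineno, exc.colno))
        return problems
    rows = doc.get("data") if isinstance(doc, dict) else None
    if not isinstance(rows, list):
        problems.append('top level must be an object with a "data" array')
        return problems
    seen = set()
    for index, row in enumerate(rows):
        if not isinstance(row, dict):
            problems.append("entry %d: not an object" % index)
            continue
        missing = [name for name in required if name not in row]
        if missing:
            problems.append("entry %d: missing %s" % (index, ", ".join(missing)))
            continue
        port = str(row[required[2]])
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            problems.append("entry %d: port %r is not a valid TCP port" % (index, port))
        target = (row[required[1]], port, row[required[3]])
        if target in seen:
            # Two rows expanding to the same item key would collide in the LLD rule.
            problems.append("entry %d: duplicate of an earlier entry %r" % (index, target))
        seen.add(target)
    return problems


# Constructed macro value in the layout from the post (IPs and names are placeholders).
MACRO_OK = json.dumps({"data": [
    {"{#CERTDESC}": "www.example.test", "{#CERTIP}": "192.0.2.10", "{#CERTPORT}": "443", "{#CERTSNI}": "www.example.test"},
    {"{#CERTDESC}": "mail.example.test", "{#CERTIP}": "192.0.2.11", "{#CERTPORT}": "8443", "{#CERTSNI}": "mail.example.test"},
]})

# A hand-edited value with a missing opening quote, the kind of slip json.loads rejects.
MACRO_BROKEN = '{"data":[{"{#CERTDESC}":domain.tld","{#CERTIP}":"127.0.0.1","{#CERTPORT}":"443","{#CERTSNI}":"domain.tld"}]}'

# File layout (macros suffixed with 2); validating it as the macro variant
# shows why the post warns that "the JSON is not the same".
FILE_OK = json.dumps({"data": [
    {"{#CERTDESC2}": "www.example.test", "{#CERTIP2}": "192.0.2.10", "{#CERTPORT2}": "443", "{#CERTSNI2}": "www.example.test"},
]})

# Mistakes the checker catches: a duplicate target and an out-of-range port.
MACRO_BAD_ROWS = json.dumps({"data": [
    {"{#CERTDESC}": "a", "{#CERTIP}": "192.0.2.10", "{#CERTPORT}": "443", "{#CERTSNI}": "a.example.test"},
    {"{#CERTDESC}": "b", "{#CERTIP}": "192.0.2.10", "{#CERTPORT}": "443", "{#CERTSNI}": "a.example.test"},
    {"{#CERTDESC}": "c", "{#CERTIP}": "192.0.2.12", "{#CERTPORT}": "70000", "{#CERTSNI}": "c.example.test"},
]})


if __name__ == "__main__":
    for label, text, variant in (("macro ok", MACRO_OK, "macro"), ("broken", MACRO_BROKEN, "macro"),
                                 ("file as macro", FILE_OK, "macro"), ("file ok", FILE_OK, "file"),
                                 ("bad rows", MACRO_BAD_ROWS, "macro")):
        print(label, validate_discovery(text, variant) or "OK")
```

Running the checker over the value before pasting it into the host macro is cheaper than waiting for the discovery interval to see whether items appear; a validation error for a file is reported the same way when the file's contents are passed in with variant="file".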
            • jerometeano
              Junior Member
              • Sep 2022
              • 7

              #41
              Hi, I'm trying to import the template for this in Zabbix version 6.2. I'm getting the error: Invalid tag "/zabbix_export/version": unsupported version number. I'm importing this template from the Zabbix repo, template_app_certificate_agent2.yaml. Need assistance on how to configure this. Thank you.


              • fveegaert
                Junior Member
                • Dec 2022
                • 6

                #42
                Originally posted by jerometeano
                Hi, I'm trying to import the template for this in Zabbix version 6.2. I'm getting the error: Invalid tag "/zabbix_export/version": unsupported version number. I'm importing this template from the Zabbix repo, template_app_certificate_agent2.yaml. Need assistance on how to configure this. Thank you.
                You need to switch the repo branch to 6.0 https://github.com/zabbix/zabbix/tre...ificate_agent2


                • pbpm
                  Junior Member
                  • Nov 2010
                  • 5

                  #43
                  Originally posted by ltep
                  Hi Jens,
                  I understand your answer. But shouldn't it be trusted by default as it is a public wildcard ssl cert?

                  jens@gitservice.dk commented
                  14-12-2022, 16:41
                  You need to add the CA public key to your system.
                  In linux you put the certificate under /etc/pki/ca-trust/source/anchors and then run update-ca-trust followed by a reboot.
                  Many thanks to Jens: to make zabbix-agent2 work as expected, besides copying the certificate files and running update-ca-trust, only a restart of the agent was needed!!

                  What I don't know is whether this utility, update-ca-trust, is a standard tool or rather a RHEL one (Ubuntu seems to have update-ca-certificates).

                  Pietro


                  • jerometeano
                    Junior Member
                    • Sep 2022
                    • 7

                    #44
                    Hi,

                    Does anyone have a solution for monitoring multiple certificate in a single host? Thank you.


                    • fveegaert
                      Junior Member
                      • Dec 2022
                      • 6

                      #45
                      Originally posted by jerometeano
                      Hi,

                      Does anyone have a solution for monitoring multiple certificate in a single host? Thank you.
                      I answered your question above with a template I made.
