Discussion thread for official Zabbix Template TLS/SSL certificates monitoring

This topic has been answered.
  • d0d0
    Member
    • May 2023
    • 41

    #46
    Where is the correct location, and which settings need to be set, so that this template makes use of the CA certificate of my own CA?

    I am using the official containers zabbix/zabbix-server-mysql and zabbix/zabbix-proxy.
    Last edited by d0d0; 22-05-2023, 19:53.

    Comment

    • JollyJumper
      Junior Member
      • Mar 2023
      • 12

      #47
      I receive an error:
      Cannot evaluate function last(/server.name.com/cert.sha1_fingerprint,#2): not enough data

      I use wildcard cert, signed by external ssl provider

      Comment

      • JollyJumper
        Junior Member
        • Mar 2023
        • 12

        #48
        Originally posted by JollyJumper
        I receive an error:
        Cannot evaluate function last(/server.name.com/cert.sha1_fingerprint,#2): not enough data

        I use wildcard cert, signed by external ssl provider
        I have this error because I have this error below:
        failed to verify certificate: x509: certificate signed by unknown authority
        Which CA do I need to install when I use an external wildcard cert?

        btw: in the browser, my server/site is signed (green bar)

        Comment

        • petr.114
          Junior Member
          • Apr 2021
          • 6

          #49
          Hello, I deployed certificate monitoring a few days ago; all hosts work well except one, which is reporting "failed to verify certificate: x509: certificate signed by unknown authority".
          This is really weird, since I monitor another host signed by the same authority without any issue. The only difference I found is that this host has two "subject alternative name" entries.
          I wonder if that could be the issue.


          Cert: Valid from: 2023-05-12 23:57:24
          Cert: Expires on: 2023-08-10 23:57:23
          Cert: Issuer: CN=R3,O=Let's Encrypt,C=US
          Cert: Subject: CN=host.example.com
          Cert: Subject alternative name: ["host2.example.com","host.example.com"]
          Cert: Last validation status: failed to verify certificate: x509: certificate signed by unknown authority
          Cert: Validation result: invalid

          Comment

          • BScott
            Junior Member
            • Sep 2023
            • 5

            #50
            Originally posted by [email protected]
            Looking at the template Website certificate by Zabbix agent 2 I am wondering why I have to input the website name twice. Once as the name of the host when creating and once more as the string for the macro {$CERT.WEBSITE.HOSTNAME}.
            Wouldn't it be possible to reuse the string for the host name?
            Has anyone come up with a way to do this? It would be nice not to have to visit every single host to specifically re-add the host and IP for the template-specific macros when there are existing native macros that already contain this information, which we should be able to map to the template macros. Just make the value of {$CERT.WEBSITE.IP} map to {HOST.IP} and it's good to go.

            Comment

            • BScott
              Junior Member
              • Sep 2023
              • 5

              #51
              Originally posted by [email protected]

              You might want to look at this script: https://github.com/kulpin74/zabbix-ssl
              All domains are entered into a json file so in zabbix there is only one host.
              OK, dumb question: where does the ssl_check.json file with the host/port definitions go?

              Comment

              • BScott
                Junior Member
                • Sep 2023
                • 5

                #52
                Originally posted by fveegaert
                Hello,
                If you want to monitor multiple certificates from the same host you can use discovery based on a json to create multiple certificates entry.
                I made one template for my company, here is the description:
                Code:
                This template uses the zabbix-agent2 web.certificate.get item. It includes two methods to discover the certificate information. You can disable the one you're not using. The methods are:
                
                - With a macro that includes the certificate information
                
                You need to set a user macro {$CERT_SUPERVISION} containing all information in JSON format:
                
                {"data":[
                {
                "{#CERTDESC}":"www.zabbix.com",
                "{#CERTIP}":"104.26.7.148",
                "{#CERTPORT}":"443",
                "{#CERTSNI}":"www.zabbix.com"
                },{
                "{#CERTDESC}":"domain.tld",
                "{#CERTIP}":"127.0.0.1",
                "{#CERTPORT}":"443",
                "{#CERTSNI}":"domain.tld"}
                ]}
                
                Macro is limited to 2048 characters.
                
                - With a file that includes the certificate information. Be careful, the JSON is not the same.
                
                You need to create a JSON file containing all information:
                
                {"data":[
                {
                "{#CERTDESC2}":"www.zabbix.com",
                "{#CERTIP2}":"104.26.7.148",
                "{#CERTPORT2}":"443",
                "{#CERTSNI2}":"www.zabbix.com"
                },{
                "{#CERTDESC2}":"domain.tld",
                "{#CERTIP2}":"127.0.0.1",
                "{#CERTPORT2}":"443",
                "{#CERTSNI2}":"domain.tld"}
                ]}
                
                Then set the macro {$CERT_SUPERVISION_FILE} containing the path to this file.
                Template -> [ATTACH]n463575[/ATTACH]
                Hello,

                I've added the template, and I've tried both approaches.

                I created the /etc/zabbix/certinfo.json with the json matching the second format for a couple of servers and set the {$CERT_SUPERVISION_FILE} macro to that location. Nothing.
                I then took that same json content, changed the keys to match the first format (no 2 in the key names) and set that json as the value for the {$CERT_SUPERVISION} macro. This is working. However, it's alerting on all hosts defined in the json for each host that the template is applied to.

                Something I'm missing?

                Edit: I've defined 2 hosts with expired certs in the macro json, and that is applied at the template level, not the host level. Both hosts now show up with 2 in the problem count, and clicking there shows the host in question with 2 problems, expired certs for the clicked host AND for the other host.
                I also added the template to a known good host, and THAT host also shows up with 2 problems, which are the 2 hosts that actually do have expired certs.

                I'm going to try defining the json at the host level rather than be inherited and see if that makes it behave properly.
                Last edited by BScott; 03-10-2023, 17:19.

                Comment
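                The discovery JSON format quoted in the post above, as an added Python example that is not part of the original post or of the template itself: it builds both the macro ({$CERT_SUPERVISION}) and file ({$CERT_SUPERVISION_FILE}) variants from one endpoint list, checks the 2048-character macro limit the template author mentions, and rejects a payload whose keys belong to the other variant (the easy mistake when moving between the two). The endpoint values are constructed samples copied from the quoted description; the function names are mine.

```python
import json

# Zabbix user macro values are limited to 2048 characters (limit stated by the template author).
MACRO_LIMIT = 2048
FIELDS = ("DESC", "IP", "PORT", "SNI")

# Constructed sample endpoints (values taken from the quoted post, not a real deployment).
ENDPOINTS = [
    {"desc": "www.zabbix.com", "ip": "104.26.7.148", "port": 443, "sni": "www.zabbix.com"},
    {"desc": "domain.tld", "ip": "127.0.0.1", "port": 443, "sni": "domain.tld"},
]


def lld_keys(for_file):
    """LLD macro names: {#CERTDESC}... for the macro variant, {#CERTDESC2}... for the file variant."""
    suffix = "2" if for_file else ""
    return {f.lower(): f"{{#CERT{f}{suffix}}}" for f in FIELDS}


def build_discovery_json(endpoints, for_file=False):
    """Serialise endpoints into the {"data": [...]} document the template's discovery rule expects."""
    keys = lld_keys(for_file)
    rows = []
    for ep in endpoints:
        port = int(ep["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"invalid port {ep['port']} for {ep['desc']}")
        # The port is emitted as a string, matching the quoted template description.
        rows.append({keys["desc"]: ep["desc"], keys["ip"]: ep["ip"],
                     keys["port"]: str(port), keys["sni"]: ep["sni"]})
    return json.dumps({"data": rows}, separators=(",", ":"))


def fits_in_macro(payload):
    """True if the payload can be stored directly in the {$CERT_SUPERVISION} user macro."""
    return len(payload) <= MACRO_LIMIT


def parse_discovery_json(payload, for_file=False):
    """Validate a payload against the expected variant and return its rows.

    Raises ValueError when a row lacks a key, e.g. when a file-format document
    (keys ending in 2) is pasted into the macro, or vice versa.
    """
    expected = set(lld_keys(for_file).values())
    rows = json.loads(payload)["data"]
    for i, row in enumerate(rows):
        missing = expected - set(row)
        if missing:
            raise ValueError(f"row {i} is missing {sorted(missing)}")
    return rows
```

Because the macro value is inherited by every host the template is linked to, each such host discovers every endpoint in the list; setting the macro per host, as BScott ended up doing, keeps the problems on the host they belong to.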

                • fveegaert
                  Junior Member
                  • Dec 2022
                  • 6

                  #53
                  Originally posted by BScott

                  Hello,

                  I've added the template, and I've tried both approaches.

                  I created the /etc/zabbix/certinfo.json with the json matching the second format for a couple of servers and set the {$CERT_SUPERVISION_FILE} macro to that location. Nothing.
                  I then took that same json content, changed the keys to match the first format (no 2 in the key names) and set that json as the value for the {$CERT_SUPERVISION} macro. This is working. However, it's alerting on all hosts defined in the json for each host that the template is applied to.

                  Something I'm missing?

                  Edit: I've defined 2 hosts with expired certs in the macro json, and that is applied at the template level, not the host level. Both hosts now show up with 2 in the problem count, and clicking there shows the host in question with 2 problems, expired certs for the clicked host AND for the other host.
                  I also added the template to a known good host, and THAT host also shows up with 2 problems, which are the 2 hosts that actually do have expired certs.

                  I'm going to try defining the json at the host level rather than be inherited and see if that makes it behave properly.
                  Hello,
                  Did you create the certinfo.json on the host that has the template?
                  You have to add the macro on the host that has the template.

                  Comment

                  • BScott
                    Junior Member
                    • Sep 2023
                    • 5

                    #54
                    Originally posted by fveegaert

                    Hello,
                    Did you create the certinfo.json on the host that has the template?
                    You have to add the macro on the host that has the template.
                    Yes it's on the server that the hosts are reporting to.

                    Comment

                    • fveegaert
                      Junior Member
                      • Dec 2022
                      • 6

                      #55
                      Originally posted by BScott

                      Yes it's on the server that the hosts are reporting to.
                      Just to be sure.
                      This template and the json (file or macro) have to be on one host; it can be the Zabbix server or any other host. Then this host will contact the IP/PORT you have set up in the json and get the certificate information corresponding to the {#CERTSNI}.
                      You have to be sure that the host that has the template can contact the IP/PORTs you have set up.

                      Comment

                      • BScott
                        Junior Member
                        • Sep 2023
                        • 5

                        #56
                        Originally posted by fveegaert

                        Just to be sure.
                        This template and the json (file or macro) have to be on one host; it can be the Zabbix server or any other host. Then this host will contact the IP/PORT you have set up in the json and get the certificate information corresponding to the {#CERTSNI}.
                        You have to be sure that the host that has the template can contact the IP/PORTs you have set up.
                        The {$CERT_SUPERVISION_FILE} is defined in the template on the zabbix server, and the file it references is also on the zabbix server. There's no issue reaching the host/port, as this works correctly when the macro contains the json rather than the reference to the file.

                        In any case, I've gotten it working with the json in the macro and defining the macro per host rather than at inherited level. Thanks.

                        Comment

                        • bmmiller
                          Junior Member
                          • Oct 2023
                          • 2

                          #57
                          Does anyone have this working in a dockerized stack with an internal CA authority?

                          All of our internal certs return this `failed to verify certificate: x509: certificate signed by unknown authority` which is of course because the container doesn't have the root/intermediate certs attached. Without forking my own version of the repo and building a new Dockerfile, is there a way to get additional root CAs added into the container level so this alert doesn't fire?

                          Comment

                          • ikrneta
                            Junior Member
                            • Jun 2022
                            • 2

                            #58
                            Hello,
                            is it possible to monitor SSL certificates for a number of websites hosted on different VMs by using only the Zabbix agent hosted on the Zabbix server itself?

                            Comment

                            • bmmiller
                              Junior Member
                              • Oct 2023
                              • 2

                              #59
                              Originally posted by ikrneta
                              Hello,
                              is it possible to monitor SSL certificates for a number of websites hosted on different VMs by using only the Zabbix agent hosted on the Zabbix server itself?
                              Yes. You aren't installing agents for every certificate monitor.

                              Comment

                              • john2843
                                Junior Member
                                • Dec 2023
                                • 4

                                #60
                                Originally posted by bmmiller
                                Does anyone have this working in a dockerized stack with an internal CA authority?
                                I haven't confirmed this to work yet, but here are some things I ran across and tried to implement:
                                • SSLCALocation: https://www.zabbix.com/documentation...#sslcalocation
                                • My zabbix server container has the zabbix_server.conf in '/etc/zabbix/zabbix_server.conf'
                                • In that conf: SSLCALocation=/var/lib/zabbix/ssl/ssl_ca/
                                • This conf must be part of the docker image so I overlayed a volume via docker-config.yaml:
                                Code:
                                volumes:
                                 - ./zbx_env/var/lib/zabbix/ssl:/var/lib/zabbix/ssl:ro
                                • On the host I have directory/file structure under 'zbx_env':
                                Code:
                                └── ssl
                                        ├── certs
                                        └── ssl_ca
                                                └── Internal+CA.crt
                                In fact it hasn't cleared the previous errors, but it seems like the right path overall. Hopefully, someone can confirm this approach.

                                Comment
