SSL

Transport Layer Security, the successor of the now-deprecated Secure Sockets Layer, is a cryptographic protocol designed to provide communications security over a computer network.

Available solutions




This template is for Zabbix version: 7.4

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.4

Website certificate by Zabbix agent 2

Overview

This template is for monitoring a TLS/SSL certificate of a website via Zabbix agent 2, and it works without any external scripts. Zabbix agent 2 requests the certificate via the web.certificate.get key through the WebCertificate plugin and returns a JSON with certificate attributes.

Requirements

Zabbix version: 7.4 and higher.

Tested versions

This template has been tested on:

  • Website TLS/SSL certificate

Configuration

Zabbix should be configured according to the instructions in the Templates out of the box section.

Setup

1. Set up and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host with a Zabbix agent interface.

4. Link the template to the host.

5. Customize the values of the macros {$CERT.WEBSITE.HOSTNAME}, {$CERT.WEBSITE.IP}, and {$CERT.WEBSITE.PORT}. {$CERT.WEBSITE.HOSTNAME} is a required parameter in the Zabbix agent 2 web.certificate.get key, so it must have at least one value set. Other macros may be set as needed (details below). Note that multiple values can be specified, separated by commas. The corresponding values in other macros are processed in the order they are listed (see the table below for examples):

Macro Value
{$CERT.WEBSITE.HOSTNAME} hostname_01,hostname_02,hostname_03
{$CERT.WEBSITE.PORT} port_01,,port_03
{$CERT.WEBSITE.IP} ,ip_02

As shown in the example above, the following websites will be discovered:

  • Website with the host name hostname_01 - the host name itself will be used for connection (because the address is set to an empty string); the port is port_01.
  • Website with the host name hostname_02 - will also be used for SNI verification; the address ip_02 will be used for connection, and the port will default to 443 (because it is set to an empty string).
  • Website the with host name hostname_03 - the host name itself will be used for connection (because the address is not set and treated as an empty string); the port is port_03.

For additional details, please refer to official documentation about the Zabbix agent 2 web.certificate.get key: https://www.zabbix.com/documentation/7.4/manual/config/items/itemtypes/zabbix_agent/zabbix_agent2#web.certificate.get

Macros used

Name Description Default
{$CERT.EXPIRY.WARN}

Number of days until the certificate expires.

7
{$CERT.WEBSITE.HOSTNAME}

The website's DNS name used for the connection.

<Enter DNS name>
{$CERT.WEBSITE.PORT}

The TLS/SSL port number of the website.

443
{$CERT.WEBSITE.IP}

The website's IP address used for the connection.

{$CERT.PARAMS.CHECK}

The type of verification of input parameters.

STRICT (default) - when an error occurs, the check stops.

Any other value - erroneous records are ignored.

STRICT

Items

Name Description Type Key and additional info
Get data

Parses the parameters from user macros and returns a JSON string used in LLD.

Script cert.get.data

Preprocessing

  • Discard unchanged with heartbeat: 1h

Triggers

Name Description Expression Severity Dependencies and additional info
Certificate: Error parse parameters

Some entries in the macro {$CERT.WEBSITE.HOSTNAME} are incorrect and ignored.

jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 1 Warning Manual close: Yes
Certificate: Error parse parameters

Some entries in the macro {$CERT.WEBSITE.HOSTNAME} are incorrect.
Please edit the macros to avoid data loss.

jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 2 High Manual close: Yes

LLD rule Website discovery

Name Description Type Key and additional info
Website discovery Dependent item cert.website.discovery

Preprocessing

  • JSON Path: $.data

Item prototypes for Website discovery

Name Description Type Key and additional info
[{#CERT.WEBSITE.ITEMNAME}]: Get

Returns a JSON with the attributes of a certificate of the requested site.

Zabbix agent web.certificate.get[{#CERT.WEBSITE.HOSTNAME},{#CERT.WEBSITE.PORT},{#CERT.WEBSITE.IP}]

Preprocessing

  • Discard unchanged with heartbeat: 6h

[{#CERT.WEBSITE.ITEMNAME}]: Validation result

The certificate validation result. Possible values: valid/invalid/valid-but-self-signed

Dependent item cert.validation[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.result.value

[{#CERT.WEBSITE.ITEMNAME}]: Last validation status

Message from the latest certificate check.

Dependent item cert.message[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.result.message

[{#CERT.WEBSITE.ITEMNAME}]: Version

The version of the encoded certificate.

Dependent item cert.version[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.version

[{#CERT.WEBSITE.ITEMNAME}]: Serial number

The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.

Dependent item cert.serial_number[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.serial_number

[{#CERT.WEBSITE.ITEMNAME}]: Signature algorithm

The algorithm identifier for the algorithm used by the CA to sign the certificate.

Dependent item cert.signature_algorithm[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.signature_algorithm

[{#CERT.WEBSITE.ITEMNAME}]: Issuer

The field identifies the entity that signed and issued the certificate.

Dependent item cert.issuer[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.issuer

[{#CERT.WEBSITE.ITEMNAME}]: Valid from

The date on which the certificate validity period begins.

Dependent item cert.not_before[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.not_before.timestamp

[{#CERT.WEBSITE.ITEMNAME}]: Expires on

The date on which the certificate validity period ends.

Dependent item cert.not_after[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.not_after.timestamp

[{#CERT.WEBSITE.ITEMNAME}]: Subject

The field identifies the entity associated with the public key stored in the subject public key field.

Dependent item cert.subject[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.subject

[{#CERT.WEBSITE.ITEMNAME}]: Subject alternative name

The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an e-mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).

Dependent item cert.alternative_names[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.alternative_names

[{#CERT.WEBSITE.ITEMNAME}]: Public key algorithm

The digital signature algorithm used to verify the signature of a certificate.

Dependent item cert.public_key_algorithm[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.x509.public_key_algorithm

[{#CERT.WEBSITE.ITEMNAME}]: Fingerprint

The certificate signature (SHA1 fingerprint or thumbprint) is the hash of the entire certificate in DER form.

Dependent item cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}]

Preprocessing

  • JSON Path: $.sha1_fingerprint

Trigger prototypes for Website discovery

Name Description Expression Severity Dependencies and additional info
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid

The SSL certificate has expired or it is issued for another domain.

find(/Website certificate by Zabbix agent 2/cert.validation[{#CERT.WEBSITE.ITEMNAME}],,"like","invalid")=1 High
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate expires soon

The SSL certificate should be updated or it will become untrusted.

(last(/Website certificate by Zabbix agent 2/cert.not_after[{#CERT.WEBSITE.ITEMNAME}]) - now()) / 86400 < {$CERT.EXPIRY.WARN} Warning Depends on:
  • Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid
Cert [{#CERT.WEBSITE.ITEMNAME}]: Fingerprint has changed

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually.
There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}]) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}],#2) Info Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Articles and documentation

+ Propose new article

Vous n’avez pas trouvé ce que vous cherchiez ?