SSL

Transport Layer Security, the successor of the now-deprecated Secure Sockets Layer, is a cryptographic protocol designed to provide communications security over a computer network.

Available solutions




This template is for Zabbix version: 5.4
Also available for: 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.4

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.4 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name Description Default
{$CERT.EXPIRY.WARN}

Number of days until the certificate expires.

7
{$CERT.WEBSITE.HOSTNAME}

The website DNS name for the connection.

<Put DNS name>
{$CERT.WEBSITE.IP}

The website IP address for the connection.

``
{$CERT.WEBSITE.PORT}

The TLS/SSL port number of the website.

443

Template links

There are no template links in this template.

Discovery rules

Items collected

Group Name Description Type Key and additional info
General Cert: Validation result

The certificate validation result. Possible values: valid/invalid/valid-but-self-signed

DEPENDENT cert.validation

Preprocessing:

- JSONPATH: $.result.value

General Cert: Last validation status

Last check result message.

DEPENDENT cert.message

Preprocessing:

- JSONPATH: $.result.message

General Cert: Version

The version of the encoded certificate.

DEPENDENT cert.version

Preprocessing:

- JSONPATH: $.x509.version

General Cert: Serial number

The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.

DEPENDENT cert.serial_number

Preprocessing:

- JSONPATH: $.x509.serial_number

General Cert: Signature algorithm

The algorithm identifier for the algorithm used by the CA to sign the certificate.

DEPENDENT cert.signature_algorithm

Preprocessing:

- JSONPATH: $.x509.signature_algorithm

General Cert: Issuer

The field identifies the entity that has signed and issued the certificate.

DEPENDENT cert.issuer

Preprocessing:

- JSONPATH: $.x509.issuer

General Cert: Valid from

The date on which the certificate validity period begins.

DEPENDENT cert.not_before

Preprocessing:

- JSONPATH: $.x509.not_before.timestamp

General Cert: Expires on

The date on which the certificate validity period ends.

DEPENDENT cert.not_after

Preprocessing:

- JSONPATH: $.x509.not_after.timestamp

General Cert: Subject

The field identifies the entity associated with the public key stored in the subject public key field.

DEPENDENT cert.subject

Preprocessing:

- JSONPATH: $.x509.subject

General Cert: Subject alternative name

The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).

DEPENDENT cert.alternative_names

Preprocessing:

- JSONPATH: $.x509.alternative_names

General Cert: Public key algorithm

The digital signature algorithm is used to verify the signature of a certificate.

DEPENDENT cert.public_key_algorithm

Preprocessing:

- JSONPATH: $.x509.public_key_algorithm

General Cert: Fingerprint

The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.

DEPENDENT cert.sha1_fingerprint

Preprocessing:

- JSONPATH: $.sha1_fingerprint

Zabbix_raw_items Cert: Get

Returns the JSON with attributes of a certificate of the requested site.

ZABBIX_PASSIVE web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}]

Preprocessing:

- DISCARD_UNCHANGED_HEARTBEAT: 6h

Triggers

Name Description Expression Severity Dependencies and additional info
Cert: SSL certificate is invalid

SSL certificate has expired or it is issued for another domain.

find(/TEMPLATE_NAME/cert.validation,,"like","invalid")=1 HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

(last(/TEMPLATE_NAME/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/TEMPLATE_NAME/cert.sha1_fingerprint) <> last(/TEMPLATE_NAME/cert.sha1_fingerprint,#2) INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

Articles and documentation

+ Propose new article

Didn't find what you are looking for?