SSL

Transport Layer Security, the successor of the now-deprecated Secure Sockets Layer, is a cryptographic protocol designed to provide communications security over a computer network.

Available solutions

Cloudflare by HTTP
3rd party solutions

This template is for Zabbix version: 5.4

Also available for: 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.4

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.4 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/TEMPLATE_NAME/cert.validation,,"like","invalid")=1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`(last(/TEMPLATE_NAME/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/TEMPLATE_NAME/cert.sha1_fingerprint) <> last(/TEMPLATE_NAME/cert.sha1_fingerprint,#2)`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

find(/TEMPLATE_NAME/cert.validation,,"like","invalid")=1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

(last(/TEMPLATE_NAME/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/TEMPLATE_NAME/cert.sha1_fingerprint) <> last(/TEMPLATE_NAME/cert.sha1_fingerprint,#2)

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 5.0

Also available for: 5.4

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.0

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.0 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

See Zabbix template operation for basic instructions.

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`{TEMPLATE_NAME:cert.validation.str("invalid")} = 1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

{TEMPLATE_NAME:cert.validation.str("invalid")} = 1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

Link	Source	Type, Technology	Created Updated	Rating
Zabbix check SSL certificates This script and the templates allow your zabbix server to validate SSL certificates. It supports direct SSL/HTTPS checks as well as STARTTLS connections. Multiple SSL certificates per IP address can be checked ✔ Zabbix Agent ✔ Custom Script github.com/a-schild/zabbix-ssl share.zabbix.com/ssl-monitoring-of-mail-ftp-web-xmpp-server	share.zabbix.com	Template, script shell shell	2016-07-26 5 y	Popular
Website metrics, poor description on share ✔ Zabbix Trapper github.com/itmicus/zabbix/tree/master/Template%20Web%20Site share.zabbix.com/website-metrics	share.zabbix.com		2018-04-23 3 y
Script to check validity and expiration of TLS/SSL certificate for given host, port and (optional) servername. github.com/selivan/https-ssl-cert-check-zabbix	GitHub 194	script shell	2016-06-23 14 d	Popular
Web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration Allows you to turn web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration. It requires two PHP files, two UserParameters, an SQL user with SELECT permissions and this template to get up and running. github.com/albinbatman/zabbix-ssl-monitor-template	GitHub 6	Template PHP	2020-08-29 8 m
zabbix ssl certificates checking github.com/jjjbushjjj/zabbix-cert-check	GitHub 3	Python	2016-12-06 1 y
Zabbix template check ssl with python script github.com/cavazquez/zabbix_template_ssl	GitHub 2	Templates, Scripts Python	2017-04-17 2 y
Discover and monitor SSL certificates in Zabbix Scripts, Zabbix userparameters, and Zabbix templates for monitoring SSL certificate expiration from Zabbix. github.com/nbarnum/zabbix-ssl-check	GitHub 1	Templates, Scripts Python	2017-10-30 2 y
Simple scripts for monitoring state of ssl certificates and http codes via zabbix. github.com/tarwirdur/zabbix-https-checker	GitHub 1	Templates, Scripts Bash	2018-05-31 8 m
Check SSL certificate for expiration Script to check ssl github.com/moobay9/zabbix-ssl-certificate-expire-check [cn]	GitHub	Templates, Scripts Bash	2015-08-07 6 y

+ Propose new solution

Articles and documentation

+ Propose new article

Zabbix + SSL

SSL

Available solutions

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Articles and documentation

Didn't find what you are looking for?

Request custom integration

Propose your integration