This template is for Zabbix version: 7.4
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.4
Website certificate by Zabbix agent 2
Overview
This template is for monitoring a TLS/SSL certificate of a website via Zabbix agent 2, and it works without any external scripts.
Zabbix agent 2 requests the certificate via the web.certificate.get key through the WebCertificate plugin and returns a JSON with certificate attributes.
Requirements
Zabbix version: 7.4 and higher.
Tested versions
This template has been tested on:
- Website TLS/SSL certificate
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the values of the macros {$CERT.WEBSITE.HOSTNAME}, {$CERT.WEBSITE.IP}, and {$CERT.WEBSITE.PORT}. {$CERT.WEBSITE.HOSTNAME} is a required parameter in the Zabbix agent 2 web.certificate.get key, so it must have at least one value set. Other macros may be set as needed (details below). Note that multiple values can be specified, separated by commas. The corresponding values in other macros are processed in the order they are listed (see the table below for examples):
Macro | Value
{$CERT.WEBSITE.HOSTNAME} | hostname_01,hostname_02,hostname_03
{$CERT.WEBSITE.PORT} | port_01,,port_03
{$CERT.WEBSITE.IP} | ,ip_02
As shown in the example above, the following websites will be discovered:
- Website with the host name hostname_01 - the host name itself will be used for connection (because the address is set to an empty string); the port is port_01.
- Website with the host name hostname_02 - the host name will also be used for SNI verification; the address ip_02 will be used for connection, and the port will default to 443 (because it is set to an empty string).
- Website with the host name hostname_03 - the host name itself will be used for connection (because the address is not set and treated as an empty string); the port is port_03.
For additional details, please refer to the official documentation about the Zabbix agent 2 web.certificate.get key: https://www.zabbix.com/documentation/7.4/manual/config/items/itemtypes/zabbix_agent/zabbix_agent2#web.certificate.get
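The positional pairing of the three macros and the effect of {$CERT.PARAMS.CHECK} can be sketched as follows. This is an added example, not the template's own "Get data" script: the function names, the output shape, the validation rules, the ITEMNAME format, the `LOOSE` value and the mapping of STRICT to error code 2 are assumptions, and the host names and addresses are constructed.

```javascript
// Added sketch, not the template's "Get data" script. Output shape, validation
// rules, ITEMNAME format and the error-code mapping are assumptions.
const DEFAULT_PORT = '443';
const LABEL = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
const HOSTNAME_RE = new RegExp('^' + LABEL + '(\\.' + LABEL + ')*$', 'i');

// "a,,c" -> ["a", "", "c"]; an unset macro -> [""]
function splitList(value) {
  return String(value === undefined || value === null ? '' : value)
    .split(',')
    .map(function (s) { return s.trim(); });
}

function isValidPort(port) {
  return /^[0-9]{1,5}$/.test(port) && Number(port) >= 1 && Number(port) <= 65535;
}

function isValidIp(ip) {
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (v4) {
    return v4.slice(1).every(function (octet) { return Number(octet) <= 255; });
  }
  // Simplified IPv6 test: hex digits and colons, at least two colons.
  return /^[0-9a-f:]+$/i.test(ip) && ip.split(':').length > 2;
}

function expandWebsites(macros) {
  const hosts = splitList(macros['{$CERT.WEBSITE.HOSTNAME}']);
  const ports = splitList(macros['{$CERT.WEBSITE.PORT}']);
  const ips = splitList(macros['{$CERT.WEBSITE.IP}']);
  const check = macros['{$CERT.PARAMS.CHECK}'];
  const strict = check === undefined || check === 'STRICT';

  const data = [];
  const rejected = [];
  hosts.forEach(function (host, i) {
    // The host name list drives the loop; a missing or empty position in the
    // other lists falls back to the default port or to "no explicit address".
    const port = ports[i] || DEFAULT_PORT;
    const ip = ips[i] || '';
    const problems = [];
    if (host.length > 253 || !HOSTNAME_RE.test(host)) problems.push('hostname');
    if (!isValidPort(port)) problems.push('port');
    if (ip !== '' && !isValidIp(ip)) problems.push('ip');
    if (problems.length > 0) {
      rejected.push({ position: i + 1, host: host, problems: problems });
      return;
    }
    data.push({
      '{#CERT.WEBSITE.HOSTNAME}': host, // also the name used for SNI
      '{#CERT.WEBSITE.PORT}': port,
      '{#CERT.WEBSITE.IP}': ip,         // empty: connect to the host name itself
      '{#CERT.WEBSITE.ITEMNAME}': host + ':' + port, // hypothetical format
    });
  });

  if (rejected.length === 0) {
    return { data: data, error: { code: 0 }, rejected: rejected };
  }
  if (strict) {
    // STRICT: the check stops, nothing is discovered (assumed to be code 2).
    return { data: [], error: { code: 2 }, rejected: rejected };
  }
  // Any other value: bad records are skipped (assumed to be code 1).
  return { data: data, error: { code: 1 }, rejected: rejected };
}

// Constructed macro values mirroring the table above.
const SAMPLE_MACROS = {
  '{$CERT.WEBSITE.HOSTNAME}': 'www.example.com,api.example.com,mail.example.com',
  '{$CERT.WEBSITE.PORT}': '8443,,993',
  '{$CERT.WEBSITE.IP}': ',192.0.2.10',
};
console.log(JSON.stringify(expandWebsites(SAMPLE_MACROS), null, 2));
```
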
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website's DNS name used for the connection. |
<Enter DNS name> |
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
{$CERT.WEBSITE.IP} |
The website's IP address used for the connection. |
|
{$CERT.PARAMS.CHECK} |
The type of verification of input parameters. STRICT (default) - when an error occurs, the check stops. Any other value - erroneous records are ignored. |
STRICT |
Items
Name |
Description |
Type |
Key and additional info |
Get data |
Parses the parameters from user macros and returns a JSON string used in LLD. |
Script |
cert.get.data Preprocessing |
Triggers
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Certificate: Error parse parameters |
Some entries in the macro {$CERT.WEBSITE.HOSTNAME} are incorrect and ignored. |
jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 1 |
Warning |
Manual close: Yes |
Certificate: Error parse parameters |
Some entries in the macro {$CERT.WEBSITE.HOSTNAME} are incorrect. Please edit the macros to avoid data loss. |
jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 2 |
High |
Manual close: Yes |
LLD rule Website discovery
Name |
Description |
Type |
Key and additional info |
Website discovery |
|
Dependent item |
cert.website.discovery Preprocessing |
Item prototypes for Website discovery
Name |
Description |
Type |
Key and additional info |
[{#CERT.WEBSITE.ITEMNAME}]: Get |
Returns a JSON with the attributes of a certificate of the requested site. |
Zabbix agent |
web.certificate.get[{#CERT.WEBSITE.HOSTNAME},{#CERT.WEBSITE.PORT},{#CERT.WEBSITE.IP}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Validation result |
The certificate validation result. Possible values: valid/invalid/valid-but-self-signed |
Dependent item |
cert.validation[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Last validation status |
Message from the latest certificate check. |
Dependent item |
cert.message[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Version |
The version of the encoded certificate. |
Dependent item |
cert.version[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Serial number |
The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. |
Dependent item |
cert.serial_number[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Signature algorithm |
The algorithm identifier for the algorithm used by the CA to sign the certificate. |
Dependent item |
cert.signature_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Issuer |
The field identifies the entity that signed and issued the certificate. |
Dependent item |
cert.issuer[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Valid from |
The date on which the certificate validity period begins. |
Dependent item |
cert.not_before[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Expires on |
The date on which the certificate validity period ends. |
Dependent item |
cert.not_after[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Subject |
The field identifies the entity associated with the public key stored in the subject public key field. |
Dependent item |
cert.subject[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Subject alternative name |
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an e-mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). |
Dependent item |
cert.alternative_names[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Public key algorithm |
The digital signature algorithm used to verify the signature of a certificate. |
Dependent item |
cert.public_key_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
[{#CERT.WEBSITE.ITEMNAME}]: Fingerprint |
The certificate signature (SHA1 fingerprint or thumbprint) is the hash of the entire certificate in DER form. |
Dependent item |
cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}] Preprocessing |
Trigger prototypes for Website discovery
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid |
The SSL certificate has expired or it is issued for another domain. |
find(/Website certificate by Zabbix agent 2/cert.validation[{#CERT.WEBSITE.ITEMNAME}],,"like","invalid")=1 |
High |
|
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate expires soon |
The SSL certificate should be updated or it will become untrusted. |
(last(/Website certificate by Zabbix agent 2/cert.not_after[{#CERT.WEBSITE.ITEMNAME}]) - now()) / 86400 < {$CERT.EXPIRY.WARN} |
Warning |
Depends on:
- Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid
|
Cert [{#CERT.WEBSITE.ITEMNAME}]: Fingerprint has changed |
The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. |
last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}]) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}],#2) |
Info |
Manual close: Yes |
Feedback
Please report any issues with the template at https://support.zabbix.com
You can also provide feedback, discuss the template, or ask for help at ZABBIX forums
This template is for Zabbix version: 7.2
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.2
Website certificate by Zabbix agent 2
Overview
This template monitors a website's TLS/SSL certificate via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns JSON with the certificate attributes.
Requirements
Zabbix version: 7.2 and higher.
Tested versions
This template has been tested on:
- Website TLS/SSL certificate
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website DNS name for the connection. |
<Put DNS name> |
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
{$CERT.WEBSITE.IP} |
The website IP address for the connection. |
|
Items
Name |
Description |
Type |
Key and additional info |
Get |
Returns the JSON with attributes of a certificate of the requested site. |
Zabbix agent |
web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing |
Validation result |
The certificate validation result. Possible values: valid/invalid/valid-but-self-signed |
Dependent item |
cert.validation Preprocessing |
Last validation status |
Last check result message. |
Dependent item |
cert.message Preprocessing |
Version |
The version of the encoded certificate. |
Dependent item |
cert.version Preprocessing |
Serial number |
The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. |
Dependent item |
cert.serial_number Preprocessing |
Signature algorithm |
The algorithm identifier for the algorithm used by the CA to sign the certificate. |
Dependent item |
cert.signature_algorithm Preprocessing |
Issuer |
The field identifies the entity that has signed and issued the certificate. |
Dependent item |
cert.issuer Preprocessing |
Valid from |
The date on which the certificate validity period begins. |
Dependent item |
cert.not_before Preprocessing |
Expires on |
The date on which the certificate validity period ends. |
Dependent item |
cert.not_after Preprocessing |
Subject |
The field identifies the entity associated with the public key stored in the subject public key field. |
Dependent item |
cert.subject Preprocessing |
Subject alternative name |
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). |
Dependent item |
cert.alternative_names Preprocessing |
Public key algorithm |
The digital signature algorithm is used to verify the signature of a certificate. |
Dependent item |
cert.public_key_algorithm Preprocessing |
Fingerprint |
The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. |
Dependent item |
cert.sha1_fingerprint Preprocessing |
Triggers
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Certificate: SSL certificate is invalid |
SSL certificate has expired or it is issued for another domain. |
find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 |
High |
|
Certificate: SSL certificate expires soon |
The SSL certificate should be updated or it will become untrusted. |
(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} |
Warning |
Depends on:
- Certificate: SSL certificate is invalid
|
Certificate: Fingerprint has changed |
The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. |
last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) |
Info |
Manual close: Yes |
This template is for Zabbix version: 7.0
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.0
Website certificate by Zabbix agent 2
Overview
This template monitors a website's TLS/SSL certificate via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns JSON with the certificate attributes.
Requirements
Zabbix version: 7.0 and higher.
Tested versions
This template has been tested on:
- Website TLS/SSL certificate
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website DNS name for the connection. |
<Put DNS name> |
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
{$CERT.WEBSITE.IP} |
The website IP address for the connection. |
|
Items
Name |
Description |
Type |
Key and additional info |
Get |
Returns the JSON with attributes of a certificate of the requested site. |
Zabbix agent |
web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing |
Validation result |
The certificate validation result. Possible values: valid/invalid/valid-but-self-signed |
Dependent item |
cert.validation Preprocessing |
Last validation status |
Last check result message. |
Dependent item |
cert.message Preprocessing |
Version |
The version of the encoded certificate. |
Dependent item |
cert.version Preprocessing |
Serial number |
The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. |
Dependent item |
cert.serial_number Preprocessing |
Signature algorithm |
The algorithm identifier for the algorithm used by the CA to sign the certificate. |
Dependent item |
cert.signature_algorithm Preprocessing |
Issuer |
The field identifies the entity that has signed and issued the certificate. |
Dependent item |
cert.issuer Preprocessing |
Valid from |
The date on which the certificate validity period begins. |
Dependent item |
cert.not_before Preprocessing |
Expires on |
The date on which the certificate validity period ends. |
Dependent item |
cert.not_after Preprocessing |
Subject |
The field identifies the entity associated with the public key stored in the subject public key field. |
Dependent item |
cert.subject Preprocessing |
Subject alternative name |
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). |
Dependent item |
cert.alternative_names Preprocessing |
Public key algorithm |
The digital signature algorithm is used to verify the signature of a certificate. |
Dependent item |
cert.public_key_algorithm Preprocessing |
Fingerprint |
The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. |
Dependent item |
cert.sha1_fingerprint Preprocessing |
Triggers
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Certificate: SSL certificate is invalid |
SSL certificate has expired or it is issued for another domain. |
find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 |
High |
|
Certificate: SSL certificate expires soon |
The SSL certificate should be updated or it will become untrusted. |
(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} |
Warning |
Depends on:
- Certificate: SSL certificate is invalid
|
Certificate: Fingerprint has changed |
The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. |
last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) |
Info |
Manual close: Yes |
This template is for Zabbix version: 6.4
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.4
Website certificate by Zabbix agent 2
Overview
This template monitors a website's TLS/SSL certificate via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns JSON with the certificate attributes.
Requirements
Zabbix version: 6.4 and higher.
Tested versions
This template has been tested on:
- Website TLS/SSL certificate
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website DNS name for the connection. |
<Put DNS name> |
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
{$CERT.WEBSITE.IP} |
The website IP address for the connection. |
|
Items
Name |
Description |
Type |
Key and additional info |
Cert: Get |
Returns the JSON with attributes of a certificate of the requested site. |
Zabbix agent |
web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing |
Cert: Validation result |
The certificate validation result. Possible values: valid/invalid/valid-but-self-signed |
Dependent item |
cert.validation Preprocessing |
Cert: Last validation status |
Last check result message. |
Dependent item |
cert.message Preprocessing |
Cert: Version |
The version of the encoded certificate. |
Dependent item |
cert.version Preprocessing |
Cert: Serial number |
The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. |
Dependent item |
cert.serial_number Preprocessing |
Cert: Signature algorithm |
The algorithm identifier for the algorithm used by the CA to sign the certificate. |
Dependent item |
cert.signature_algorithm Preprocessing |
Cert: Issuer |
The field identifies the entity that has signed and issued the certificate. |
Dependent item |
cert.issuer Preprocessing |
Cert: Valid from |
The date on which the certificate validity period begins. |
Dependent item |
cert.not_before Preprocessing |
Cert: Expires on |
The date on which the certificate validity period ends. |
Dependent item |
cert.not_after Preprocessing |
Cert: Subject |
The field identifies the entity associated with the public key stored in the subject public key field. |
Dependent item |
cert.subject Preprocessing |
Cert: Subject alternative name |
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). |
Dependent item |
cert.alternative_names Preprocessing |
Cert: Public key algorithm |
The digital signature algorithm is used to verify the signature of a certificate. |
Dependent item |
cert.public_key_algorithm Preprocessing |
Cert: Fingerprint |
The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. |
Dependent item |
cert.sha1_fingerprint Preprocessing |
Triggers
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Cert: SSL certificate is invalid |
SSL certificate has expired or it is issued for another domain. |
find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 |
High |
|
Cert: SSL certificate expires soon |
The SSL certificate should be updated or it will become untrusted. |
(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} |
Warning |
Depends on:
- Cert: SSL certificate is invalid
|
Cert: Fingerprint has changed |
The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. |
last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) |
Info |
Manual close: Yes |
This template is for Zabbix version: 6.2
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.2
Website certificate by Zabbix agent 2
Overview
For Zabbix version: 6.2 and higher
This template monitors a website's TLS/SSL certificate via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns JSON with the certificate attributes.
Setup
See Zabbix template operation for basic instructions.
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Zabbix configuration
No specific Zabbix configuration is required.
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website DNS name for the connection. |
<Put DNS name> |
{$CERT.WEBSITE.IP} |
The website IP address for the connection. |
|
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
Template links
There are no template links in this template.
Discovery rules
Items collected
Group |
Name |
Description |
Type |
Key and additional info |
General |
Cert: Validation result |
The certificate validation result. Possible values: valid/invalid/valid-but-self-signed |
DEPENDENT |
cert.validation Preprocessing: - JSONPATH: $.result.value |
General |
Cert: Last validation status |
Last check result message. |
DEPENDENT |
cert.message Preprocessing: - JSONPATH: $.result.message |
General |
Cert: Version |
The version of the encoded certificate. |
DEPENDENT |
cert.version Preprocessing: - JSONPATH: $.x509.version |
General |
Cert: Serial number |
The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. |
DEPENDENT |
cert.serial_number Preprocessing: - JSONPATH: $.x509.serial_number |
General |
Cert: Signature algorithm |
The algorithm identifier for the algorithm used by the CA to sign the certificate. |
DEPENDENT |
cert.signature_algorithm Preprocessing: - JSONPATH: $.x509.signature_algorithm |
General |
Cert: Issuer |
The field identifies the entity that has signed and issued the certificate. |
DEPENDENT |
cert.issuer Preprocessing: - JSONPATH: $.x509.issuer |
General |
Cert: Valid from |
The date on which the certificate validity period begins. |
DEPENDENT |
cert.not_before Preprocessing: - JSONPATH: $.x509.not_before.timestamp |
General |
Cert: Expires on |
The date on which the certificate validity period ends. |
DEPENDENT |
cert.not_after Preprocessing: - JSONPATH: $.x509.not_after.timestamp |
General |
Cert: Subject |
The field identifies the entity associated with the public key stored in the subject public key field. |
DEPENDENT |
cert.subject Preprocessing: - JSONPATH: $.x509.subject |
General |
Cert: Subject alternative name |
The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). |
DEPENDENT |
cert.alternative_names Preprocessing: - JSONPATH: $.x509.alternative_names |
General |
Cert: Public key algorithm |
The digital signature algorithm is used to verify the signature of a certificate. |
DEPENDENT |
cert.public_key_algorithm Preprocessing: - JSONPATH: $.x509.public_key_algorithm |
General |
Cert: Fingerprint |
The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. |
DEPENDENT |
cert.sha1_fingerprint Preprocessing: - JSONPATH: $.sha1_fingerprint |
Zabbix raw items |
Cert: Get |
Returns the JSON with attributes of a certificate of the requested site. |
ZABBIX_PASSIVE |
web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: 6h |
Triggers
Name |
Description |
Expression |
Severity |
Dependencies and additional info |
Cert: SSL certificate is invalid |
SSL certificate has expired or it is issued for another domain. |
find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 |
HIGH |
|
Cert: SSL certificate expires soon |
The SSL certificate should be updated or it will become untrusted. |
(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} |
WARNING |
Depends on: - Cert: SSL certificate is invalid |
Cert: Fingerprint has changed |
The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. |
last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) |
INFO |
Manual close: YES |
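How the three trigger expressions behave on successive values can be replayed outside Zabbix. The following is an added example, not code from the template or from Zabbix: it reads the same JSONPaths as the dependent items listed above, the function names are hypothetical, and the samples, timestamps and fingerprint strings are constructed.

```javascript
// Added sketch: the template's three trigger expressions replayed over
// constructed web.certificate.get samples. Not Zabbix code.
const SECONDS_PER_DAY = 86400;

// Same JSONPaths as the dependent items in the table above.
function extractItems(raw) {
  return {
    validation: raw.result.value,           // cert.validation
    notAfter: raw.x509.not_after.timestamp, // cert.not_after
    fingerprint: raw.sha1_fingerprint,      // cert.sha1_fingerprint
  };
}

// history: raw samples, oldest first; now: Unix time;
// warnDays: the value of {$CERT.EXPIRY.WARN}.
function evaluateTriggers(history, now, warnDays) {
  const last = extractItems(history[history.length - 1]);
  const prev = history.length > 1
    ? extractItems(history[history.length - 2])
    : null;

  // find(/.../cert.validation,,"like","invalid")=1
  // A substring match on the latest value only.
  const invalid = last.validation.indexOf('invalid') !== -1;

  // (last(/.../cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}
  const daysLeft = (last.notAfter - now) / SECONDS_PER_DAY;
  // "Depends on: SSL certificate is invalid": no separate problem is raised
  // while that trigger is already in the problem state.
  const expiresSoon = daysLeft < warnDays && !invalid;

  // last(/.../cert.sha1_fingerprint) <> last(/.../cert.sha1_fingerprint,#2)
  // With a single stored value there is nothing to compare against.
  const fingerprintChanged =
    prev !== null && last.fingerprint !== prev.fingerprint;

  return {
    invalid: invalid,
    expiresSoon: expiresSoon,
    fingerprintChanged: fingerprintChanged,
    daysLeft: daysLeft,
  };
}

// Evaluate after each new value, as the server would as values arrive.
// The clock is held fixed to keep the example small.
function replay(history, now, warnDays) {
  return history.map(function (_, i) {
    return evaluateTriggers(history.slice(0, i + 1), now, warnDays);
  });
}

// Constructed sample in the shape the JSONPaths above expect.
function makeSample(value, notAfter, fingerprint) {
  return {
    result: { value: value, message: 'constructed message' },
    x509: { not_after: { timestamp: notAfter } },
    sha1_fingerprint: fingerprint,
  };
}

const NOW = 1750000000; // constructed "current" Unix time
const IN_30_DAYS = NOW + 30 * SECONDS_PER_DAY;
const CERT_A = makeSample('valid', IN_30_DAYS, 'constructed-fp-A');
const CERT_A2 = makeSample('valid', IN_30_DAYS, 'constructed-fp-A2');
const SELF_SIGNED = makeSample('valid-but-self-signed',
  NOW + 3 * SECONDS_PER_DAY, 'constructed-fp-B');
const EXPIRED = makeSample('invalid', NOW - SECONDS_PER_DAY, 'constructed-fp-B');

// Two valid certificates served alternately by the same site: the
// fingerprint trigger fires on every poll after the first.
const FLAPPING = replay([CERT_A, CERT_A2, CERT_A, CERT_A2], NOW, 7);
console.log(FLAPPING.map(function (r) { return r.fingerprintChanged; }));
```

The replay shows two things the expressions imply: `valid-but-self-signed` does not contain the substring `invalid`, so a self-signed certificate never raises the "invalid" trigger, and a site that alternates between two valid certificates raises "Fingerprint has changed" on every poll.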
This template is for Zabbix version: 6.0
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.0
Website certificate by Zabbix agent 2
Overview
This template monitors a website's TLS/SSL certificate via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns JSON with the certificate attributes.
Requirements
Zabbix version: 6.0 and higher.
Tested versions
This template has been tested on:
- Website TLS/SSL certificate
Configuration
Zabbix should be configured according to the instructions in the Templates out of the box section.
Setup
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Macros used
Name |
Description |
Default |
{$CERT.EXPIRY.WARN} |
Number of days until the certificate expires. |
7 |
{$CERT.WEBSITE.HOSTNAME} |
The website DNS name for the connection. |
<Put DNS name> |
{$CERT.WEBSITE.PORT} |
The TLS/SSL port number of the website. |
443 |
{$CERT.WEBSITE.IP} |
The website IP address for the connection. |
|
Items
| Name | Description | Type | Key and additional info |
|---|---|---|---|
| Cert: Get | Returns the JSON with attributes of a certificate of the requested site. | Zabbix agent | web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing |
| Cert: Validation result | The certificate validation result. Possible values: valid/invalid/valid-but-self-signed | Dependent item | cert.validation Preprocessing |
| Cert: Last validation status | Last check result message. | Dependent item | cert.message Preprocessing |
| Cert: Version | The version of the encoded certificate. | Dependent item | cert.version Preprocessing |
| Cert: Serial number | The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. | Dependent item | cert.serial_number Preprocessing |
| Cert: Signature algorithm | The algorithm identifier for the algorithm used by the CA to sign the certificate. | Dependent item | cert.signature_algorithm Preprocessing |
| Cert: Issuer | The field identifies the entity that has signed and issued the certificate. | Dependent item | cert.issuer Preprocessing |
| Cert: Valid from | The date on which the certificate validity period begins. | Dependent item | cert.not_before Preprocessing |
| Cert: Expires on | The date on which the certificate validity period ends. | Dependent item | cert.not_after Preprocessing |
| Cert: Subject | The field identifies the entity associated with the public key stored in the subject public key field. | Dependent item | cert.subject Preprocessing |
| Cert: Subject alternative name | The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). | Dependent item | cert.alternative_names Preprocessing |
| Cert: Public key algorithm | The digital signature algorithm is used to verify the signature of a certificate. | Dependent item | cert.public_key_algorithm Preprocessing |
| Cert: Fingerprint | The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. | Dependent item | cert.sha1_fingerprint Preprocessing |
Triggers
| Name | Description | Expression | Severity | Dependencies and additional info |
|---|---|---|---|---|
| Cert: SSL certificate is invalid | SSL certificate has expired or it is issued for another domain. | find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 | High | |
| Cert: SSL certificate expires soon | The SSL certificate should be updated or it will become untrusted. | (last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} | Warning | Depends on: - Cert: SSL certificate is invalid |
| Cert: Fingerprint has changed | The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. | last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) | Info | Manual close: Yes |
Feedback
Please report any issues with the template at https://support.zabbix.com
You can also provide feedback, discuss the template, or ask for help at the ZABBIX forums.
This template is for Zabbix version: 5.4
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.4
Website certificate by Zabbix agent 2
Overview
For Zabbix version: 5.4 and higher
This template monitors the TLS/SSL certificate of a website via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns a JSON with certificate attributes.
Setup
See Zabbix template operation for basic instructions.
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Zabbix configuration
No specific Zabbix configuration is required.
Macros used
| Name | Description | Default |
|---|---|---|
| {$CERT.EXPIRY.WARN} | Number of days until the certificate expires. | 7 |
| {$CERT.WEBSITE.HOSTNAME} | The website DNS name for the connection. | <Put DNS name> |
| {$CERT.WEBSITE.IP} | The website IP address for the connection. | |
| {$CERT.WEBSITE.PORT} | The TLS/SSL port number of the website. | 443 |
Template links
There are no template links in this template.
Discovery rules
Items collected
| Group | Name | Description | Type | Key and additional info |
|---|---|---|---|---|
| General | Cert: Validation result | The certificate validation result. Possible values: valid/invalid/valid-but-self-signed | DEPENDENT | cert.validation Preprocessing: - JSONPATH: $.result.value |
| General | Cert: Last validation status | Last check result message. | DEPENDENT | cert.message Preprocessing: - JSONPATH: $.result.message |
| General | Cert: Version | The version of the encoded certificate. | DEPENDENT | cert.version Preprocessing: - JSONPATH: $.x509.version |
| General | Cert: Serial number | The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. | DEPENDENT | cert.serial_number Preprocessing: - JSONPATH: $.x509.serial_number |
| General | Cert: Signature algorithm | The algorithm identifier for the algorithm used by the CA to sign the certificate. | DEPENDENT | cert.signature_algorithm Preprocessing: - JSONPATH: $.x509.signature_algorithm |
| General | Cert: Issuer | The field identifies the entity that has signed and issued the certificate. | DEPENDENT | cert.issuer Preprocessing: - JSONPATH: $.x509.issuer |
| General | Cert: Valid from | The date on which the certificate validity period begins. | DEPENDENT | cert.not_before Preprocessing: - JSONPATH: $.x509.not_before.timestamp |
| General | Cert: Expires on | The date on which the certificate validity period ends. | DEPENDENT | cert.not_after Preprocessing: - JSONPATH: $.x509.not_after.timestamp |
| General | Cert: Subject | The field identifies the entity associated with the public key stored in the subject public key field. | DEPENDENT | cert.subject Preprocessing: - JSONPATH: $.x509.subject |
| General | Cert: Subject alternative name | The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). | DEPENDENT | cert.alternative_names Preprocessing: - JSONPATH: $.x509.alternative_names |
| General | Cert: Public key algorithm | The digital signature algorithm is used to verify the signature of a certificate. | DEPENDENT | cert.public_key_algorithm Preprocessing: - JSONPATH: $.x509.public_key_algorithm |
| General | Cert: Fingerprint | The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. | DEPENDENT | cert.sha1_fingerprint Preprocessing: - JSONPATH: $.sha1_fingerprint |
| Zabbix_raw_items | Cert: Get | Returns the JSON with attributes of a certificate of the requested site. | ZABBIX_PASSIVE | web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: 6h |
Triggers
| Name | Description | Expression | Severity | Dependencies and additional info |
|---|---|---|---|---|
| Cert: SSL certificate is invalid | SSL certificate has expired or it is issued for another domain. | find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1 | HIGH | |
| Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days) | The SSL certificate should be updated or it will become untrusted. | (last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN} | WARNING | Depends on: - Cert: SSL certificate is invalid |
| Cert: Fingerprint has changed (new version: {ITEM.VALUE}) | The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. | last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2) | INFO | Manual close: YES |
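How the raw web.certificate.get JSON feeds the three triggers above, shown as an added example that is not part of the template or of Zabbix itself. It uses only the JSONPaths listed in the items table; the sample JSON values and the function names extract and evaluate are constructed for illustration.

```python
import json

# Constructed samples shaped after the JSONPaths in the items table.
# Every value is made up; real plugin output carries more fields.
POLL_1 = json.dumps({
    "x509": {"not_after": {"timestamp": 1767225600}},
    "result": {"value": "valid"},
    "sha1_fingerprint": "aa" * 20,
})
POLL_2 = json.dumps({
    "x509": {"not_after": {"timestamp": 1775001600}},
    "result": {"value": "valid-but-self-signed"},
    "sha1_fingerprint": "bb" * 20,
})

def extract(raw):
    """Mimic the dependent items: pull out the fields the triggers read."""
    doc = json.loads(raw)
    return {
        "cert.validation": doc["result"]["value"],                # $.result.value
        "cert.not_after": doc["x509"]["not_after"]["timestamp"],  # $.x509.not_after.timestamp
        "cert.sha1_fingerprint": doc["sha1_fingerprint"],         # $.sha1_fingerprint
    }

def evaluate(previous, current, now, expiry_warn_days=7):
    """Return the names of the triggers that would be in PROBLEM state."""
    fired = []
    # find(...,"like","invalid") is a case-sensitive substring match, so
    # "valid" and "valid-but-self-signed" do not match it.
    invalid = "invalid" in current["cert.validation"]
    if invalid:
        fired.append("Cert: SSL certificate is invalid")
    days_left = (current["cert.not_after"] - now) / 86400
    # "expires soon" depends on "is invalid": suppressed while that one fires.
    if days_left < expiry_warn_days and not invalid:
        fired.append("Cert: SSL certificate expires soon")
    # last() <> last(,#2): compare the two most recent fingerprints.
    if previous is not None and (
        current["cert.sha1_fingerprint"] != previous["cert.sha1_fingerprint"]
    ):
        fired.append("Cert: Fingerprint has changed")
    return fired
```

A self-signed replacement certificate, as in POLL_2, raises only the Info-level fingerprint trigger, because valid-but-self-signed does not contain the substring "invalid".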
Feedback
Please report any issues with the template at https://support.zabbix.com
You can also provide feedback, discuss the template, or ask for help with it at the ZABBIX forums.
This template is for Zabbix version: 5.0
Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.0
Template App Website certificate by Zabbix agent 2
Overview
For Zabbix version: 5.0 and higher
This template monitors the TLS/SSL certificate of a website via Zabbix agent 2 and works without any external scripts.
Zabbix agent 2 with the WebCertificate plugin requests the certificate using the web.certificate.get key and returns a JSON with certificate attributes.
Setup
See Zabbix template operation for basic instructions.
1. Set up and configure zabbix-agent2 with the WebCertificate plugin.
2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
3. Create a host for the TLS/SSL certificate with a Zabbix agent interface.
4. Link the template to the host.
5. Customize the value of the {$CERT.WEBSITE.HOSTNAME} macro.
Zabbix configuration
No specific Zabbix configuration is required.
Macros used
| Name | Description | Default |
|---|---|---|
| {$CERT.EXPIRY.WARN} | Number of days until the certificate expires. | 7 |
| {$CERT.WEBSITE.HOSTNAME} | The website DNS name for the connection. | <Put DNS name> |
| {$CERT.WEBSITE.IP} | The website IP address for the connection. | |
| {$CERT.WEBSITE.PORT} | The TLS/SSL port number of the website. | 443 |
Template links
There are no template links in this template.
Discovery rules
Items collected
| Group | Name | Description | Type | Key and additional info |
|---|---|---|---|---|
| General | Cert: Validation result | The certificate validation result. Possible values: valid/invalid/valid-but-self-signed | DEPENDENT | cert.validation Preprocessing: - JSONPATH: $.result.value |
| General | Cert: Last validation status | Last check result message. | DEPENDENT | cert.message Preprocessing: - JSONPATH: $.result.message |
| General | Cert: Version | The version of the encoded certificate. | DEPENDENT | cert.version Preprocessing: - JSONPATH: $.x509.version |
| General | Cert: Serial number | The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero. | DEPENDENT | cert.serial_number Preprocessing: - JSONPATH: $.x509.serial_number |
| General | Cert: Signature algorithm | The algorithm identifier for the algorithm used by the CA to sign the certificate. | DEPENDENT | cert.signature_algorithm Preprocessing: - JSONPATH: $.x509.signature_algorithm |
| General | Cert: Issuer | The field identifies the entity that has signed and issued the certificate. | DEPENDENT | cert.issuer Preprocessing: - JSONPATH: $.x509.issuer |
| General | Cert: Valid from | The date on which the certificate validity period begins. | DEPENDENT | cert.not_before Preprocessing: - JSONPATH: $.x509.not_before.timestamp |
| General | Cert: Expires on | The date on which the certificate validity period ends. | DEPENDENT | cert.not_after Preprocessing: - JSONPATH: $.x509.not_after.timestamp |
| General | Cert: Subject | The field identifies the entity associated with the public key stored in the subject public key field. | DEPENDENT | cert.subject Preprocessing: - JSONPATH: $.x509.subject |
| General | Cert: Subject alternative name | The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI). | DEPENDENT | cert.alternative_names Preprocessing: - JSONPATH: $.x509.alternative_names |
| General | Cert: Public key algorithm | The digital signature algorithm is used to verify the signature of a certificate. | DEPENDENT | cert.public_key_algorithm Preprocessing: - JSONPATH: $.x509.public_key_algorithm |
| General | Cert: Fingerprint | The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form. | DEPENDENT | cert.sha1_fingerprint Preprocessing: - JSONPATH: $.sha1_fingerprint |
| Zabbix_raw_items | Cert: Get | Returns the JSON with attributes of a certificate of the requested site. | ZABBIX_PASSIVE | web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: 6h |
Triggers
| Name | Description | Expression | Severity | Dependencies and additional info |
|---|---|---|---|---|
| Cert: SSL certificate is invalid | SSL certificate has expired or it is issued for another domain. | {TEMPLATE_NAME:cert.validation.str("invalid")} = 1 | HIGH | |
| Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days) | The SSL certificate should be updated or it will become untrusted. | ({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN} | WARNING | Depends on: - Cert: SSL certificate is invalid |
| Cert: Fingerprint has changed (new version: {ITEM.VALUE}) | The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger. | {TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1 | INFO | Manual close: YES |
Feedback
Please report any issues with the template at https://support.zabbix.com
You can also provide feedback, discuss the template, or ask for help with it at the ZABBIX forums.