
SSL Certificate Expiry Check with Zabbix on FreeBSD

Posted in FreeBSD, Templates, Zabbix

Monitoring SSL certificate expiry for web services, both internally and on the public Internet, is important: not only for the availability of those services, but also to save face.

The following shell script does exactly that from the command line, with the syntax shown below. Note that if your web server hosts multiple SSL-enabled websites on a single IP address, Server Name Indication (SNI) will be in use. In that case, make sure to include the hostname after the port number, as shown below.

N.B. There is a dependency on OpenSSL; I have yet to test with LibreSSL or any other crypto libraries.

Both files (the script and the Zabbix template) can be downloaded from share.zabbix.com (Direct Link: SSL Cert Check).

zext_ssl_cert.sh [-i|-d] hostname port [sni] [starttls-proto]
     -i Show Issuer
     -d Show valid days remaining
e.g. zext_ssl_cert.sh -d jameslodge.com 443 jameslodge.com

By adding the shell script to your externalscripts folder in Zabbix and importing the template, you can monitor your SSL certificates and be notified at 90, 60, 30 and 7 days before expiry, and once a certificate has expired.

zext_ssl_cert.sh

#! /bin/sh
#------------------------------------------------------------
# zext_ssl_cert.sh
# Script checks for number of days until certificate expires or the issuing authority
# depending on switch passed on command line.
#
# Usage: zext_ssl_cert.sh [-i|-d] hostname port [sni] [starttls-proto]
#
#Based on script from aperto.fr
#(http://aperto.fr/cms/en/blog/15-blog-en/15-ssl-certificate-expiration-monitoring-with-zabbix.html)
#with additions by racooper@tamu.edu
# UPDATE BY: James Lodge
# EMAIL: email@jameslodge.com
# DATE: 05032016
#	date command changed for FreeBSD as original syntax for Linux
#------------------------------------------------------------

DEBUG=0
if [ $DEBUG -gt 0 ]
then
    exec 2>>/tmp/my.log
    set -x
fi

f=$1
host=$2
port=$3
sni=$4
proto=$5        # optional STARTTLS protocol handed to openssl -starttls (e.g. smtp)

# Use the SNI name for the TLS handshake if one was given, else the hostname itself
if [ -z "$sni" ]
then
    servername=$host
else
    servername=$sni
fi

if [ -n "$proto" ]
then
    starttls="-starttls $proto"
fi

# Fetch the server's certificate chain and keep the PEM blocks; the first block
# is the leaf certificate, which is all openssl x509 reads below.
# stdin is redirected from /dev/null so s_client does not wait for input.
# $starttls is deliberately unquoted so it expands to two words, or to nothing.
get_cert() {
    openssl s_client -servername "$servername" -connect "$host:$port" -showcerts $starttls -prexit </dev/null 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERT/p'
}

case $f in
-d)
    # e.g. "Apr 12 12:00:00 2017 GMT"
    end_date=$(get_cert | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p')

    if [ -n "$end_date" ]
    then
        # FreeBSD date(1): -j = do not set the clock, -f = input format to parse
        end_date_seconds=$(date -j -f '%b %d %H:%M:%S %Y %Z' "$end_date" +%s)
        now_seconds=$(date '+%s')
        # whole days remaining; negative once the certificate has expired
        echo "($end_date_seconds-$now_seconds)/24/3600" | bc
    fi
    ;;

-i)
    issue_dn=$(get_cert | openssl x509 -text 2>/dev/null | sed -n 's/ *Issuer: *//p')

    if [ -n "$issue_dn" ]
    then
        # keep only the CN; older OpenSSL prints "CN=name", newer "CN = name"
        issuer=$(echo "$issue_dn" | sed -n 's/.*CN *= *//p')
        echo "$issuer"
    fi
    ;;
*)
    echo "usage: $0 [-i|-d] hostname port [sni] [starttls-proto]"
    echo "    -i Show Issuer"
    echo "    -d Show valid days remaining"
    ;;
esac
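
As an added example (not code from the post or from the share.zabbix.com template), the date arithmetic from the script above made portable between FreeBSD/macOS date(1) and GNU date(1), together with the 90/60/30/7-day and expired bands the template notifies on, run offline over a constructed fragment of openssl x509 -text output. SAMPLE_X509_TEXT, the function names and the band boundaries are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: the expiry arithmetic of
# zext_ssl_cert.sh made portable across FreeBSD/macOS date(1) (-j -f) and
# GNU date(1) (-d), plus the 90/60/30/7/expired bands the template alerts on.
# SAMPLE_X509_TEXT is a constructed fragment of x509 -text output, not a real cert.

SAMPLE_X509_TEXT='Certificate:
    Data:
        Validity
            Not Before: Jan 12 12:00:00 2017 GMT
            Not After : Apr 12 12:00:00 2017 GMT
        Subject: CN=www.example.com'

# Pull the "Not After" value out of x509 -text output on stdin
# (the same sed expression the script uses; "Not Before" does not match).
extract_not_after() {
    sed -n 's/ *Not After : *//p'
}

# "Apr 12 12:00:00 2017 GMT" -> epoch seconds. BSD date(1) is tried first
# (the form the post needed on FreeBSD); GNU date(1) is the fallback.
notafter_to_epoch() {
    date -j -f '%b %d %H:%M:%S %Y %Z' "$1" +%s 2>/dev/null ||
        date -d "$1" +%s 2>/dev/null
}

# Whole days left; $2 is "now" in epoch seconds (defaults to the clock) so the
# result is reproducible. Division truncates toward zero, like the bc version.
days_remaining() {
    end=$(notafter_to_epoch "$1") || return 1
    now=${2:-$(date +%s)}
    echo $(( (end - now) / 86400 ))
}

# Map days remaining to the notification bands described in the post.
expiry_band() {
    if   [ "$1" -lt 0 ];  then echo expired
    elif [ "$1" -le 7 ];  then echo 7
    elif [ "$1" -le 30 ]; then echo 30
    elif [ "$1" -le 60 ]; then echo 60
    elif [ "$1" -le 90 ]; then echo 90
    else echo ok
    fi
}

# Stand-alone run over the constructed sample against the real clock.
not_after=$(printf '%s\n' "$SAMPLE_X509_TEXT" | extract_not_after)
days=$(days_remaining "$not_after")
echo "Not After: $not_after -> $days days ($(expiry_band "$days"))"
```

Because the sample certificate expired in 2017, running this today reports a negative day count and the expired band; feed a current "Not After" string to see the other bands.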
