Need help with https-ssl-cert-check-zabbix?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

selivan
191 Stars 42 Forks Other 104 Commits 1 Opened issues

Description

Script to check validity and expiration of TLS/SSL certificate on site. May be used with Zabbix or standalone.

Services available

!
?

Need anything else?

Contributors list

# 192,465
C
nginx
Ubuntu
pxe
84 commits
# 165,005
C
aws-s3
s3
secure-...
4 commits
# 300,986
PHP
Shell
php7
persona...
4 commits
# 70,283
Go
bootstr...
hugo
openvpn
1 commit

Script to check validity and expiration of TLS/SSL certificate on remote host. Supports TLS SNI and STARTTLS for protocols like SMTP.

May be used standalone or with Zabbix. See the "Zabbix integration" section below.

Usage

ssl_cert_check.sh valid|expire  [port[/starttls protocol]] [domain for TLS SNI] [check timeout (seconds)]
  • [port]
    optional, default is 443
  • [starttls protocol]
    optional, use protocol-specific message to switch to TLS communication. See
    man s_client
    option
    -starttls
    for supported protocols, like
    smtp
    ,
    ftp
    ,
    ldap
    .
  • [domain for TLS SNI]
    optional, default is
    .
    SNI(Server Name Indication) is used to specify certificate domain name if it differs from the hostname.
  • [check timeout (seconds)]
    optional, default is 5 seconds

Return values

  • 1|0
    for validity check: 1 - valid, 0 - invalid, expired or unavailable
  • N
    number of days left for expiration check. Zero or negative value means certificate is expired
  • -65535
    site was unavailable for check timeout or incorrect script parameters

Exit code is always 0, otherwise zabbix agent fails to get item value and triggers would not work.

If the script is running without terminal(from zabbix), error messages are not printed, only exit code. The reason is that zabbix merges stdout and strerr to get an item value.

Examples

[email protected]:~$ ./ssl_cert_check.sh valid valid.example.com
1

[email protected]:~$ ./ssl_cert_check.sh valid imap.valid.example.com 993 1

SMTP on port 25 with STARTTLS to switch to TLS communication

[email protected]:~$ ./ssl_cert_check.sh valid smtp.valid.example.com 25/smtp 1

[email protected]:~$ ./ssl_cert_check.sh valid invalid.example.com 0

Expired certificate is not valid

[email protected]:~$ ./ssl_cert_check.sh valid expired.example.com 0

[email protected]:~$ ./ssl_cert_check.sh expire effective-next-90-days.example.com 90

[email protected]:~$ ./ssl_cert_check.sh expire expired-37-days-ago.example.com -37

NOTE: an error message is shown to stderr only when running on a terminal

Without terminal(from zabbix), only the result is printed to stdout

[email protected]:~$ ./ssl_cert_check.sh expire unavailable.example.com -65535 ERROR: Failed to get certificate

Check 127.0.0.1:443 for a valid certificate for example.com

TLS SNI(Server Name Indication) is set to example.com

[email protected]:~$ ./ssl_cert_check.sh valid 127.0.0.1 443 example.com 1

Check 127.0.0.1:443 for a valid certificate for example.com

TLS SNI(Server Name Indication) is set to example.com

Check timeout is 10 seconds(default is 5)

[email protected]:~$ ./ssl_cert_check.sh valid 127.0.0.1 443 example.com 10 1

Zabbix integration

Example of Zabbix user parameters is in

userparameters_ssl_cert_check.conf
.

You can write your own template or use one of two example templates in

zabbix_template_examples
directory.

basic
- basic template and userparameter for monitoring of one SSL cert per host
  • copy userparameterssslcertcheck.conf file into /etc/zabbix/zabbixagentd.d on host
  • import template in zabbix server, assign to host, fill macros on that host

advanced
- advanced template and userparameter for monitoring of multiple ssl certs per hosts
  • copy userparameterssslcertcheck.conf file into /etc/zabbix/zabbixagentd.d
  • copy and modify sslcertlist into /etc/zabbix/scripts/sslcertlist
  • import template in zabbix server, assign to host, either run discovery or wait

Using with busybox, like Alpine-based Docker images

Busybox

date
can not parse date format from
openssl
. If you are using the script in busybox, for example in Alpine-based Docker images, install
coreutils
and
bash
packages.

P.S. If this code is useful for you - don't forget to put a star on it's github repo.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.