How to never miss that SSL expiration notice

First of all, I wanted to say that I am aware it’s 2017 and everyone is in the cloud these days, with services like Let’s Encrypt and AWS Certificate Manager covering automatic and free SSL certificate renewal.

But even with all this automation and these reminders there is room for mistakes, which, in the case of SSL, might lead to a major outage. That is even more frustrating because it's a really small thing to do.

In Zabbix, two key things you need to automate SSL expiration date monitoring are User Parameters and Discovery.

A User Parameter allows you to define a custom metric in Zabbix. Basically, you can associate a UserParameter with a shell script and perform any action at configured intervals.

User Parameter in Zabbix agent

Here is the User Parameter I am using:

UserParameter=webserver.ssl.expiry[*],bash /etc/zabbix/zabbix_agentd.d/scripts/zbx_ssl.sh $1

A UserParameter is first defined in the Zabbix agent configuration file. It consists of two comma-separated parts:

  • item key: string, can be anything. [*] at the end of the string indicates that item can accept parameters
  • command that will be executed by Zabbix agent. If the key contains parameters, they can be used in command as $1, $2, $3 and so on

zbx_ssl.sh contains a few lines that calculate the number of days remaining for the SSL certificate. There are a bunch of ways this can be achieved, so I will not be pasting my own here. They can be googled easily.
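Since the post leaves zbx_ssl.sh out, here is one way such a script could look. It is an added example, not the author's script: the function names, port 443 and the 10-second timeout are assumptions, and it relies on GNU date and the openssl CLI.

```bash
#!/usr/bin/env bash
# Added example, not the author's zbx_ssl.sh. Prints whole days until the
# certificate served for DOMAIN on port 443 expires (negative = expired).
set -u

# The domain arrives as a Zabbix key parameter: accept hostname characters only.
valid_domain() {
  case "$1" in
    ''|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# Convert openssl's "notAfter=Jan 31 00:00:00 2030 GMT" into days left,
# relative to NOW (epoch seconds). Relies on GNU date to parse the timestamp.
days_left() {
  local expiry diff
  expiry=$(date -u -d "${1#notAfter=}" +%s 2>/dev/null) || return 1
  diff=$(( expiry - $2 ))
  # Floor division, so a certificate that expired an hour ago reports -1, not 0.
  if [ "$diff" -lt 0 ]; then
    echo $(( 0 - (86399 - diff) / 86400 ))
  else
    echo $(( diff / 86400 ))
  fi
}

# Fetch the served certificate (with SNI) and print its notAfter line.
fetch_not_after() {
  timeout 10 openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -enddate 2>/dev/null
}

main() {
  local end
  valid_domain "$1" || { echo "invalid domain" >&2; return 2; }
  end=$(fetch_not_after "$1") && [ -n "$end" ] || { echo "no certificate from $1" >&2; return 1; }
  days_left "$end" "$(date +%s)"
}

# Run only when called with an argument, as the UserParameter does with $1.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

When the connection fails or the certificate cannot be parsed, the script exits non-zero without printing a number, so a broken check is not mistaken for a healthy certificate.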

User Parameter for Zabbix Discovery

Zabbix Discovery takes a JSON document as input and creates items based on the document's contents.

Here is the custom User Parameter I am using for Discovery Rule:

UserParameter=webserver.domains,bash /etc/zabbix/zabbix_agentd.d/scripts/zbx_domain_list.sh

The contents of that bash script can be found here: https://gist.github.com/sesukovs/4fad54c051c92b14c26e2ca2c42e166c

Discovery, Item and Trigger configuration

First, create a new Discovery rule for your host and use webserver.domains as the key.

Next, add a new item prototype:

  • Name: SSL certificate for {#DOMAIN} will expire in (days)
  • Key: webserver.ssl.expiry[{#DOMAIN}]
  • Update interval: I would recommend something around 24h. There is really no reason why you would want this to be checked every 30 seconds

Lastly, create a trigger prototype:

  • Name: {#DOMAIN} SSL certificate will expire in {ITEM.VALUE1} days!
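  • Expression: {<hostname>:webserver.ssl.expiry[{#DOMAIN}].last()}<29 (where <hostname> is a placeholder for the host or template that owns the discovery rule)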

This will warn you if you have less than 29 days left in your current certificate, which gives you plenty of time to check and resolve the problem before it becomes critical. You can of course adjust the time to better suit your needs.

That’s it! Now you have a list of your domains in Zabbix, each is being checked for SSL certificate expiration date and whenever you add a new domain to your server, it will be discovered and added to Zabbix automatically.

There are millions of ways this can be improved, from adding this discovery rule and its prototypes to a Zabbix template to automating agent and server configuration with Chef.

P.S.: I am using Zabbix mostly due to historical reasons. Also, because it is being developed in an office located just 5 minutes from my home (I don’t know anybody from the team personally though). I am sure the solution can be adapted to a number of other monitoring systems and/or used in a simple shell script in cron.

What matters is that you have it in place 😉

Like what you read? Give Viktors Sesukovs a round of applause.
