Available solutions

This template is for Zabbix version: 7.4

Also available for: 7.2 7.0 6.4 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.4

Website certificate by Zabbix agent 2

Overview

This template is for monitoring a TLS/SSL certificate of a website via Zabbix agent 2, and it works without any external scripts. Zabbix agent 2 requests the certificate via the web.certificate.get key through the WebCertificate plugin and returns a JSON with certificate attributes.

Requirements

Zabbix version: 7.4 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Set up and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host with a Zabbix agent interface.

4. Link the template to the host.

5. Customize the values of the macros {$CERT.WEBSITE.HOSTNAME}, {$CERT.WEBSITE.IP}, and {$CERT.WEBSITE.PORT}. {$CERT.WEBSITE.HOSTNAME} is a required parameter in the Zabbix agent 2 web.certificate.get key, so it must have at least one value set. Other macros may be set as needed (details below). Note that multiple values can be specified, separated by commas. The corresponding values in other macros are processed in the order they are listed (see the table below for examples):

Macro	Value
{$CERT.WEBSITE.HOSTNAME}	hostname_01,hostname_02,hostname_03
{$CERT.WEBSITE.PORT}	port_01,,port_03
{$CERT.WEBSITE.IP}	,ip_02

As shown in the example above, the following websites will be discovered:

Website with the host name hostname_01 - the host name itself will be used for connection (because the address is set to an empty string); the port is port_01.
Website with the host name hostname_02 - will also be used for SNI verification; the address ip_02 will be used for connection, and the port will default to 443 (because it is set to an empty string).
Website the with host name hostname_03 - the host name itself will be used for connection (because the address is not set and treated as an empty string); the port is port_03.

For additional details, please refer to official documentation about the Zabbix agent 2 web.certificate.get key: https://www.zabbix.com/documentation/7.4/manual/config/items/itemtypes/zabbix_agent/zabbix_agent2#web.certificate.get

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website's DNS name used for the connection.	`<Enter DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website's IP address used for the connection.
{$CERT.PARAMS.CHECK}	The type of verification of input parameters. `STRICT` (default) - when an error occurs, the check stops. Any other value - erroneous records are ignored.	`STRICT`

Items

Name Description Type Key and additional info

Get data

Name	Description	Type	Key and additional info
Get data	Parses the parameters from user macros and returns a JSON string used in LLD.	Script	cert.get.data Preprocessing Discard unchanged with heartbeat: `1h`

Parses the parameters from user macros and returns a JSON string used in LLD.

Script

cert.get.data

Preprocessing

Discard unchanged with heartbeat: 1h

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: Error parse parameters	Some entries in the macro `{$CERT.WEBSITE.HOSTNAME}` are incorrect and ignored.	`jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 1`	Warning	Manual close: Yes
Certificate: Error parse parameters	Some entries in the macro `{$CERT.WEBSITE.HOSTNAME}` are incorrect. Please edit the macros to avoid data loss.	`jsonpath(last(/Website certificate by Zabbix agent 2/cert.get.data),"$.error.code", 0) = 2`	High	Manual close: Yes

LLD rule Website discovery

Name Description Type Key and additional info

Website discovery

Dependent item

Name	Description	Type	Key and additional info
Website discovery	Dependent item	cert.website.discovery Preprocessing JSON Path: `$.data`

cert.website.discovery

Preprocessing

JSON Path: $.data

Item prototypes for Website discovery

Name	Description	Type	Key and additional info
[{#CERT.WEBSITE.ITEMNAME}]: Get	Returns a JSON with the attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{#CERT.WEBSITE.HOSTNAME},{#CERT.WEBSITE.PORT},{#CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
[{#CERT.WEBSITE.ITEMNAME}]: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.result.value`
[{#CERT.WEBSITE.ITEMNAME}]: Last validation status	Message from the latest certificate check.	Dependent item	cert.message[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.result.message`
[{#CERT.WEBSITE.ITEMNAME}]: Version	The version of the encoded certificate.	Dependent item	cert.version[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.version`
[{#CERT.WEBSITE.ITEMNAME}]: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.serial_number`
[{#CERT.WEBSITE.ITEMNAME}]: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.signature_algorithm`
[{#CERT.WEBSITE.ITEMNAME}]: Issuer	The field identifies the entity that signed and issued the certificate.	Dependent item	cert.issuer[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.issuer`
[{#CERT.WEBSITE.ITEMNAME}]: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.not_before.timestamp`
[{#CERT.WEBSITE.ITEMNAME}]: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.not_after.timestamp`
[{#CERT.WEBSITE.ITEMNAME}]: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.subject`
[{#CERT.WEBSITE.ITEMNAME}]: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an e-mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.alternative_names`
[{#CERT.WEBSITE.ITEMNAME}]: Public key algorithm	The digital signature algorithm used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.public_key_algorithm`
[{#CERT.WEBSITE.ITEMNAME}]: Fingerprint	The certificate signature (SHA1 fingerprint or thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.sha1_fingerprint`

Trigger prototypes for Website discovery

Name	Description	Expression	Severity	Dependencies and additional info
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid	The SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation[{#CERT.WEBSITE.ITEMNAME}],,"like","invalid")=1`	High
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after[{#CERT.WEBSITE.ITEMNAME}]) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid
Cert [{#CERT.WEBSITE.ITEMNAME}]: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}]) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}],#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 7.2

Also available for: 7.4 7.0 6.4 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.2

Website certificate by Zabbix agent 2

Overview

The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Requirements

Zabbix version: 7.2 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Certificate: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Certificate: SSL certificate is invalid
Certificate: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 7.0

Also available for: 7.4 7.2 6.4 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/7.0

Website certificate by Zabbix agent 2

Overview

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Certificate: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Certificate: SSL certificate is invalid
Certificate: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 6.4

Also available for: 7.4 7.2 7.0 6.2 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.4

Website certificate by Zabbix agent 2

Overview

Requirements

Zabbix version: 6.4 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Cert: Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Cert: Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Cert: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Cert: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 6.2

Also available for: 7.4 7.2 7.0 6.4 6.0 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.2

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 6.2 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix raw items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	HIGH
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1

HIGH

Cert: SSL certificate expires soon

The SSL certificate should be updated or it will become untrusted.

(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 6.0

Also available for: 7.4 7.2 7.0 6.4 6.2 5.4 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/6.0

Website certificate by Zabbix agent 2

Overview

Requirements

Zabbix version: 6.0 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Cert: Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Cert: Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Cert: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Cert: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	High
Cert: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert: SSL certificate is invalid
Cert: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 5.4

Also available for: 7.4 7.2 7.0 6.4 6.2 6.0 5.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.4

Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.4 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

find(/Website certificate by Zabbix agent 2/cert.validation,,"like","invalid")=1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

(last(/Website certificate by Zabbix agent 2/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2/cert.sha1_fingerprint,#2)

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 5.0

Also available for: 7.4 7.2 7.0 6.4 6.2 6.0 5.4

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2?at=release/5.0

Template App Website certificate by Zabbix agent 2

Overview

For Zabbix version: 5.0 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts. Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returns JSON with certificate attributes.

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Zabbix configuration

No specific Zabbix configuration is required.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.IP}	The website IP address for the connection.	``
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`

Template links

There are no template links in this template.

Discovery rules

Items collected

Group	Name	Description	Type	Key and additional info
General	Cert: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	DEPENDENT	cert.validation Preprocessing: - JSONPATH: `$.result.value`
General	Cert: Last validation status	Last check result message.	DEPENDENT	cert.message Preprocessing: - JSONPATH: `$.result.message`
General	Cert: Version	The version of the encoded certificate.	DEPENDENT	cert.version Preprocessing: - JSONPATH: `$.x509.version`
General	Cert: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	DEPENDENT	cert.serial_number Preprocessing: - JSONPATH: `$.x509.serial_number`
General	Cert: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	DEPENDENT	cert.signature_algorithm Preprocessing: - JSONPATH: `$.x509.signature_algorithm`
General	Cert: Issuer	The field identifies the entity that has signed and issued the certificate.	DEPENDENT	cert.issuer Preprocessing: - JSONPATH: `$.x509.issuer`
General	Cert: Valid from	The date on which the certificate validity period begins.	DEPENDENT	cert.not_before Preprocessing: - JSONPATH: `$.x509.not_before.timestamp`
General	Cert: Expires on	The date on which the certificate validity period ends.	DEPENDENT	cert.not_after Preprocessing: - JSONPATH: `$.x509.not_after.timestamp`
General	Cert: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	DEPENDENT	cert.subject Preprocessing: - JSONPATH: `$.x509.subject`
General	Cert: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	DEPENDENT	cert.alternative_names Preprocessing: - JSONPATH: `$.x509.alternative_names`
General	Cert: Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	DEPENDENT	cert.public_key_algorithm Preprocessing: - JSONPATH: `$.x509.public_key_algorithm`
General	Cert: Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	DEPENDENT	cert.sha1_fingerprint Preprocessing: - JSONPATH: `$.sha1_fingerprint`
Zabbix_raw_items	Cert: Get	Returns the JSON with attributes of a certificate of the requested site.	ZABBIX_PASSIVE	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing: - DISCARD_UNCHANGED_HEARTBEAT: `6h`

Triggers

Name Description Expression Severity Dependencies and additional info

Cert: SSL certificate is invalid

Name	Description	Expression	Severity	Dependencies and additional info
Cert: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`{TEMPLATE_NAME:cert.validation.str("invalid")} = 1`	HIGH
Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)	The SSL certificate should be updated or it will become untrusted.	`({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}`	WARNING	Depends on: - Cert: SSL certificate is invalid
Cert: Fingerprint has changed (new version: {ITEM.VALUE})	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1`	INFO	Manual close: YES

SSL certificate has expired or it is issued for another domain.

{TEMPLATE_NAME:cert.validation.str("invalid")} = 1

HIGH

Cert: SSL certificate expires soon (less than {$CERT.EXPIRY.WARN} days)

The SSL certificate should be updated or it will become untrusted.

({TEMPLATE_NAME:cert.not_after.last()} - {TEMPLATE_NAME:cert.not_after.now()}) / 86400 < {$CERT.EXPIRY.WARN}

WARNING

Depends on:

- Cert: SSL certificate is invalid

Cert: Fingerprint has changed (new version: {ITEM.VALUE})

The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Ack to close.

There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.

{TEMPLATE_NAME:cert.sha1_fingerprint.diff()}=1

INFO

Manual close: YES

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide a feedback, discuss the template or ask for help with it at ZABBIX forums.

This template is for Zabbix version: 7.4

Also available for: 7.2 7.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2_active?at=release/7.4

Website certificate by Zabbix agent 2 active

Overview

Requirements

Zabbix version: 7.4 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Set up and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host with a Zabbix agent interface.

4. Link the template to the host.

Macro	Value
{$CERT.WEBSITE.HOSTNAME}	hostname_01,hostname_02,hostname_03
{$CERT.WEBSITE.PORT}	port_01,,port_03
{$CERT.WEBSITE.IP}	,ip_02

As shown in the example above, the following websites will be discovered:

Website with the host name hostname_01 - the host name itself will be used for connection (because the address is set to an empty string); the port is port_01.
Website with the host name hostname_02 - will also be used for SNI verification; the address ip_02 will be used for connection, and the port will default to 443 (because it is set to an empty string).
Website the with host name hostname_03 - the host name itself will be used for connection (because the address is not set and treated as an empty string); the port is port_03.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website's DNS name used for the connection.	`<Enter DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website's IP address used for the connection.
{$CERT.PARAMS.CHECK}	The type of verification of input parameters. `STRICT` (default) - when an error occurs, the check stops. Any other value - erroneous records are ignored.	`STRICT`

Items

Name Description Type Key and additional info

Get data

Name	Description	Type	Key and additional info
Get data	Parses the parameters from user macros and returns a JSON string used in LLD.	Script	cert.get.data Preprocessing Discard unchanged with heartbeat: `1h`

Parses the parameters from user macros and returns a JSON string used in LLD.

Script

cert.get.data

Preprocessing

Discard unchanged with heartbeat: 1h

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: Error parse parameters	Some entries in the macro `{$CERT.WEBSITE.HOSTNAME}` are incorrect and ignored.	`jsonpath(last(/Website certificate by Zabbix agent 2 active/cert.get.data),"$.error.code", 0) = 1`	Warning	Manual close: Yes
Certificate: Error parse parameters	Some entries in the macro `{$CERT.WEBSITE.HOSTNAME}` are incorrect. Please edit the macros to avoid data loss.	`jsonpath(last(/Website certificate by Zabbix agent 2 active/cert.get.data),"$.error.code", 0) = 2`	High	Manual close: Yes

LLD rule Website discovery

Name Description Type Key and additional info

Website discovery

Dependent item

Name	Description	Type	Key and additional info
Website discovery	Dependent item	cert.website.discovery Preprocessing JSON Path: `$.data`

cert.website.discovery

Preprocessing

JSON Path: $.data

Item prototypes for Website discovery

Name	Description	Type	Key and additional info
[{#CERT.WEBSITE.ITEMNAME}]: Get	Returns a JSON with the attributes of a certificate of the requested site.	Zabbix agent (active)	web.certificate.get[{#CERT.WEBSITE.HOSTNAME},{#CERT.WEBSITE.PORT},{#CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
[{#CERT.WEBSITE.ITEMNAME}]: Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.result.value`
[{#CERT.WEBSITE.ITEMNAME}]: Last validation status	Message from the latest certificate check.	Dependent item	cert.message[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.result.message`
[{#CERT.WEBSITE.ITEMNAME}]: Version	The version of the encoded certificate.	Dependent item	cert.version[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.version`
[{#CERT.WEBSITE.ITEMNAME}]: Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.serial_number`
[{#CERT.WEBSITE.ITEMNAME}]: Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.signature_algorithm`
[{#CERT.WEBSITE.ITEMNAME}]: Issuer	The field identifies the entity that signed and issued the certificate.	Dependent item	cert.issuer[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.issuer`
[{#CERT.WEBSITE.ITEMNAME}]: Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.not_before.timestamp`
[{#CERT.WEBSITE.ITEMNAME}]: Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.not_after.timestamp`
[{#CERT.WEBSITE.ITEMNAME}]: Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.subject`
[{#CERT.WEBSITE.ITEMNAME}]: Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an e-mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.alternative_names`
[{#CERT.WEBSITE.ITEMNAME}]: Public key algorithm	The digital signature algorithm used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.x509.public_key_algorithm`
[{#CERT.WEBSITE.ITEMNAME}]: Fingerprint	The certificate signature (SHA1 fingerprint or thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}] Preprocessing JSON Path: `$.sha1_fingerprint`

Trigger prototypes for Website discovery

Name	Description	Expression	Severity	Dependencies and additional info
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid	The SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2 active/cert.validation[{#CERT.WEBSITE.ITEMNAME}],,"like","invalid")=1`	High
Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2 active/cert.not_after[{#CERT.WEBSITE.ITEMNAME}]) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Cert [{#CERT.WEBSITE.ITEMNAME}]: SSL certificate is invalid
Cert [{#CERT.WEBSITE.ITEMNAME}]: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}]) <> last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint[{#CERT.WEBSITE.ITEMNAME}],#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 7.2

Also available for: 7.4 7.0

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2_active?at=release/7.2

Website certificate by Zabbix agent 2 active

Overview

Requirements

Zabbix version: 7.2 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent (active)	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2 active/cert.validation,,"like","invalid")=1`	High
Certificate: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2 active/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Certificate: SSL certificate is invalid
Certificate: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

This template is for Zabbix version: 7.0

Also available for: 7.4 7.2

Source: https://git.zabbix.com/projects/ZBX/repos/zabbix/browse/templates/app/certificate_agent2_active?at=release/7.0

Website certificate by Zabbix agent 2 active

Overview

Requirements

Zabbix version: 7.0 and higher.

Tested versions

This template has been tested on:

Website TLS/SSL certificate

Configuration

Setup

1. Setup and configure zabbix-agent2 with the WebCertificate plugin.

2. Test availability: zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]

3. Create a host for the TLS/SSL certificate with Zabbix agent interface.

4. Link the template to the host.

5. Customize the value of {$CERT.WEBSITE.HOSTNAME} macro.

Macros used

Name	Description	Default
{$CERT.EXPIRY.WARN}	Number of days until the certificate expires.	`7`
{$CERT.WEBSITE.HOSTNAME}	The website DNS name for the connection.	`<Put DNS name>`
{$CERT.WEBSITE.PORT}	The TLS/SSL port number of the website.	`443`
{$CERT.WEBSITE.IP}	The website IP address for the connection.

Items

Name	Description	Type	Key and additional info
Get	Returns the JSON with attributes of a certificate of the requested site.	Zabbix agent (active)	web.certificate.get[{$CERT.WEBSITE.HOSTNAME},{$CERT.WEBSITE.PORT},{$CERT.WEBSITE.IP}] Preprocessing Discard unchanged with heartbeat: `6h`
Validation result	The certificate validation result. Possible values: valid/invalid/valid-but-self-signed	Dependent item	cert.validation Preprocessing JSON Path: `$.result.value`
Last validation status	Last check result message.	Dependent item	cert.message Preprocessing JSON Path: `$.result.message`
Version	The version of the encoded certificate.	Dependent item	cert.version Preprocessing JSON Path: `$.x509.version`
Serial number	The serial number is a positive integer assigned by the CA to each certificate. It is unique for each certificate issued by a given CA. Non-conforming CAs may issue certificates with serial numbers that are negative or zero.	Dependent item	cert.serial_number Preprocessing JSON Path: `$.x509.serial_number`
Signature algorithm	The algorithm identifier for the algorithm used by the CA to sign the certificate.	Dependent item	cert.signature_algorithm Preprocessing JSON Path: `$.x509.signature_algorithm`
Issuer	The field identifies the entity that has signed and issued the certificate.	Dependent item	cert.issuer Preprocessing JSON Path: `$.x509.issuer`
Valid from	The date on which the certificate validity period begins.	Dependent item	cert.not_before Preprocessing JSON Path: `$.x509.not_before.timestamp`
Expires on	The date on which the certificate validity period ends.	Dependent item	cert.not_after Preprocessing JSON Path: `$.x509.not_after.timestamp`
Subject	The field identifies the entity associated with the public key stored in the subject public key field.	Dependent item	cert.subject Preprocessing JSON Path: `$.x509.subject`
Subject alternative name	The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier (URI).	Dependent item	cert.alternative_names Preprocessing JSON Path: `$.x509.alternative_names`
Public key algorithm	The digital signature algorithm is used to verify the signature of a certificate.	Dependent item	cert.public_key_algorithm Preprocessing JSON Path: `$.x509.public_key_algorithm`
Fingerprint	The Certificate Signature (SHA1 Fingerprint or Thumbprint) is the hash of the entire certificate in DER form.	Dependent item	cert.sha1_fingerprint Preprocessing JSON Path: `$.sha1_fingerprint`

Triggers

Name	Description	Expression	Severity	Dependencies and additional info
Certificate: SSL certificate is invalid	SSL certificate has expired or it is issued for another domain.	`find(/Website certificate by Zabbix agent 2 active/cert.validation,,"like","invalid")=1`	High
Certificate: SSL certificate expires soon	The SSL certificate should be updated or it will become untrusted.	`(last(/Website certificate by Zabbix agent 2 active/cert.not_after) - now()) / 86400 < {$CERT.EXPIRY.WARN}`	Warning	Depends on: Certificate: SSL certificate is invalid
Certificate: Fingerprint has changed	The SSL certificate fingerprint has changed. If you did not update the certificate, it may mean your certificate has been hacked. Acknowledge to close the problem manually. There could be multiple valid certificates on some installations. In this case, the trigger will have a false positive. You can ignore it or disable the trigger.	`last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint) <> last(/Website certificate by Zabbix agent 2 active/cert.sha1_fingerprint,#2)`	Info	Manual close: Yes

Feedback

Please report any issues with the template at https://support.zabbix.com

You can also provide feedback, discuss the template, or ask for help at ZABBIX forums

Link	Source	Compatibility	Type, Technology	Created Updated
Script to check validity and expiration of TLS/SSL certificate for given host, port and (optional) servername. github.com/selivan/https-ssl-cert-check-zabbix	GitHub 👁 Image 282	script shell	2016-06-23 2 y	Popular
SSL check LLD Main idea is monitoring several URL with SSL in one Zabbix host. Data for LLD provide JSON file.This is originally based on https://share.zabbix.com/cat-app/web-servers/ssl-certificates-check with modifications to the script and template.Added domain registration expiration check template_domain_registration_expiration_and_ssl_certificates_check_lld	GitHub Community Templates	5.0+
Web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration Allows you to turn web monitoring steps from Zabbix into an LLD to also monitor them for certificate expiration. It requires two PHP files, two UserParameters, an SQL user with SELECT permissions and this template to get up and running. github.com/albinbatman/zabbix-ssl-monitor-template	GitHub 👁 Image 7	Template PHP	2020-08-29 3 y
Zabbix template check ssl with python script github.com/cavazquez/zabbix_template_ssl	GitHub 👁 Image 3	Templates, Scripts Python	2017-04-17 3 y
zabbix ssl certificates checking github.com/jjjbushjjj/zabbix-cert-check	GitHub 👁 Image 3	Python	2016-12-06 6 y
Simple scripts for monitoring state of ssl certificates and http codes via zabbix. github.com/tarwirdur/zabbix-https-checker	GitHub 👁 Image 3	Templates, Scripts Bash	2018-05-31 3 y
Discover and monitor SSL certificates in Zabbix Scripts, Zabbix userparameters, and Zabbix templates for monitoring SSL certificate expiration from Zabbix. github.com/nbarnum/zabbix-ssl-check	GitHub 👁 Image 1	Templates, Scripts Python	2017-10-30 4 y
Check SSL certificate for expiration Script to check ssl github.com/moobay9/zabbix-ssl-certificate-expire-check [cn]	GitHub	Templates, Scripts Bash	2015-08-07 10 y

See all Zabbix community templates

URL: https://www.zabbix.com/integrations/ssl

⇱ SSL Certificate monitoring and integration with Zabbix

Zabbix + SSL Certificate

SSL Certificate

Available solutions

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

LLD rule Website discovery

Item prototypes for Website discovery

Trigger prototypes for Website discovery

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Requirements

Tested versions

Configuration

Setup

Macros used

Items

Triggers

Feedback

Website certificate by Zabbix agent 2

Overview

Setup

Zabbix configuration

Macros used

Template links

Discovery rules

Items collected

Triggers

Feedback

Template App Website certificate by Zabbix agent 2

Overview