Monitoring SSL Certificate Expiration with Zabbix Using a Shell Script
This guide explains how to create a shell script that checks SSL certificate expiration dates and integrates it with Zabbix by configuring a user parameter, testing the script, and setting up monitoring items, triggers, graphs, and alerts to ensure services remain available.
As the number of projects and systems grows, it becomes necessary to monitor SSL certificates to prevent service outages.
The provided check_ssl.sh script accepts a host and port, retrieves the certificate's expiration date using openssl, converts the date to seconds, compares it with the current time, and outputs the remaining days.
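    #!/bin/sh
    # Usage: check_ssl.sh HOST PORT
    # Prints the number of whole days until the certificate served at HOST:PORT expires.
    host=$1
    port=$2
    # </dev/null closes stdin so s_client exits after the handshake; variables are
    # quoted so arguments passed in by the agent are never word-split by the shell.
    end_date=$(openssl s_client -servername "$host" -host "$host" -port "$port" -showcerts </dev/null 2>/dev/null |
        sed -n '/BEGIN CERTIFICATE/,/END CERT/p' |
        openssl x509 -text 2>/dev/null |
        sed -n 's/ *Not After : *//p')
    if [ -n "$end_date" ]; then
        # --date is a GNU date option
        end_date_seconds=$(date '+%s' --date "$end_date")
        now_seconds=$(date '+%s')
        echo "($end_date_seconds-$now_seconds)/24/3600" | bc
    fi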
1. Configure Zabbix Agent: Add a UserParameter=check_ssl[*],/usr/local/zabbix/etc/check_ssl.sh $1 $2 entry to the agent configuration.
2. Test the Script: Run sh -x check_ssl.sh example.com 443 to verify correct output.
3. Configure Zabbix Monitoring:
   - Create a monitoring item that calls the user parameter.
   - Set up a trigger such as "example.com 443 SSL certificate expires in 10 days".
   - Design graphs to visualize certificate validity periods.
   - Test the alarm to ensure notifications are sent when the certificate approaches expiration.
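The script above prints nothing when no certificate date is retrieved, and it passes the host and port it receives straight to openssl. The following is an added example, not part of the original article's script, that validates both arguments and prints -1 on any failure so that a "fewer than N days" trigger also fires when the check itself breaks. The function names and the -1 sentinel are assumptions made for this example, and it relies on GNU date as the original does.

```shell
#!/bin/sh
# Added example: hardened variant of the article's check (not the original script).
# Assumes GNU date (-d), as the original script does.

# valid_target HOST PORT: succeed only for a plain hostname/IPv4 and a port 1-65535.
# A leading "-" is refused so the value can never be read by openssl as an option.
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#2}" -le 5 ] && [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# days_left NOTAFTER [NOW_EPOCH]: whole days until NOTAFTER, truncated toward zero
# (0 or negative once expired). Fails if the date is empty or cannot be parsed.
days_left() {
    [ -n "$1" ] || return 1
    end=$(date -u -d "$1" '+%s' 2>/dev/null) || return 1
    now=${2:-$(date '+%s')}
    echo $(( (end - now) / 86400 ))
}

# check_ssl HOST PORT: print days remaining, or -1 (sentinel chosen for this example)
# when the input is rejected or no certificate date could be read.
check_ssl() {
    valid_target "$1" "$2" || { echo -1; return 0; }
    end_date=$(openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    if [ -n "$end_date" ] && days_left "$end_date"; then return 0; fi
    echo -1
}

# Run as a script only when called with exactly HOST and PORT.
if [ "$#" -eq 2 ]; then check_ssl "$1" "$2"; fi
```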
Following these steps provides automated SSL certificate monitoring within Zabbix, helping maintain service reliability.
Practical DevOps Architecture