How to Monitor SSL Certificate Expiry with Zabbix

Learn how to monitor SSL certificate expiry using Zabbix with automated scripts and triggers. Avoid service disruptions by setting up alerts for expiring certificates.

🔈 Introduction

In today’s secure-by-default internet, SSL/TLS certificates are essential for encrypting web traffic and building user trust. However, managing and renewing these certificates across multiple servers or domains can be a challenge—especially when one expires unnoticed, leading to broken services or alarming browser warnings.

Zabbix, a powerful open-source monitoring solution, provides a reliable way to monitor the expiry of SSL certificates. In this guide, we’ll walk you through how to set up and automate SSL certificate expiry checks using Zabbix, with examples for both Linux-based proxies and native item prototypes.


🤔 Why Monitor SSL Certificate Expiry?

Failing to renew SSL certificates can:

  • Disrupt website availability
  • Break HTTPS services
  • Lead to service trust loss
  • Cause failed API requests or integrations
  • Damage SEO rankings due to “untrusted” domains

By automating SSL expiry monitoring, you can get notified before a certificate expires, reducing manual tracking and increasing service uptime.


🔧 Tools Required

Tool | Purpose | Compatible Systems
Zabbix Server | Central Monitoring Engine | Debian, RHEL, Ubuntu, CentOS
Zabbix Agent | Monitoring endpoints | Debian, RHEL, Windows
openssl | SSL certificate inspection | All Linux/Unix
Optional: Bash/Python | Script automation | All Linux/Unix

Zabbix Architecture Overview

In a typical monitoring setup:

  • Zabbix Server gathers data
  • Zabbix Agent on target nodes or proxy collects SSL info
  • External Scripts or User Parameters evaluate expiry dates
  • Triggers alert when expiry is near

You can monitor certificates from a remote domain (e.g. google.com) or locally stored .crt/.pem files.


How Zabbix Can Monitor SSL Certificates

Zabbix can monitor SSL expiry in three main ways:

  1. Web Monitoring Item (HTTPS check)
     Checks SSL availability but doesn’t check expiry date.
  2. External Script with OpenSSL
     Uses a custom script to fetch expiry data and returns remaining days.
  3. UserParameter in Zabbix Agent
     Adds a custom monitoring key that executes a command locally.

For better control and insight, Method 2 or 3 is recommended.


🔐 Monitoring SSL Certificate Expiry in Zabbix: Step-by-Step Guide

Let’s monitor the SSL certificate for example.com and get alerts 30 days before it expires.

Create SSL Expiry Check Script

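Save the following Bash script on the Zabbix Agent host:

#!/bin/bash
# Print the number of whole days until the TLS certificate served by
# HOST:PORT expires. Requires GNU date for "date -d".

HOST=$1
PORT=${2:-443}

# Fetch the certificate and extract its notAfter date.
end_date=$(echo | openssl s_client -servername "$HOST" -connect "$HOST:$PORT" 2>/dev/null \
  | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)

# No certificate retrieved: report 0, which is below the 30-day threshold.
if [ -z "$end_date" ]; then
  echo "0"
  exit 1
fi

end_ts=$(date -d "$end_date" +%s)
now_ts=$(date +%s)

diff_days=$(( (end_ts - now_ts) / 86400 ))

# An expired certificate gives a negative value, which a
# Numeric (unsigned) item cannot store; report 0 instead.
if [ "$diff_days" -lt 0 ]; then
  diff_days=0
fi

echo "$diff_days"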

Make it executable:

chmod +x /usr/lib/zabbix/externalscripts/ssl_check.sh

Zabbix Item Configuration

In the Zabbix frontend:

  • Host: Add or choose your existing host
  • Item Type: External Check
  • Key: ssl_check.sh["example.com"]
  • Name: SSL Certificate Expiry - example.com
  • Type of Information: Numeric (unsigned)
  • Update Interval: 1h or 6h
  • History Storage: 90d (or based on your retention)

Create Trigger for Expiry Warning

Go to Configuration > Hosts > Triggers:


Trigger Expression:

{your-host:ssl_check.sh["example.com"].last()}<30

Name:

SSL Certificate for example.com expires in less than 30 days

Severity: High

Add a recovery expression (optional):

{your-host:ssl_check.sh["example.com"].last()}>30

Using External Script on Zabbix Agent

Zabbix supports calling scripts from:

  • /usr/lib/zabbix/externalscripts/ (for external checks)
  • /etc/zabbix/zabbix_agentd.d/ (for UserParameter definitions)

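To use it as a UserParameter, make the script available at the path the parameter references (/usr/local/bin/ssl_check.sh here) and add the following to /etc/zabbix/zabbix_agentd.d/userparameter_ssl.conf:

UserParameter=ssl.expiry[*],/usr/local/bin/ssl_check.sh "$1" "$2"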

Restart the Zabbix agent:

systemctl restart zabbix-agent

Now you can call the item key: ssl.expiry[example.com,443]
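
The script and the ssl.expiry[*] key above hand item-key parameters to the command line as they arrive. As an added example (not the article's script), the variant below checks host and port before use, bounds the connection with a timeout, and reports 0 for an expired certificate so the value fits a Numeric (unsigned) item. The function names are hypothetical, and GNU date and the coreutils timeout command are assumed.

```shell
#!/bin/sh
# Added example (not the article's script). Function names are hypothetical.
# Assumes GNU date (for "date -d") and the coreutils "timeout" command.

# Accept only hostname characters and a port in 1-65535, so an item key
# parameter cannot carry spaces or shell metacharacters into the command.
valid_target() {
  case $1 in
    ''|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  case $2 in
    ''|*[!0-9]*|??????*) return 1 ;;
  esac
  [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Whole days from now_ts (epoch seconds) to an openssl notAfter string.
# Negative when the certificate has already expired.
days_left() {
  end_ts=$(date -u -d "$1" +%s 2>/dev/null) || return 1
  echo $(( (end_ts - $2) / 86400 ))
}

# Same value clamped at 0, which is what a Numeric (unsigned) item can store.
unsigned_days() {
  d=$(days_left "$1" "$2") || return 1
  if [ "$d" -lt 0 ]; then d=0; fi
  echo "$d"
}

# Remote check: validate, fetch with a time limit, then convert.
check_expiry() {
  host=$1 port=${2:-443}
  valid_target "$host" "$port" || { echo "invalid host or port" >&2; return 2; }
  end_date=$(timeout 10 openssl s_client -servername "$host" \
      -connect "$host:$port" </dev/null 2>/dev/null \
    | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
  [ -n "$end_date" ] || { echo "no certificate from $host:$port" >&2; return 1; }
  unsigned_days "$end_date" "$(date +%s)"
}

# Run the check only when arguments are given (host, optional port).
if [ "$#" -gt 0 ]; then check_expiry "$@"; fi
```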


Sample CLI for Debugging SSL Expiry

To manually check expiry with OpenSSL:

echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null \
  | openssl x509 -noout -dates

Expected output:

notBefore=Apr  1 00:00:00 2025 GMT
notAfter=Jul  1 23:59:59 2025 GMT

Convert to days left:

end_date=$(openssl x509 -noout -enddate -in cert.pem | cut -d= -f2)
echo $(( ($(date -d "$end_date" +%s) - $(date +%s)) / 86400 ))

📊 Zabbix Item and Trigger Matrix

Component | Value / Command | Description
Item Type | External Check | Calls external script
Key | ssl_check.sh["example.com"] | Checks SSL expiry in days
Trigger Expression | <30 | Triggers when cert is <30 days left
Data Type | Numeric (unsigned) | Used for calculating thresholds
Script Location | /usr/lib/zabbix/externalscripts/ | Where Zabbix server fetches scripts

🏁 Conclusion

Monitoring SSL certificate expiry with Zabbix gives your organization a reliable, automated solution to avoid service outages and security warnings. With external scripts or agent-based checks, you can track certificate validity across domains, intranet services, or local files.

By integrating these checks into your existing Zabbix alerts and dashboards, your IT team gets full visibility—and ample warning—long before a certificate ever expires.