omni-lchen / zabbix-ssl


Expected separator between values at line 6, column 2 #3

Open RVilhelmsen opened 7 years ago

RVilhelmsen commented 7 years ago

Hi

Running sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix gives me the following error: Expected separator between values at line 6, column 2

Thoughts?

Robert

omni-lchen commented 7 years ago

Try to use "bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1"

RVilhelmsen commented 7 years ago

Same problem.

bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomianGroup1
parse error: Expected separator between values at line 6, column 2

RVilhelmsen commented 7 years ago

Okay, I was missing some commas after the domain names in the sslcertsdomain.json file. Fixed this. Now I get:

jq: error: Cannot iterate over null
sent: 0; skipped: 0; total: 0

Ideas?

RVilhelmsen commented 7 years ago

Ran the job again and this time it did not fail?

bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 Zabbix
0

So what does 0 mean? I would have expected to see some items be created in Zabbix?

omni-lchen commented 7 years ago

0 means the client can't get SSL certificate info from the website, please check you can connect to the https website, you can run this command to check:

timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts </dev/null 2>/dev/null

RVilhelmsen commented 7 years ago

sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts
jq: error: Cannot iterate over null
sent: 0; skipped: 0; total: 0

This is every time now?

RVilhelmsen commented 7 years ago

timeout 3 openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts

CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Domain Validation CA - SHA256 - G2
verify error:num=20:unable to get local issuer certificate
verify return:0

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.kaufmann.dk
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
[certificate body omitted]

So it gets the certificate.

omni-lchen commented 7 years ago

I think your sslCertDomains.json file might not be well formatted, try this command:

cat sslCertDomains.json | jq .

RVilhelmsen commented 7 years ago

cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq

jq - commandline JSON processor [version 1.3]
Usage: jq [options] [file...]

Looks like jq needs a parameter for this.

Anyway - the problem might be related to openssl not being able to verify the certificate, as it cannot find the root CA - which is in /etc/ssl/certs/ca-certificates.crt. If I put "-CApath /etc/ssl/certs" on the command "timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain"", the certificate validates with success.

But somehow even if I do export "SSL_CERT_PATH=/etc/ssl/certs/" "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" openssl does not find the CA certificates.

Is it possible to include the -CApath in the script?

omni-lchen commented 7 years ago

You are missing a dot at the end.

cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq .

RVilhelmsen commented 7 years ago

ohh

cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq .
{
  "DomainGroup2": [
    { "domain": "www.www.axel.dk" },
    { "domain": "support.kaufmann.dk" },
    { "domain": "www.kaufmann-store.com" }
  ],
  "DomainGroup1": [
    { "domain": "www.kaufmann.dk" },
    { "domain": "www.quint.dk" },
    { "domain": "www.qnts.dk" },
    { "domain": "www.axel.dk" },
    { "domain": "support.kaufmann.dk" },
    { "domain": "www.kaufmann-store.com" }
  ]
}

omni-lchen commented 7 years ago

I don't see any issue to check the expiry date on the json file, for debug you can comment out the zabbix sender code in sslCertExpiryCheck.sh like the following:

# Debug: print the lines that would be piped to zabbix_sender
get_SSL_Certs_Expirydate
#result=$(get_SSL_Certs_Expirydate | /usr/bin/zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -i - 2>&1)
#response=$(echo "$result" | awk -F ';' '$1 ~ /^info/ && match($1,/[0-9].*$/) {sum+=substr($1,RSTART,RLENGTH)} END {print sum}')
#if [ -n "$response" ]; then
#    echo "$response"
#else
#    echo "$result"
#fi

And run the test:

$ sh sslCertExpiryCheck.sh DomainGroup1 test
test ssl.cert.expirydate[www.kaufmann.dk] 1519288126
test ssl.cert.expirydate[www.quint.dk] 1519288300
test ssl.cert.expirydate[www.qnts.dk] 1519288109
test ssl.cert.expirydate[www.axel.dk] 1519202543
test ssl.cert.expirydate[support.kaufmann.dk] 1513726740
test ssl.cert.expirydate[www.kaufmann-store.com] 1519287833

RVilhelmsen commented 7 years ago

Did that - no output at all.

sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 test

omni-lchen commented 7 years ago

I think you need to reinstall openssl and try:

openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ Not After : //p'

RVilhelmsen commented 7 years ago

Hmm, removed and reinstalled openssl (1.01).

appliance@zabbix:~$ openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ Not After : //p'
Feb 22 08:28:46 2018 GMT

This works.

appliance@zabbix:~$ sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
0

But still 0 returned?

omni-lchen commented 7 years ago

Try to add more debug:

sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix

RVilhelmsen commented 7 years ago

appliance@zabbix:~$ sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix

omni-lchen commented 7 years ago

It looks like your hostname on zabbix frontend doesn't match what you specified in the script.

Create a dummy host with hostname like "SSL-Certificates-DomainGroup1", IP: 127.0.0.1

And test again

sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 SSL-Certificates-DomainGroup1

RVilhelmsen commented 7 years ago

It works :)

I am very sorry. It was totally my mistake. I feel a bit stupid right now. My zabbix host was named Zabbix server - so I changed it to Zabbix.
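
The awk line quoted earlier in this thread reduces the zabbix_sender reply to its processed count, so a bare 0 does not say whether nothing was sent or the server rejected every value, as happened with the host name mismatch here. The following is an added example, not part of zabbix-ssl or of any comment in this thread; the function name and the sample output are constructed.

```sh
#!/bin/sh
# Added example, not part of sslCertExpiryCheck.sh.
# Reads zabbix_sender output on stdin and prints a verdict plus the counters.
classify_sender_output() {
    awk '
        /^info from server:/ {
            # e.g. info from server: "processed: 0; failed: 6; total: 6; ..."
            n = split($0, part, /[";]/)
            for (i = 1; i <= n; i++) {
                if (part[i] ~ /processed:/) {
                    sub(/.*processed: */, "", part[i]); processed += part[i]
                } else if (part[i] ~ /failed:/) {
                    sub(/.*failed: */, "", part[i]); failed += part[i]
                }
            }
            replies++
        }
        # e.g. sent: 6; skipped: 0; total: 6
        /^sent:/ { split($0, s, /[:;] */); sent += s[2] }
        END {
            if (replies == 0 || processed + failed == 0)
                verdict = "no-reply"   # empty input (jq failed) or server unreachable
            else if (processed == 0)
                verdict = "rejected"   # server refused every value: check host name and item keys
            else if (failed > 0)
                verdict = "partial"    # some hosts or item keys unknown to the server
            else
                verdict = "ok"
            printf "%s processed=%d failed=%d sent=%d\n", verdict, processed, failed, sent
        }'
}

# Constructed samples in the format zabbix_sender prints.
sample_rejected='info from server: "processed: 0; failed: 6; total: 6; seconds spent: 0.000050"
sent: 6; skipped: 0; total: 6'
sample_empty='jq: error: Cannot iterate over null
sent: 0; skipped: 0; total: 0'

printf '%s\n' "$sample_rejected" | classify_sender_output
printf '%s\n' "$sample_empty" | classify_sender_output
```

In the script, the same function could be fed from "$result" in place of the summing awk, so the value returned to Zabbix stays numeric while the verdict goes to a log.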

ArjonBu commented 6 years ago

It's giving me 0. Everything works at the steps outlined below...

ArjonBu commented 6 years ago

[user@zabbix externalscripts]$ sudo sh -x ./sslCertExpiryCheck.sh MyGroup Zabbix

omni-lchen commented 6 years ago

ssl cert results look ok, so you need to check zabbix agent config, such as zabbix host and zabbix server, they have to match what you set up on zabbix frontend.

ArjonBu commented 6 years ago

I am running this on the server. Can you be more specific please?

omni-lchen commented 6 years ago

I created a zabbix host on frontend with the name , monitored by zabbix proxy, and set the value of macro on the

A cron job is created on zabbix proxy as below 0 /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh &>/dev/null

Zabbix agent config on zabbix proxy Hostname= Server=

jaipsharma commented 5 years ago

sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix

Running this gives me below error. My json domaingroup = Production and Macro = Zabbix

jaipsharma commented 5 years ago

Got it working... I was using Zabbix Proxy... Hence the files after installing the Pre-requisites: Zabbix Sender, Openssl Client, JQ - https://stedolan.github.io/jq/

Copy the scripts and SSL configuration to zabbix external scripts directory on Zabbix Proxy Server: /usr/lib/zabbix/externalscripts

Add domains and ports to the configuration file: ssl/sslCertDomains.json

Create zabbix host and link with SSL template, add macro to the host: {$DOMAIN_GROUP}, macro value should match the group name in the SSL configuration file.

Create a cron job also on Zabbix Proxy to send data to the zabbix host, see description in "sslCertExpiryCheck.sh"

Run sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix on Zabbix Proxy server