Open RVilhelmsen opened 7 years ago
Try to use "bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1"
Same problem.
bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomianGroup1 parse error: Expected separator between values at line 6, column 2
Okay, I was missing some commas after the domain names in the sslcertsdomain.json file. Fixed this. Now I get:
jq: error: Cannot iterate over null
sent: 0; skipped: 0; total: 0
Ideas?
Run the job again and this time it did not fail?
bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 Zabbix
0
So what does 0 mean? I would have expected to see some items be created in Zabbix?
0 means the client can't get SSL certificate info from the website, please check you can connect to the https website, you can run this command to check:
timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts </dev/null 2>/dev/null
sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts
jq: error: Cannot iterate over null
sent: 0; skipped: 0; total: 0
This is every time now?
timeout 3 openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts
Certificate chain 0 s:/OU=Domain Control Validated/CN=*.kaufmann.dk i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
So it gets the certificate.
I think your sslCertDomains.json file might not be well formatted, try this command:
cat sslCertDomains.json | jq .
cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq
jq - commandline JSON processor [version 1.3]
Usage: jq [options]
Looks like jq needs a parameter for this.
Anyway - the problem might be related to openssl not being able to verify the certificate, as it cannot find the root CA - which is in /etc/ssl/certs/ca-certificates.crt. If I put "-CApath /etc/ssl/certs" on the command "timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain"", the certificate validates with success.
But somehow even if I do export "SSL_CERT_PATH=/etc/ssl/certs/" "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt", openssl does not find the CA certificates.
Is it possible to include the -CApath in the script?
You're missing a dot at the end.
cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq .
Ohh
cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq .
{
  "DomainGroup2": [
    { "domain": "www.www.axel.dk" },
    { "domain": "support.kaufmann.dk" },
    { "domain": "www.kaufmann-store.com" }
  ],
  "DomainGroup1": [
    { "domain": "www.kaufmann.dk" },
    { "domain": "www.quint.dk" },
    { "domain": "www.qnts.dk" },
    { "domain": "www.axel.dk" },
    { "domain": "support.kaufmann.dk" },
    { "domain": "www.kaufmann-store.com" }
  ]
}
I don't see any issue to check the expiry date on the json file. For debugging you can comment out the zabbix sender code in sslCertExpiryCheck.sh like the following:
get_SSL_Certs_Expirydate
And run the test:
$ sh sslCertExpiryCheck.sh DomainGroup1 test
test ssl.cert.expirydate[www.kaufmann.dk] 1519288126
test ssl.cert.expirydate[www.quint.dk] 1519288300
test ssl.cert.expirydate[www.qnts.dk] 1519288109
test ssl.cert.expirydate[www.axel.dk] 1519202543
test ssl.cert.expirydate[support.kaufmann.dk] 1513726740
test ssl.cert.expirydate[www.kaufmann-store.com] 1519287833
Did that - no output at all.
sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 test
Hmm, removed and reinstalled openssl (1.01).
appliance@zabbix:~$ openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ Not After : //p'
Feb 22 08:28:46 2018 GMT
This works.
appliance@zabbix:~$ sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
0
But still 0 returned?
Try to add more debug:
sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
appliance@zabbix:~$ sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
It looks like your hostname on zabbix frontend doesn't match what you specified in the script.
Create a dummy host with hostname like "SSL-Certificates-DomainGroup1", IP: 127.0.0.1
And test again sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 SSL-Certificates-DomainGroup1
It works :)
I am very sorry. It was totally my mistake. I feel a bit stupid right now. My zabbix host was named Zabbix server - so I changed it to Zabbix.
It's giving me 0. Everything works at the steps outlined below...
[user@zabbix externalscripts]$ sudo sh -x ./sslCertExpiryCheck.sh MyGroup Zabbix
SSL cert results look OK, so you need to check the zabbix agent config, such as zabbix host and zabbix server; they have to match what you set up on the zabbix frontend.
I am running this on the server. Can you be more specific please?
I created a zabbix host on frontend with the name
A cron job is created on zabbix proxy as below
0 /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh
Zabbix agent config on zabbix proxy
Hostname=
sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix
Running this gives me the error below. My json domaingroup = Production and Macro = Zabbix
Got it working... I was using Zabbix Proxy... Hence the files after installing the Pre-requisites: Zabbix Sender, Openssl Client, JQ - https://stedolan.github.io/jq/
Copy the scripts and SSL configuration to the zabbix external scripts directory on the Zabbix Proxy Server: /usr/lib/zabbix/externalscripts
Add domains and ports to the configuration file: ssl/sslCertDomains.json
Create zabbix host and link with SSL template, add macro to the host: {$DOMAIN_GROUP}, macro value should match the group name in the SSL configuration file.
Create a cron job also on Zabbix Proxy to send data to the zabbix host, see description in "sslCertExpiryCheck.sh"
Run sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix on Zabbix Proxy server
Hi
Running sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix gives me the following error: Expected separator between values at line 6, column 2
Thoughts?
Robert
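Two of the configuration failures seen in this thread can be caught before the script runs: a missing comma in sslCertDomains.json, and a group name on the command line that is not a key in the file (jq treats a missing key as null, and iterating null gives "Cannot iterate over null"). The check below is an added example, not part of the thread or of the project's script; `preflight` and the sample domains are hypothetical, and it assumes the file layout printed by `jq .` earlier in the thread.

```python
import json

# Constructed sample in the layout of ssl/sslCertDomains.json from the thread,
# once valid and once with the comma after the first entry removed.
GOOD = """{
  "DomainGroup1": [
    { "domain": "www.example.com" },
    { "domain": "support.example.com" }
  ]
}"""
BROKEN = GOOD.replace("},", "}", 1)


def preflight(text, group):
    """Return (domains, problem); problem is None when the group is usable."""
    try:
        config = json.loads(text)
    except json.JSONDecodeError as err:
        # Same class of failure as jq's "Expected separator between values".
        return [], f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}"
    if not isinstance(config, dict):
        return [], "top level must be an object keyed by group name"
    entries = config.get(group)
    if entries is None:
        # A missing key is null to jq; iterating it gives "Cannot iterate over null".
        return [], f"group {group!r} not found; defined groups: {sorted(config)}"
    if not isinstance(entries, list) or not entries:
        return [], f"group {group!r} must be a non-empty array"
    domains = []
    for i, entry in enumerate(entries):
        name = entry.get("domain") if isinstance(entry, dict) else None
        if not isinstance(name, str) or not name.strip():
            return [], f"group {group!r} entry {i} has no usable 'domain' value"
        domains.append(name.strip())
    return domains, None


if __name__ == "__main__":
    for label, text, group in [("valid file", GOOD, "DomainGroup1"),
                               ("mistyped group", GOOD, "DomianGroup1"),
                               ("missing comma", BROKEN, "DomainGroup1")]:
        print(label, "->", preflight(text, group))
```

A passing preflight does not cover the third failure in the thread: the host name passed to the script still has to match the host name configured on the Zabbix frontend.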