omni-lchen
commented
7 years ago Try to use "bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1"
Open RVilhelmsen opened 7 years ago
omni-lchen
commented
7 years ago Try to use "bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1"
RVilhelmsen
commented
7 years ago Same problem.
bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomianGroup1 parse error: Expected separator between values at line 6, column 2
RVilhelmsen
commented
7 years ago okay, i was missing some commas after the domain names in the sslcertsdomain.json file. Fixed this. Now i get:
jq: error: Cannot iterate over null sent: 0; skipped: 0; total: 0
Ideas?
RVilhelmsen
commented
7 years ago Run the job again and this time it did not fail? bash /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 Zabbix 0
So what does 0 mean? I would have expected to see some items be created in Zabbix?
omni-lchen
commented
7 years ago 0 means the client can't get SSL certificate info from the website, please check you can connect to the https website, you can run this command to check: timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts </dev/null 2>/dev/null
RVilhelmsen
commented
7 years ago sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts jq: error: Cannot iterate over null sent: 0; skipped: 0; total: 0
This is everytime now?
RVilhelmsen
commented
7 years ago timeout 3 openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts
Certificate chain 0 s:/OU=Domain Control Validated/CN=*.kaufmann.dk i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2 -----BEGIN CERTIFICATE----- MIIHbzCCBlegAwIBAgIMDcvhu1/BVl7U5DUNMA0GCSqGSIb3DQEBCwUAMGAxCzAJ BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTYwNAYDVQQDEy1H bG9iYWxTaWduIERvbWFpbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwHhcN MTcwMjIxMDgyODQ2WhcNMTgwMjIyMDgyODQ2WjA7MSEwHwYDVQQLExhEb21haW4g Q29udHJvbCBWYWxpZGF0ZWQxFjAUBgNVBAMMDSoua2F1Zm1hbm4uZGswggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCehcT1XDjrZhujaZxdGD3t66QkojE/ eIRzkyIK9Bjxoyft/A86hXVvwtYkocUsA4Bx/msWcS+hKwTQyA2VosIitaJBMgUX
So it gets the certificate.
omni-lchen
commented
7 years ago I think your sslCertDomains.json file might not be well formatted, try this command:
cat sslCertDomains.json | jq .
RVilhelmsen
commented
7 years ago cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq
jq - commandline JSON processor [version 1.3]
Usage: jq [options]
Looks as jq needs a parameter for this.
Anyway - the problem might be related to openssl cannot verify the certificate, as it cannot find the root CA - which is in /etc/ssl/certs/ca-certificates.crt If is put "-CApath /etc/ssl/certs" on the command "timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" the certificate validates with success.
But somehow even if i do export "SSL_CERT_PATH=/etc/ssl/certs/" "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt" openssl do not find the CA-certificates.
Is it possible to include the -CApath in the script?
omni-lchen
commented
7 years ago You missing a dot in the end.
cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq .
RVilhelmsen
commented
7 years ago ohh
cat /usr/lib/zabbix/externalscripts/ssl/sslCertDomains.json | jq . { "DomainGroup2": [ { "domain": "www.www.axel.dk" }, { "domain": "support.kaufmann.dk" }, { "domain": "www.kaufmann-store.com" } ], "DomainGroup1": [ { "domain": "www.kaufmann.dk" }, { "domain": "www.quint.dk" }, { "domain": "www.qnts.dk" }, { "domain": "www.axel.dk" }, { "domain": "support.kaufmann.dk" }, { "domain": "www.kaufmann-store.com" } ] }
omni-lchen
commented
7 years ago I don't see any issue to check the expiry date on the json file, for debug you can comment out the zabbix sender code in sslCertExpiryCheck.sh like following:
get_SSL_Certs_Expirydate
And run the test: $ sh sslCertExpiryCheck.sh DomainGroup1 test test ssl.cert.expirydate[www.kaufmann.dk] 1519288126 test ssl.cert.expirydate[www.quint.dk] 1519288300 test ssl.cert.expirydate[www.qnts.dk] 1519288109 test ssl.cert.expirydate[www.axel.dk] 1519202543 test ssl.cert.expirydate[support.kaufmann.dk] 1513726740 test ssl.cert.expirydate[www.kaufmann-store.com] 1519287833
RVilhelmsen
commented
7 years ago Dit that - no output at all. sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 test
omni-lchen
commented
7 years ago RVilhelmsen
commented
7 years ago hmm removed and reinstall openssl (1.01).
appliance@zabbix:~$ openssl s_client -host "www.kaufmann.dk" -port 443 -servername "www.kaufmann.dk" -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ Not After : //p' Feb 22 08:28:46 2018 GMT
This works.
appliance@zabbix:~$ sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix 0
But still 0 returned?
omni-lchen
commented
7 years ago Try to add more debug:
sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
RVilhelmsen
commented
7 years ago appliance@zabbix:~$ sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix
omni-lchen
commented
7 years ago It looks like your hostname on zabbix frontend doesn't match what you specified in the script.
Create a dummy host with hostname like "SSL-Certificates-DomainGroup1", IP: 127.0.0.1
And test again sh -x /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 SSL-Certificates-DomainGroup1
RVilhelmsen
commented
7 years ago It works :)
I am very sorry. It was totally my mistake. I feel a bit stupid right now. My zabbix host was named Zabbix server - so i changed it to Zabbix.
ArjonBu
commented
6 years ago It's giving me 0. Everything works at the steps outlined below...
ArjonBu
commented
6 years ago [user@zabbix externalscripts]$ sudo sh -x ./sslCertExpiryCheck.sh MyGroup Zabbix
omni-lchen
commented
6 years ago ssl cert results look ok, so you need to check zabbix agent config, such as zabbix host and zabbix server, they have to match what you set up on zabbix frontend.
ArjonBu
commented
6 years ago I am running this on the server. Can you be more specific please?
omni-lchen
commented
6 years ago I created a zabbix host on frontend with the name
A cron job is created on zabbix proxy as below
0 /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh
Zabbix agent config on zabbix proxy
Hostname=
jaipsharma
commented
5 years ago sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix
Running this gives me below error. My json domaingroup = Production and Macro = Zabbix
jaipsharma
commented
5 years ago Got it working... I was using Zabbix Proxy... Hence the files after installing the Pre-requisites: Zabbix Sender, Openssl Client, JQ - https://stedolan.github.io/jq/
Copy the scripts and SSL configuration to zabbix external scripts directory on Zaabix Proxy Server: /usr/lib/zabbix/externalscripts
Add domains and ports to the configuration file: ssl/sslCertDomains.json
Create zabbix host and link with SSL template, add macro to the host: {$DOMAIN_GROUP}, macro value should match the group name in the SSL configuration file.
Create a cron job also on Zabbix Proxy to send data to the zabbix host, see description in "sslCertExpiryCheck.sh"
Run sh -x /etc/zabbix/externalscripts/sslCertExpiryCheck.sh Production Zabbix on Zabbix Proxy server
Hi
Running sh /usr/lib/zabbix/externalscripts/sslCertExpiryCheck.sh DomainGroup1 zabbix gives me the following error: Expected separator between values at line 6, column 2
Thoughts?
Robert