Track TLS/SSL certificate validity and expiration using the new Zabbix agent 2 template.

Previously, Zabbix users had to rely on custom scripts to monitor website certificates as there was no native out-of-the-box solution to check TLS or SSL certificate validity and expiration date.

This problem has been solved with the introduction of the new WebCertificate plugin available as a part of Zabbix agent 2 5.4.4 release (also back-ported to Zabbix 5.0.15):

  • New web.certificate.get item can be used to obtain certificate details
  • Works with Zabbix agent 2, the second-generation agent
  • Connects to either host IP or DNS name with the ability to verify the hostname
  • Supports TLS and SSL certificate monitoring
  • To ensure the least performance overhead, the official Website certificate template uses master and dependent items

Check out the video to learn how to configure the "Website certificate by Zabbix agent 2" template and start monitoring your web certificates.

How to configure the “Website certificate by Zabbix agent 2” template and start monitoring your web certificates:

  1. Make sure Zabbix agent 2 is installed on the host
  2. Create a host In the Configuration → Hosts section
  3. Enter the host’s name
  4. Create a new host group or select an existing one
  5. Add an Agent interface in the host configuration
  6. Specify the IP/DNS name of the Zabbix Agent interface
  7. Switch to the Templates tab
  8. Link the template “Website certificate by Zabbix agent 2”
  9. Switch to the Macros tab
  10. Switch to the Inherited and host macros mode.
  11. Set the {$CERT.WEBSITE.HOSTNAME} macro as the website’s DNS name
  12. Save the host configuration
Tips and best practices:
  • You can test the configuration with Zabbix Get:  zabbix_get -s <zabbix_agent_addr> -k web.certificate.get[<website_DNS_name>]
  • The web.certificate.get item turns unsupported if TLS handshake fails with any error except an invalid certificate
  • If both IP and DNS are provided, the IP will be used for connection and the hostname will be used for SNI and hostname verification
  • You can override the template macros on the individual host level