From 85704219176b79b5e9687fc328d73acb2258f78c Mon Sep 17 00:00:00 2001 From: Long Chen Date: Wed, 3 May 2017 15:28:43 +0100 Subject: [PATCH] Initial commit. --- README.md | 16 +- Templates/SSL_Certificates.xml | 189 ++++++++++++++++++ .../ssl/sslCertDomains.json | 12 ++ zabbix-externalscripts/sslCertExpiryCheck.sh | 38 ++++ zabbix-externalscripts/sslDomainsDiscovery.sh | 16 ++ 5 files changed, 270 insertions(+), 1 deletion(-) create mode 100644 Templates/SSL_Certificates.xml create mode 100644 zabbix-externalscripts/ssl/sslCertDomains.json create mode 100644 zabbix-externalscripts/sslCertExpiryCheck.sh create mode 100644 zabbix-externalscripts/sslDomainsDiscovery.sh diff --git a/README.md b/README.md index 66d151c..4edc5f3 100644 --- a/README.md +++ b/README.md @@ -1 +1,15 @@ -# zabbix-ssl \ No newline at end of file +# Zabbix-SSL + +SSL certificates expiry date monitoring separated by groups. + +**Installation** + +Pre-requisite: Zabbix Sender, Openssl Client, JQ - https://stedolan.github.io/jq/ + +1. Copy the scripts and SSL configuration to zabbix external scripts directory: /usr/lib/zabbix/externalscripts + +2. Add domains to the configuration file: ssl/sslCertDomains.json + +3. Create zabbix host and link with SSL template, add macro to the host: {$DOMAIN_GROUP}, macro value should match the group name in the SSL configuration file. + +4. Create a cron job to send data to the zabbix host, see description in "sslCertExpiryCheck.sh" diff --git a/Templates/SSL_Certificates.xml b/Templates/SSL_Certificates.xml new file mode 100644 index 0000000..b898811 --- /dev/null +++ b/Templates/SSL_Certificates.xml @@ -0,0 +1,189 @@ + + + 3.2 + 2017-05-03T14:19:38Z + + + Templates + + + + + + diff --git a/zabbix-externalscripts/ssl/sslCertDomains.json b/zabbix-externalscripts/ssl/sslCertDomains.json new file mode 100644 index 0000000..9266585 --- /dev/null +++ b/zabbix-externalscripts/ssl/sslCertDomains.json 
@@ -0,0 +1,12 @@
+{
+ "DomainGroup1": [
+ {"domain": "www.a.com"},
+ {"domain": "www.b.com"},
+ {"domain": "www.c.com"}
+ ],
+ "DomainGroup2": [
+ {"domain": "www.d.com"},
+ {"domain": "www.e.com"},
+ {"domain": "www.f.com"}
+ ]
+}
\ No newline at end of file
diff --git a/zabbix-externalscripts/sslCertExpiryCheck.sh b/zabbix-externalscripts/sslCertExpiryCheck.sh
new file mode 100644
index 0000000..2ff4a2c
--- /dev/null
+++ b/zabbix-externalscripts/sslCertExpiryCheck.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+#Author: Long Chen
+#Date: 25/01/2017
+#Description: A script to send SSL certificates expiry date to zabbix with zabbix sender
+#Requires: zabbix sender, openssl client, jq - https://stedolan.github.io/jq/
+#Set up cron job to run hourly, example setup below:
+#SHELL=/bin/bash
+#PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/lib/zabbix/externalscripts
+# SSL certificates monitoring, run hourly
+#0 * * * * sslCertExpiryCheck.sh DomainGroup1 ZabbixHost1 &>/dev/null
+#5 * * * * sslCertExpiryCheck.sh DomainGroup2 ZabbixHost2 &>/dev/null
+
+# Query domains in a group
+DOMAIN_GROUP=$1
+ZABBIX_HOST=$2
+SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
+ALL_DOMAINS=$SCRIPT_DIR"/ssl/sslCertDomains.json"
+QUERY_DOMAINS=$(eval "cat $ALL_DOMAINS | jq -r '."$DOMAIN_GROUP"[] .domain' | xargs 2>/dev/null")
+
+get_SSL_Certs_Expirydate() {
+ for domain in $QUERY_DOMAINS; do
+ expiry_date=$(timeout 3 openssl s_client -host "$domain" -port 443 -servername "$domain" -showcerts /dev/null | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' | openssl x509 -text 2>/dev/null | sed -n 's/ *Not After : *//p')
+ if [ -n "$expiry_date" ]; then
+ expiry_date_unix=$(date '+%s' --date "$expiry_date")
+ else
+ expiry_date_unix=0
+ fi
+ echo $ZABBIX_HOST" ssl.cert.expirydate["$domain"] "$expiry_date_unix
+done
+}
+
+result=$(get_SSL_Certs_Expirydate | /usr/bin/zabbix_sender -c /etc/zabbix/zabbix_agentd.conf -i - 2>&1)
+response=$(echo "$result" | awk -F ';' '$1 ~ /^info/ && match($1,/[0-9].*$/) {sum+=substr($1,RSTART,RLENGTH)} END {print sum}')
+if [ -n "$response" ]; then
+ echo "$response"
+else
+ echo "$result"
\ No newline at end of file
diff --git a/zabbix-externalscripts/sslDomainsDiscovery.sh b/zabbix-externalscripts/sslDomainsDiscovery.sh
new file mode 100644
index 0000000..3524ed6
--- /dev/null
+++ b/zabbix-externalscripts/sslDomainsDiscovery.sh
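Review bot: The `QUERY_DOMAINS=$(eval "cat $ALL_DOMAINS | jq ...")` line in sslCertExpiryCheck.sh splices `$1` into a string that `eval` re-parses, so a group name containing quotes or shell metacharacters is executed as shell code instead of being looked up as a JSON key. The same line appears in sslDomainsDiscovery.sh, where the argument presumably comes from the `{$DOMAIN_GROUP}` host macro the README describes, so anyone able to edit that macro would control it. Passing the name to jq as data removes the re-parse and the unquoted `$ALL_DOMAINS`: `QUERY_DOMAINS=$(jq -r --arg g "$DOMAIN_GROUP" '.[$g][]? | .domain' "$ALL_DOMAINS")`. Separately, the 38 added lines end at `echo "$result"` with no closing `fi`, so bash stops with an unexpected-end-of-file syntax error and neither `echo` runs; the cron examples redirect output to /dev/null, which would hide this.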
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+#Author: Long Chen
+#Date: 25/01/2017
+#Description: A script to get a list of domains in json format
+#Requires: jq - https://stedolan.github.io/jq/
+
+DOMAIN_GROUP=$1
+SCRIPT_DIR="$( cd "$( dirname "$0" )" && pwd )"
+ALL_DOMAINS=$SCRIPT_DIR"/ssl/sslCertDomains.json"
+QUERY_DOMAINS=$(eval "cat $ALL_DOMAINS | jq -r '."$DOMAIN_GROUP"[] .domain' | xargs 2>/dev/null")
+
+for domain in $QUERY_DOMAINS; do
+ domainlist="$domainlist,"'{"{#DOMAIN}":"'${domain# }'"}'
+done
+echo '{"data":['${domainlist#,}']}'
\ No newline at end of file
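Review bot: The discovery JSON in sslDomainsDiscovery.sh is assembled by string concatenation in the `for` loop, so a domain value containing `"` or `\` produces malformed or altered LLD output, and the unquoted `$QUERY_DOMAINS` is also subject to glob expansion. `domainlist` is never initialised, so a value inherited from the environment would end up at the front of the output. jq can emit the document straight from the config file with proper escaping: `jq -c --arg g "$DOMAIN_GROUP" '{data: [.[$g][]? | {"{#DOMAIN}": .domain}]}' "$ALL_DOMAINS"`. That single call would stand in for everything from the `QUERY_DOMAINS=` line through the final `echo`, and an unknown group still prints `{"data":[]}`.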