获取证书过期时间脚本:
/etc/zabbix/scripts/check-cert-expire.sh
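#!/bin/bash
#
# check-cert-expire.sh HOST PORT
#
# Prints the whole number of days until the certificate presented by
# HOST:PORT expires (negative once it has expired). Prints nothing when no
# certificate could be fetched or parsed.
#
# HOST and PORT are supplied by the caller (here: the parameters of the
# Zabbix item key sslcert.info[host,port]), so they are validated and always
# quoted before they reach openssl. Unquoted, a value containing whitespace,
# a glob character or a leading '-' would be split into extra arguments or
# read as an option.
#
# NOTE: only the expiry date is read. No verification options are passed to
# s_client, so a certificate with an untrusted chain or a mismatched name
# still produces a value; chain/hostname problems need a separate check.

host=$1
port=$2

# First character may not be '-'; the rest is limited to what a hostname or
# an IP literal can contain.
host_re='^[A-Za-z0-9_:][A-Za-z0-9._:-]*$'
port_re='^[0-9]{1,5}$'

if [[ ! $host =~ $host_re ]]; then
  printf 'check-cert-expire: invalid host argument\n' >&2
  exit 1
fi

# 10# forces base 10 so a value such as 0443 is not parsed as octal.
if [[ ! $port =~ $port_re ]] || (( 10#$port < 1 || 10#$port > 65535 )); then
  printf 'check-cert-expire: invalid port argument\n' >&2
  exit 1
fi

# -servername sends SNI, because one address may serve several certificates.
# </dev/null gives s_client an immediate EOF on stdin so it does not wait for
# interactive input. The first sed keeps only the PEM blocks; openssl x509
# decodes the first one (the server's own certificate) and the second sed
# extracts the text after "Not After :".
end_date=$(
  /usr/bin/openssl s_client -servername "$host" -host "$host" -port "$port" \
    -showcerts </dev/null 2>/dev/null \
    | sed -n '/BEGIN CERTIFICATE/,/END CERT/p' \
    | /usr/bin/openssl x509 -text 2>/dev/null \
    | sed -n 's/ *Not After : *//p'
)

if [[ -n "$end_date" ]]; then
  # Stop instead of printing a bogus number when the date cannot be parsed.
  end_date_seconds=$(date '+%s' --date "$end_date") || exit 1
  now_seconds=$(date '+%s')
  # Integer division, truncating toward zero (same result as the former
  # "(a-b)/24/3600" piped to bc, without depending on bc being installed).
  printf '%s\n' "$(( (end_date_seconds - now_seconds) / 24 / 3600 ))"
fi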
域名自动发现脚本:
/etc/zabbix/scripts/sshcert_discovery.py
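#!/usr/bin/env python
#coding:utf-8
import os
import sys
import json


def ssl_cert_discovery():
    """Build the Zabbix low-level-discovery JSON for the endpoints to check.

    Reads /etc/zabbix/scripts/ssl_cert_list, which holds one
    "<domain> <port>" pair per line, and returns a JSON string shaped as
    {"data": [{"{#DOMAINNAME}": "<domain>", "{#PORT}": "<port>"}, ...]}.

    Blank lines, lines whose first field starts with "#", and lines with
    fewer than two fields are skipped rather than raising IndexError, so a
    single malformed line does not break discovery for every domain.

    NOTE(review): the values returned here end up as the parameters of the
    sslcert.info[...] item key, which the agent hands to the check script on
    its command line. The list file should be writable only by trusted
    administrators.
    """
    web_list = []
    with open("/etc/zabbix/scripts/ssl_cert_list", "r") as f:
        for sslcert in f:
            # split() with no argument already ignores surrounding whitespace
            fields = sslcert.split()
            if len(fields) < 2 or fields[0].startswith("#"):
                continue
            web_list.append({"{#DOMAINNAME}": fields[0], "{#PORT}": fields[1]})
    return json.dumps({"data": web_list}, indent=4)


if __name__ == "__main__":
    # Parenthesised single-argument form runs under both Python 2 and 3.
    print(ssl_cert_discovery())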
域名列表:
/etc/zabbix/scripts/ssl_cert_list: www.baidu.com 443 www.qq.com 443 |
zabbix配置:
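# /etc/zabbix/zabbix_agentd.conf.d/userparameter_sslcert.conf

# Low-level discovery: returns the domain/port list as JSON.
UserParameter=sslcert_discovery,/usr/bin/python /etc/zabbix/scripts/sshcert_discovery.py

# Days until the certificate at <domain>:<port> expires.
# $1 and $2 are replaced textually with the item-key parameters before the
# command is run by the shell, so they are quoted here to keep each one a
# single argument. Leave UnsafeUserParameters at its default (0) so that
# shell metacharacters in the parameters are rejected by the agent.
UserParameter=sslcert.info[*],/bin/bash /etc/zabbix/scripts/check-cert-expire.sh "$1" "$2"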
在zabbix中添加模板:
<?xml version="1.0" encoding="UTF-8"?> <zabbix_export> <version>3.4</version> <date>2020-09-28T02:14:15Z</date> <groups> <group> <name>https证书监控</name> </group> </groups> <templates> <template> <template>Template_ssl_cert_Information</template> <name>Template_ssl_cert_Information</name> <description/> <groups> <group> <name>https证书监控</name> </group> </groups> <applications/> <items/> <discovery_rules> <discovery_rule> <name>ssl_cert_information</name> <type>0</type> <snmp_community/> <snmp_oid/> <key>sslcert_discovery</key> <delay>10800</delay> <status>0</status> <allowed_hosts/> <snmpv3_contextname/> <snmpv3_securityname/> <snmpv3_securitylevel>0</snmpv3_securitylevel> <snmpv3_authprotocol>0</snmpv3_authprotocol> <snmpv3_authpassphrase/> <snmpv3_privprotocol>0</snmpv3_privprotocol> <snmpv3_privpassphrase/> <params/> <ipmi_sensor/> <authtype>0</authtype> <username/> <password/> <publickey/> <privatekey/> <port/> <filter> <evaltype>0</evaltype> <formula/> <conditions/> </filter> <lifetime>30d</lifetime> <description/> <item_prototypes> <item_prototype> <name>sslinfo[{#DOMAINNAME}]</name> <type>0</type> <snmp_community/> <snmp_oid/> <key>sslcert.info[{#DOMAINNAME},{#PORT}]</key> <delay>10800</delay> <history>90d</history> <trends>365d</trends> <status>0</status> <value_type>3</value_type> <allowed_hosts/> <units>day</units> <snmpv3_contextname/> <snmpv3_securityname/> <snmpv3_securitylevel>0</snmpv3_securitylevel> <snmpv3_authprotocol>0</snmpv3_authprotocol> <snmpv3_authpassphrase/> <snmpv3_privprotocol>0</snmpv3_privprotocol> <snmpv3_privpassphrase/> <params/> <ipmi_sensor/> <authtype>0</authtype> <username/> <password/> <publickey/> <privatekey/> <port/> <description/> <inventory_link>0</inventory_link> <applications/> <valuemap/> <logtimefmt/> <preprocessing> <step> <type>1</type> <params>1</params> </step> </preprocessing> <jmx_endpoint/> <application_prototypes/> <master_item_prototype/> </item_prototype> </item_prototypes> <trigger_prototypes> 
<trigger_prototype> <expression>{Template_ssl_cert_Information:sslcert.info[{#DOMAINNAME},{#PORT}].last()}<30</expression> <recovery_mode>0</recovery_mode> <recovery_expression/> <name>{#DOMAINNAME} https证书30天后到期请及时更换</name> <correlation_mode>0</correlation_mode> <correlation_tag/> <url/> <status>0</status> <priority>4</priority> <description/> <type>0</type> <manual_close>0</manual_close> <dependencies/> <tags/> </trigger_prototype> </trigger_prototypes> <graph_prototypes> <graph_prototype> <name>sslinfo[{#DOMAINNAME}]</name> <width>900</width> <height>200</height> <yaxismin>0.0000</yaxismin> <yaxismax>100.0000</yaxismax> <show_work_period>1</show_work_period> <show_triggers>1</show_triggers> <type>0</type> <show_legend>1</show_legend> <show_3d>0</show_3d> <percent_left>0.0000</percent_left> <percent_right>0.0000</percent_right> <ymin_type_1>0</ymin_type_1> <ymax_type_1>0</ymax_type_1> <ymin_item_1>0</ymin_item_1> <ymax_item_1>0</ymax_item_1> <graph_items> <graph_item> <sortorder>0</sortorder> <drawtype>0</drawtype> <color>1A7C11</color> <yaxisside>0</yaxisside> <calc_fnc>2</calc_fnc> <type>0</type> <item> <host>Template_ssl_cert_Information</host> <key>sslcert.info[{#DOMAINNAME},{#PORT}]</key> </item> </graph_item> </graph_items> </graph_prototype> </graph_prototypes> <host_prototypes/> <jmx_endpoint/> </discovery_rule> </discovery_rules> <httptests/> <macros/> <templates/> <screens/> </template> </templates> </zabbix_export> |