Website Certificate By Zabbix Agent 2 Download
Joseph Middlebrook
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts.Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returnsJSON with certificate attributes.
For Zabbix version: 6.2 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts.Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returnsJSON with certificate attributes.
For Zabbix version: 5.4 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts.Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returnsJSON with certificate attributes.
For Zabbix version: 5.0 and higher
The template to monitor TLS/SSL certificate on the website by Zabbix agent 2 that works without any external scripts.Zabbix agent 2 with the WebCertificate plugin requests certificate using the web.certificate.get key and returnsJSON with certificate attributes.
web.certificate.get was already a real enrichment, but still the handling of hosts which can't install/use a Zabbix agent is very difficult. The official recommendation at the moment is simply to use any remote Zabbix agent and monitor the remote host's certificate through it. However, this is very unattractive and impractical for several reasons.
For example, if you let any remote agent do it, items and triggers are logically only within the remote host. If you have customers who can only see their own hosts because of their permissions, they will not have access to the alerts. Of course, you can create empty dummy hosts with only certificate items to get around this a bit better, but I find this not clean. I also find this solution a bit unfortunate, because then not all items of a host are assigned to the same host object.
Hi. I'm new to zabbix (set up a new machine and zabbix 6.0 from scratch) and created a new host with "Website certificate by Zabbix agent 2" template and entered 127.0.0.1 as "Agent" interface (local zabbix agent).
For outgoing connections (such as server-to-agent or proxy-to-server), one method may be used (no encryption, PSK or certificate-based). For incoming connections, multiple methods may be allowed. This way, an agent could work with encryption by default and then turn off encryption with zabbix_get for debugging.
In this article, we will try out encryption with the Zabbix server and zabbix_sender first, then move on to encrypting agent traffic using both PSK and certificate-based encryption. If you have installed from the packages, your server most likely already supports encryption. Verify this by looking at the server and agent startup messages:
Now, we move on to making the passive items on our test host using the certificates we just generated. We must provide the certificates to the Zabbix agent. In the directory where the Zabbix agent configuration file is located, create a new directory called zabbix_agent_certs. Restrict access to it like this:
Going back to our scenario where we slowly rolled out certificate-based configuration to our agents and added it to the server later, we can now disable unencrypted connections on the agent side. Change this line in zabbix_agentd.conf:
We used PSK and certificate-based encryption with zabbix_sender and passive agent, but the same principles apply for active agents and zabbix_get. As an exercise, try to get the active agent items working with encryption too.
Encryption is not currently supported for authentication purposes. That is, we can not omit active agent hostnames and figure out which host it is based on the certificate alone. Similarly, we can not allow only encrypted connections for active agent auto-registration.
I am writing this post and for others as I am installing Zabbix-server, zabbix-agent with postgresql with letsencrypt if anyone can help out wherever I am wrong or needs improvement please let me know. This post will help others as well who are struggling.
Zabbixserver+ zabbixweb+ postgresql+letsencrypt
When using this module, you can monitor your whole environment with zabbix. It can install the various zabbix components like the server and agent, but you will also be able to install specific "userparameter" file which zabbix can use for monitoring.
With the 0.4.0 release, you can - when you have configured exported resources - configure agents and proxies in the webinterface. So when you add an zabbix::agent to an host, it first install the agent onto the host. It will send some data to the puppetdb and when puppet runs on the zabbix-server it will create this new host via the zabbix-api.
For the record, I heavily borrowed this idea from -blog-en/15-ssl-certificate-expiration-monitoring-with-zabbix.html, keeping the vast majority of his technical operation, and primarily changed how Zabbix is executing the check.
Hello all,
I understand that for Zabbix's SSL Verify Peer authentication, it will check to verify the SSL cert of a website, but how do I upload the website's certificate to Zabbix's default system certificate authority location? The point of this is to verify the certificate and create a trigger that will generate an alert if the SSL is misconfigured and results in a "Warning: your connection is not secure" page pops up. Please advise.
What do you think of a website that displays SSL/TLS certificate errors when you visit it? Most people abandon it in disappointment. A certain amount of trust and respect for the service is lost. After investing a lot of effort and time in getting users to visit your site, and the user finds the site down or shows a warning, it will result in having dissatisfied users.
As we worked on improving the SSL certificate monitoring functionality in Sematext Synthetics, our synthetic monitoring solution, we learned a lot about how browsers and other clients handle SSL certificates and the errors caused by invalid certificates. So in this post, I will share a list of the most common SSL certificate errors that can cause the browser to block your website and tips on how to prevent or fix them. I will also show how to use Sematext Synthetics to monitor the SSL certificates of your website.
Whenever you visit a website whose URL starts with HTTPS, it means the server has SSL enabled. Before the web browser fetches the data from the server, it fetches the SSL certificates to verify the identity of the server.
An SSL certificate error occurs when the browser cannot verify the SSL certificates returned by the server. When the error happens, the browser blocks the website and displays warning messages telling the user that the website cannot be trusted and that their data is not secure.
When the browser connects to your secure website, the webserver returns a list of SSL certificates to prove its identity. The browser performs various checks on these SSL certificates. Only when all the checks pass the browser will proceed to show the website to the user.
This error indicates that the hostname of the website is missing from the certificate. To prevent man-in-the-middle attacks, the browser checks if it is talking to the correct server. The browser checks the hostname of the website against the list of hostnames present in the leaf certificate. If there is no match, then the client will assume it is talking to the wrong server, will reject the certificate, and block the connection. The hostname details are present in commonName and subjectAltName (SAN) fields of the leaf certificate.
The certificate authority will revoke certificates that are compromised before their expiry. The Certificate Authority maintains a list of revoked certificates in the Certificate Revocation List (CRL). While loading the website, the browser checks if any of the certificates in the chain is present in CRL. If any of the certificates in your chain is present in CRL, the browser will reject your certificates. Each browser has a different mechanism to verify the revocation status of the certificates.
The strength of the hashing function used to sign the certificate plays an important role in the strength of the certificate security. Some of the older certificates rely on the SHA-1 hashing function, which is now considered insecure. Modern browsers block websites with leaf and intermediate certificates that have the SHA-1 hashing signature.
We learned about all these SSL certificate errors while adding SSL certificate monitoring functionality to Sematext Synthetics, our synthetic monitoring solution that measures the functionality, availability, and performance of your APIs and websites. If you want to see how it compares to other similar services available on the market, check out our SSL monitoring tools comparison.
Would be interesting.
Background for thinking about zabbix is following:
There is for instance no way to query IA values on distributed pdp environments (pdp broker using publisher and subscriber). You only see connections on the cli using "pdp b s"
So how to monitor this automatically if not using an agent?