A comprehensive monitoring solution for Let's Encrypt SSL/TLS certificates managed by certbot, with automatic discovery and multi-level alerting.
- ✅ Automatic Discovery - Finds all certbot-managed certificates
- ✅ Expiry Monitoring - Tracks days until certificate expiration
- ✅ Multi-Level Alerts - INFO (30d), WARNING (14d), HIGH (7d)
- ✅ Certificate Details - Monitors domains, serial numbers, key types
- ✅ Historical Tracking - 90 days history, 365 days trends
- ✅ Low Overhead - Minimal performance impact
- ✅ Easy Setup - Simple installation with validation script
```bash
# Run the automated installer
sudo bash quick_install.sh
```

The installer will:
- Detect your Zabbix agent version (Agent or Agent 2)
- Create `/etc/zabbix/scripts/` directory
- Install all files to the correct locations
- Configure sudo access
- Restart the agent
- Run validation tests
```bash
# Create scripts directory
sudo mkdir -p /etc/zabbix/scripts

# Copy script and config
sudo cp cert_monitor.sh /etc/zabbix/scripts/
sudo chmod +x /etc/zabbix/scripts/cert_monitor.sh

# For Zabbix Agent 2:
sudo cp letsencrypt.conf /etc/zabbix/zabbix_agent2.d/

# For Zabbix Agent (legacy):
sudo cp letsencrypt.conf /etc/zabbix/zabbix_agentd.d/

# Configure sudo access
echo "zabbix ALL=(ALL) NOPASSWD: /usr/bin/certbot, /etc/zabbix/scripts/cert_monitor.sh" | \
    sudo tee /etc/sudoers.d/zabbix-letsencrypt

# Restart agent
sudo systemctl restart zabbix-agent2  # or zabbix-agent
```

```bash
sudo bash validate_setup.sh
```

- Open Zabbix web interface
- Go to Data collection → Templates
- Click Import
- Upload `zbx_letsencrypt_template.yaml`
- Click Import
- Assign template to your hosts with certbot
| File | Size | Purpose |
|---|---|---|
| cert_monitor.sh | 3.8 KB | Main monitoring script for discovery and metrics |
| letsencrypt.conf | 2.9 KB | Zabbix Agent configuration file |
| zbx_letsencrypt_template.yaml | 7.5 KB | Zabbix 7.4 template (YAML format) |
| README.md | 10 KB | This file - overview and quick start |
| quick_install.sh | 5.2 KB | Automated installation script |
| validate_setup.sh | 7.7 KB | Validation script to test installation |
For each discovered certificate:
- Days until expiry - Integer value with trend tracking
- Expiry date - Full timestamp of expiration
- Domains - List of all domains covered
- Serial number - Certificate serial number
- Key type - RSA or ECDSA key type
| Alert | Severity | Threshold | Action |
|---|---|---|---|
| Info | 🔵 Blue | < 30 days | Informational only |
| Warning | 🟡 Yellow | < 14 days | Review renewal status |
| High | 🔴 Red | < 7 days | Immediate action required |
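
The thresholds in the table above, applied to the text that `certbot certificates` prints. This is an added example, not the project's `cert_monitor.sh`; the sample output is constructed, and `sample_output`, `grade_certs` and the `OK` label are names chosen here.

```shell
#!/bin/sh
# Added example (not the project's cert_monitor.sh): grade certificates
# from `certbot certificates` output using the README thresholds.

# Constructed sample output; names, serials and dates are made up.
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.org
    Serial Number: 4a1f00c2
    Key Type: ECDSA
    Domains: example.org www.example.org
    Expiry Date: 2026-01-20 09:00:00+00:00 (VALID: 45 days)
  Certificate Name: shop.example.org
    Key Type: ECDSA
    Domains: shop.example.org
    Expiry Date: 2025-12-26 09:00:00+00:00 (VALID: 20 days)
  Certificate Name: mail.example.org
    Key Type: RSA
    Domains: mail.example.org
    Expiry Date: 2025-12-07 03:00:00+00:00 (VALID: 5 hour(s))
  Certificate Name: old.example.org
    Key Type: RSA
    Domains: old.example.org
    Expiry Date: 2025-11-01 09:00:00+00:00 (INVALID: EXPIRED)
EOF
}

# Print "name days severity" for each certificate read from stdin.
grade_certs() {
    awk '
    /Certificate Name:/ { name = $3 }
    /Expiry Date:/ {
        days = 0                           # valid, but less than one day left
        if ($0 ~ /INVALID/) days = -1      # certbot reports it as not valid
        else if (match($0, /VALID: [0-9]+ day/))
            days = substr($0, RSTART + 7, RLENGTH - 11) + 0
        sev = "OK"
        if (days < 30) sev = "INFO"
        if (days < 14) sev = "WARNING"
        if (days < 7)  sev = "HIGH"
        print name, days, sev
    }'
}

# On a monitored host: sudo certbot certificates 2>/dev/null | grade_certs
```
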
- Zabbix Agent: Version 5.0+ (Agent or Agent 2)
- Certbot: Any version with `certbot certificates` command
- OS: Linux (Ubuntu, Debian, RHEL, AlmaLinux)
- Sudo: Access for zabbix user to run certbot
- Python: 3.x for JSON validation (optional)
```bash
# Test discovery (Agent 2)
sudo -u zabbix zabbix_agent2 -t letsencrypt.discovery

# Test discovery (Agent)
sudo -u zabbix zabbix_agentd -t letsencrypt.discovery

# Test specific certificate (replace CERTNAME)
sudo -u zabbix zabbix_agent2 -t "letsencrypt.cert.expiry_days[CERTNAME]"
# or
sudo -u zabbix zabbix_agentd -t "letsencrypt.cert.expiry_days[CERTNAME]"
```

```bash
# Test from server
zabbix_get -s <HOST_IP> -k letsencrypt.discovery
zabbix_get -s <HOST_IP> -k "letsencrypt.cert.expiry_days[CERTNAME]"
```

```
┌─────────────────────────────────────────────────────────┐
│                      Zabbix Server                      │
│  - Stores metrics and history                           │
│  - Triggers alerts based on thresholds                  │
│  - Provides graphs and dashboards                       │
└─────────────────────┬───────────────────────────────────┘
                      │
                      │ Polls every hour
                      ▼
┌─────────────────────────────────────────────────────────┐
│                     Monitored Host                      │
│  ┌────────────────────────────────────────────────┐     │
│  │             Zabbix Agent / Agent 2             │     │
│  │  - Receives key requests                       │     │
│  │  - Executes UserParameter commands             │     │
│  └──────────────┬─────────────────────────────────┘     │
│                 │                                       │
│                 │ Calls via sudo                        │
│                 ▼                                       │
│  ┌────────────────────────────────────────────────┐     │
│  │  /etc/zabbix/scripts/cert_monitor.sh           │     │
│  │  - Discovery: Returns JSON of all certs        │     │
│  │  - Monitor: Returns all cert metrics           │     │
│  └──────────────┬─────────────────────────────────┘     │
│                 │                                       │
│                 │ Executes                              │
│                 ▼                                       │
│  ┌────────────────────────────────────────────────┐     │
│  │                    Certbot                     │     │
│  │  - Manages Let's Encrypt certificates          │     │
│  │  - Provides certificate information            │     │
│  └────────────────────────────────────────────────┘     │
└─────────────────────────────────────────────────────────┘
```
Edit trigger prototypes in the template:
- Configuration → Templates
- Select template
- Discovery rules → Trigger prototypes
- Modify expressions (e.g., change `<7` to `<3`)

Edit discovery rule interval:
- Configuration → Templates
- Select template
- Discovery rules → Edit
- Change update interval (default: 1h)
Add new UserParameters to `letsencrypt.conf`:

```
# Example: Monitor certificate file modification time
UserParameter=letsencrypt.cert.modified[*],stat -c %Y /etc/letsencrypt/live/$1/cert.pem
```

Discovery returns no data
- Check: `sudo -u zabbix sudo certbot certificates`
- Verify sudo permissions in `/etc/sudoers.d/zabbix-letsencrypt`

Timeout errors
- Increase `Timeout=` in `/etc/zabbix/zabbix_agent2.conf` (or `zabbix_agentd.conf`) to 10
- Restart agent: `sudo systemctl restart zabbix-agent2` (or `zabbix-agent`)

Items show "Not supported"
- Check agent logs: `tail -f /var/log/zabbix/zabbix_agent2.log` (or `zabbix_agentd.log`)
- Test manually: `sudo -u zabbix zabbix_agent2 -t letsencrypt.discovery` (or `zabbix_agentd`)
```bash
# Check agent status
sudo systemctl status zabbix-agent2  # or zabbix-agent

# View agent logs
sudo tail -100 /var/log/zabbix/zabbix_agent2.log  # or zabbix_agentd.log

# Test script directly
sudo -u zabbix /etc/zabbix/scripts/cert_monitor.sh discovery

# Verify JSON output
sudo -u zabbix /etc/zabbix/scripts/cert_monitor.sh discovery | python3 -m json.tool

# Check certbot
sudo certbot certificates
```

- Regular Testing: Run `validate_setup.sh` after system updates
- Monitor Renewals: Check certbot timer status weekly
- Review Alerts: Investigate any certificate <14 days from expiry
- Historical Analysis: Use trend graphs to identify renewal patterns
- Documentation: Keep track of certificate-to-domain mappings
- Discovery: Runs once per hour (configurable)
- Item Updates: Every hour (configurable)
- Certbot Execution Time: 1-2 seconds typically
- CPU Impact: Negligible (<0.1% during checks)
- Memory: <10MB for script execution
- Network: Zero (all local checks)
- ✅ Read-only operations only
- ✅ Sudo limited to specific commands
- ✅ No passwords in configuration
- ✅ No network exposure
- ✅ Standard file permissions
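
A quick audit of the sudo and file-permission points, written for this README as an added example (it is not one of the project's scripts). It assumes the single-line rule from the manual installation steps; `unrestricted_cmds`, `locked_down` and `audit` are names chosen here. In sudoers, a command listed without arguments may be run with any arguments, so the check reports such entries.

```shell
#!/bin/sh
# Added example (not part of the project): audit the sudo rule and the
# permissions of the script it lets the zabbix user run as root.

# Print every NOPASSWD command in a sudoers file that has no argument list.
# sudo treats such an entry as "any arguments allowed".
unrestricted_cmds() {          # $1 = sudoers drop-in to inspect
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        awk 'NF == 1'
}

# Succeed only if the file is owned by the expected uid and is not
# writable by group or others.
locked_down() {                # $1 = file, $2 = owner uid (default 0, root)
    [ -n "$(find "$1" -prune -user "${2:-0}" \
            ! -perm -020 ! -perm -002 2>/dev/null)" ]
}

# Report findings; return 0 only when nothing was found.
audit() {                      # $1 = sudoers drop-in, $2 = script, $3 = owner uid
    rc=0
    loose=$(unrestricted_cmds "$1")
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/any arguments allowed: /'
        rc=1
    fi
    locked_down "$2" "${3:-0}" || { echo "owner or mode too loose: $2"; rc=1; }
    return "$rc"
}

# On a monitored host (paths from the README), run as root:
#   audit /etc/sudoers.d/zabbix-letsencrypt /etc/zabbix/scripts/cert_monitor.sh
```

Run against the rule from the manual installation steps, it reports both `/usr/bin/certbot` and the script. A rule that names the subcommand, for example `/usr/bin/certbot certificates`, clears the first finding, provided the script needs nothing else from certbot (an assumption to verify against `cert_monitor.sh`).
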
| Component | Versions |
|---|---|
| Zabbix Agent | 5.0, 6.0, 6.4, 7.0, 7.4+ |
| Zabbix Server | 5.0, 6.0, 6.4, 7.0, 7.4+ |
| Certbot | All versions |
| Ubuntu | 20.04, 22.04, 24.04 |
| Debian | 10, 11, 12 |
| RHEL/AlmaLinux | 8, 9 |
Improvements welcome! Areas for enhancement:
- Support for other ACME clients (acme.sh, etc.)
- Integration with external certificate monitoring
- Additional certificate properties
- Multi-language support
This template and associated scripts are provided as-is for use with Zabbix monitoring.
For issues:
- Run `validate_setup.sh` to diagnose problems
- Check `SETUP_GUIDE.md` for detailed troubleshooting
- Review Zabbix agent logs
- Verify certbot functionality independently
- Version: 1.0
- Date: 2025-11-13
- Author: Field Museum IT Infrastructure
- Zabbix Version: 6.0+
Built for enterprise SSL/TLS certificate lifecycle management with integration into existing Zabbix infrastructure.