Determining certificate validity

A simpler approach might be passing the threshold to the OpenSSL utilities and letting them determine whether the certificate will be good after that many seconds. A command to check whether the certificate is good for seven days would be as follows:

$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | openssl x509 -checkend 604800
Certificate will not expire

That looks simple enough. If the certificate expires in the given time, the message would say Certificate will expire. The great thing is that the exit code also differs based on the expiry status, so we could return 1 when the certificate is still good and 0 when it expires.

This approach returns 1 upon success, similar to many built-in items. We could also follow the openssl command with echo $?, which would return 0 upon success.

$ echo | openssl s_client -connect www.google.com:443 2>/dev/null | openssl x509 -checkend 604800 -noout && echo 1 || echo 0

In this version, values such as 7d aren't supported, although they're accepted. Be very careful to use only values in seconds.

In the same directory as before, create a script, zbx_certificate_expires_in.sh, with the following contents:

#!/bin/bash
echo | openssl s_client -connect "$1":443 2>/dev/null | openssl x509 -checkend "$2" -noout && echo 1 || echo 0  

This time, in addition to the domain being replaced with $1, we also replaced the time period to check with a $2 placeholder. Make that file executable:

$ chmod 755 zbx_certificate_expires_in.sh  

And now, for a quick test, type the following:

$ ./zbx_certificate_expires_in.sh www.zabbix.com 604800
1 

It looks good. Now, on to creating the item in the frontend:

  1. Go to Configuration | Hosts, click on Items next to A test host, and click on Create item. Start by clicking on Show value mappings next to the Show value drop-down menu. In the resulting popup, click on Create value map. Enter Certificate expiry status in the Name field, then click on the Add link in the Mappings section. Fill in the following, as shown in the following screenshot:
    • 0: Expires soon
    • 1: Does not expire yet

We're not specifying the time period here as that could be customized per item.

  2. When done, click on the Add button at the bottom and close the popup. Refresh the item configuration form to get our new value map and fill in the following:
    • Name: Certificate expiry status for $1
    • Type: External check
    • Key: zbx_certificate_expires_in.sh[www.google.com,604800]
    • Show value: Certificate expiry status

When done, click on the Add button at the bottom. And again, check this item in the Latest data page.

It seems to work properly. It doesn't expire yet, so we're all good. One benefit over the previous approach could be that it's more obvious which certificates are going to expire soon when looking at a list.

It's important to remember that external checks could take quite a long time. With the default timeout being three or four seconds (we'll discuss the details in Chapter 20, Zabbix Maintenance), anything longer than a second or two is already too risky. Also, keep in mind that a server poller process is always busy while running the script; we can't offload external checks to an agent like we did with the user parameters being active items. It's suggested to use external checks only as a last resort when all other options to gather the information have failed. In general, external checks should be kept lightweight and fast. If a script is too slow, it'll time out and the item will become unsupported.
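
A hardened variant of the script above, as an added example that is not from the book: it rejects periods that aren't plain seconds (such as 7d), bounds the connection time so the check stays under the poller timeout, and stops a failed connection from being reported as 0 (Expires soon). The function names, the CONNECT_TIMEOUT variable with its 2-second default, and the availability of the coreutils timeout command are assumptions.

```shell
#!/bin/sh
# Added example, not the book's script: hardened zbx_certificate_expires_in.sh.
# Prints 1 (still good) or 0 (expires within the period); prints nothing and
# exits non-zero when no certificate could be examined.

# Assumed default, kept well below the poller timeout discussed above.
CONNECT_TIMEOUT=${CONNECT_TIMEOUT:-2}

# Accept only a plain number of seconds; values such as "7d" are rejected.
valid_seconds() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read s_client output (or a PEM certificate) on stdin; $1 = period in seconds.
# Returns 2 if stdin holds no parsable certificate, e.g. the connection failed.
cert_status() {
    pem=$(cat)
    printf '%s\n' "$pem" | openssl x509 -noout 2>/dev/null || return 2
    if printf '%s\n' "$pem" | openssl x509 -checkend "$1" -noout >/dev/null 2>&1
    then echo 1
    else echo 0
    fi
}

# $1 = host, $2 = period in seconds.
check_host() {
    valid_seconds "$2" || { echo "period must be whole seconds" >&2; return 3; }
    # timeout(1) from coreutils is assumed to be installed.
    timeout "$CONNECT_TIMEOUT" openssl s_client -connect "$1":443 \
        -servername "$1" </dev/null 2>/dev/null | cert_status "$2"
}

# Run the check only when called with the two arguments the item key passes.
if [ "$#" -eq 2 ]; then
    check_host "$1" "$2"
fi
```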
