[ZBXNEXT-7465] Support STARTTLS for agent2-based certificate monitoring Created: 2022 Feb 02  Updated: 2025 Mar 13

Status: Need info
Project: ZABBIX FEATURE REQUESTS
Component/s: Agent2 plugin (G)
Affects Version/s: 5.4.10, 6.0.0beta3, 6.0.0rc1
Fix Version/s: None

Type: Change Request Priority: Trivial
Reporter: Christian Anton Assignee: Eriks Sneiders
Resolution: Unresolved Votes: 9
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

any


Team: Team INT

Description

The new web.certificate.get item key supports a lot of options to gather information from certificates, such as SNI etc.

BUT: it does not support monitoring certificates through a connection that requires STARTTLS to initiate the encrypted connection, such as some email servers which listen only on port 25 (or an unencrypted submission port) and require the client to initiate the certificate handshake with the STARTTLS command.

Nagios' monitoring_plugins plugin "check_ssl_certificate" offers such an option:

-a <add> add the text to the openssl line, used for checking the smtp ssl certificate with starttls ("-a '-starttls smtp'")

This way, you can monitor the certificate from a STARTTLS enabled SMTP-server like this, for example:

/opt/plugins/custom/check_ssl_certificate -H 1.2.3.4 -p 25 -a "-starttls smtp" -v -w 90 -c 30

Result code: WARNING
check_ssl_certificates: WARNING - only 76 day(s) left for *.my-company.com[1.2.3.4].

Would be very useful to have this functionality also in Zabbix.



Comments
Comment by Christian Anton [ 2022 Feb 03 ]

The argument of the nagios plugin mentioned above is by the way just a wrapper of the corresponding openssl s_client command argument, as shown here:

 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "lmtp", "pop3", "imap", "ftp" and "xmpp"
                 are supported.


So, really a "low hanging fruit".


Comment by user185953 [ 2023 Jun 19 ]

Yes, I am also surprised that native certificate monitoring is so limited, especially if it is "low hanging fruit" like you say.

It would be awesome if I could monitor my SMTP, PostgreSQL, XMPP and NNTP server certificates out of the box.


PS: Anton, what is your openssl version? Even "OpenSSL 1.0.2k" offers more starttls options than that:

 -starttls prot - use the STARTTLS command before starting TLS
                 for those protocols that support it, where
                 'prot' defines which one to assume.  Currently,
                 only "smtp", "pop3", "imap", "ftp", "xmpp",
                 "xmpp-server", "irc", "postgres", "lmtp", "nntp",
                 "sieve" and "ldap" are supported.

Comment by user185953 [ 2023 Oct 13 ]

Any suggestions on how the new item should look?


I think tls.certificate.get is a good name, but most compatible is keeping web.certificate.get and putting the protocol before the url like "protocol://server.address":

If "protocol" is STARTTLS protocol supported in openssl, "protocol://server.address" gives TLS check with that STARTTLS protocol.

If "protocol" is supported starttls protocol with "s" appended - like "smtps" or "ldaps" - then "protocols://server.address" gives direct TLS check.

For backwards compatibility also "server.address", "tls://server.address", "ssl://server.address" and "https://server.address" gives direct TLS check like before.

For more backwards compatibility, maybe also make "http://server.address" give a direct TLS check, even though it is wrong because there is no STARTTLS support in http?
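The scheme rules proposed in the comment above, worked through as an added example (not Zabbix code, and not a committed design): the scheme prefix of the item key parameter decides whether the agent should speak a STARTTLS protocol before the TLS handshake or open TLS directly. The protocol list is the one quoted from openssl earlier in this thread; the CertTarget type, the rejection of unknown schemes including http://, and the sample hostnames are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)
// Protocols that openssl s_client -starttls accepts, per the comment above.
var starttlsProtocols = map[string]bool{
	"smtp": true, "pop3": true, "imap": true, "ftp": true, "xmpp": true,
	"xmpp-server": true, "irc": true, "postgres": true, "lmtp": true,
	"nntp": true, "sieve": true, "ldap": true,
}

// CertTarget is the parsed form of the proposed item key parameter.
type CertTarget struct {
	Address  string // host[:port] with the scheme stripped
	StartTLS string // STARTTLS protocol to run before TLS; "" means direct TLS
}
// ParseCertTarget applies the scheme rules from the proposal:
//   no scheme, tls://, ssl://, https://      -> direct TLS (current behaviour)
//   <proto>:// with proto in the list above  -> STARTTLS with that protocol
//   <proto>s:// (smtps://, ldaps://, ...)     -> direct TLS
// Unknown schemes (http:// included) are rejected rather than silently mapped
// to direct TLS, so a typo cannot turn a STARTTLS check into a plain-TLS one.
func ParseCertTarget(param string) (CertTarget, error) {
	scheme, addr, found := strings.Cut(param, "://")
	if !found {
		return CertTarget{Address: param}, nil
	}
	if addr == "" {
		return CertTarget{}, fmt.Errorf("missing address in %q", param)
	}
	scheme = strings.ToLower(scheme)
	switch {
	case scheme == "tls" || scheme == "ssl" || scheme == "https":
		return CertTarget{Address: addr}, nil
	case starttlsProtocols[scheme]:
		return CertTarget{Address: addr, StartTLS: scheme}, nil
	case starttlsProtocols[strings.TrimSuffix(scheme, "s")]:
		return CertTarget{Address: addr}, nil
	}
	return CertTarget{}, fmt.Errorf("unsupported scheme %q", scheme)
}
func main() {
	for _, p := range []string{"mail.example.com:25", "smtp://mail.example.com:25", "smtps://mail.example.com:465", "gopher://x"} {
		t, err := ParseCertTarget(p)
		fmt.Printf("%-30s -> %+v %v\n", p, t, err)
	}
}
```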


Comment by user185953 [ 2025 Mar 13 ]

Awesome to see activity on this one. What info is needed?
