Get alerted before your SSL certificate expires

EnginAltay
3 min read · Nov 28, 2020


Imagine your organization’s SSL certificate has expired and your customers have started to complain that your services are insecure.

Don’t worry: thanks to blackbox exporter combined with Prometheus and Alertmanager, your IT team can get alerted months in advance. This way, they can renew the SSL certificate before your website becomes insecure.

Blackbox exporter is an official Prometheus exporter that is capable of probing endpoints over HTTP/S, TCP, ICMP and DNS. It also exposes the expiration date of your SSL certificate.

I assume you already have Prometheus, Alertmanager and blackbox exporter installed on your system.

To start with, configure blackbox exporter with the http probe module. The default config path of blackbox exporter is under /config, so you can edit your configuration file and put it at /config/blackbox.yaml

Now move to the Prometheus side. Prometheus is a pull-based time series monitoring database, capable of scraping hundreds of endpoints/metrics at the same time. It also has a built-in service discovery feature that can dynamically discover your monitoring endpoints.

Prometheus is a Cloud Native Computing Foundation graduated project.

Configure the prometheus.yaml file with a job that scrapes blackbox exporter and its metrics.

Now Prometheus is able to scrape the metrics that blackbox exporter exposes. These include many useful metrics such as “probe_success”, “probe_http_duration_seconds” etc., but in this post we’ll look at the metric named “probe_ssl_earliest_cert_expiry”.

Next, we need to write a rule file named ssl-expiry.yaml to evaluate the metric. We want to get alerted 30 days before our SSL certs expire.

To accomplish this, write a Prometheus alert rule.

In our ssl-expiry.yaml rule file, pay attention to the severity: “warning” label. We configured Alertmanager to send an email if any rule is triggered and its severity is equal to warning. You can learn more on the Alertmanager documentation page.
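The three files this walkthrough describes could look as follows. This is an added example, not the author's original configuration: the module name http_2xx, the target URL, the exporter address blackbox-exporter:9115, the alert names and the 10-minute `for` delay are assumptions. The second rule covers a failing probe, because the expiry metric may not be exported when the probe fails (for example when the certificate has already expired and TLS verification fails), which would leave the first rule silent.

```yaml
# File: /config/blackbox.yaml (blackbox exporter)
modules:
  http_2xx:                 # assumed module name
    prober: http
    timeout: 5s
    http:
      method: GET
      fail_if_not_ssl: true # a plain-HTTP answer counts as a failed probe
---
# File: prometheus.yaml
rule_files:
  - ssl-expiry.yaml
scrape_configs:
  - job_name: blackbox
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://example.com          # placeholder target
    relabel_configs:
      - source_labels: [__address__]     # pass the URL as ?target=
        target_label: __param_target
      - source_labels: [__param_target]  # keep the URL as the instance label
        target_label: instance
      - target_label: __address__        # scrape the exporter, not the site
        replacement: blackbox-exporter:9115   # assumed exporter address
---
# File: ssl-expiry.yaml
groups:
  - name: ssl-expiry
    rules:
      - alert: SSLCertExpiringSoon       # assumed alert name
        # seconds until expiry, compared with 30 days in seconds
        expr: probe_ssl_earliest_cert_expiry{job="blackbox"} - time() < 86400 * 30
        for: 10m
        labels:
          severity: warning              # the label Alertmanager routes on
        annotations:
          summary: "Certificate for {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"
      - alert: SSLProbeFailing           # assumed alert name
        expr: probe_success{job="blackbox"} == 0
        for: 10m
        labels:
          severity: warning
        annotations:
          summary: "Probe of {{ $labels.instance }} is failing, so certificate expiry is not being checked"
```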

After that, to apply the new rule file to Prometheus, you don’t have to restart Prometheus at all. Just reload the Prometheus daemon by running the “kill -HUP 1” command (this assumes Prometheus runs as PID 1, as it typically does inside a container).

Congratulations! Now you are monitoring your website’s SSL expiration date!

In the following image, we are able to see the cert expiration date in epoch timestamp format.

Oh! Received an email. SSL cert is expiring in 64 days!

BONUS

In the last part, I want to beautify the metrics that we have by visualizing them in Grafana :)

Grafana is an open-source visualization tool that supports countless data sources, dashboards, panels and more.

I prepared a fancy dashboard where we can watch website metrics, including SSL information :)

That’s it! It’s wonderful to watch your web endpoints’ metrics, including SSL expiry information :)

Thank you for reading.

I wish you all healthy days.
