Reliable Insights

A blog on monitoring, scale and operational sanity

Get alerted before your SSL certificates expire

The most common way to learn about the expiry date of your website’s SSL certificate is after it has expired. The blackbox exporter combined with Prometheus can let you know well in advance, letting you renew your certificate before users complain.

To start with, download, compile and run the blackbox exporter:

git clone git@github.com:prometheus/blackbox_exporter.git
cd blackbox_exporter
make
./blackbox_exporter

If you visit http://localhost:9115/probe?target=https://example.com&module=http_2xx the blackbox exporter will probe https://example.com and report several metrics. One of them is probe_ssl_earliest_cert_expiry, the Unix timestamp at which the earliest-expiring certificate in the chain stops being valid. It is reported automatically for any SSL endpoint.

The next step is to hook this into Prometheus and create an alert. We’ll usually want to probe multiple endpoints coming from service discovery with the same blackbox exporter, so we use relabelling to convert the target addresses to URL parameters:

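# Note: the YAML "groups:" rule file written below is the Prometheus 2.0+ format.
# Use a 2.x release in place of the 1.4.1 tarball named here; 1.x expects the
# older "ALERT ... IF ... FOR" rule syntax.
wget https://github.com/prometheus/prometheus/releases/download/v1.4.1/prometheus-1.4.1.linux-amd64.tar.gz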
tar -xzf prometheus-*.tar.gz
cd prometheus-*
cat << 'EOF' > prometheus.yml
rule_files:
  - ssl_expiry.rules
scrape_configs:
  - job_name: 'blackbox'
    metrics_path: /probe
    params:
      module: [http_2xx]  # Look for a HTTP 200 response.
    static_configs:
      - targets:
        - example.com  # Target to probe
    relabel_configs:
      - source_labels: [__address__]
        regex: (.*?)(:80)?
        target_label: __param_target
        replacement: https://${1}
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115  # Blackbox exporter.
EOF
cat << 'EOF' > ssl_expiry.rules
groups:
- name: ssl_expiry.rules
  rules:
  - alert: SSLCertExpiringSoon
    expr: probe_ssl_earliest_cert_expiry{job="blackbox"} - time() < 86400 * 30
    for: 10m
EOF
./prometheus

If you visit http://localhost:9090/alerts you'll see your new alert, ready to let you know 30 days before your certs expire!
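To see what the three relabel_configs rules above do to each discovered target, here is an added example (not from the original post, and not Prometheus's own code) that models the replace action in Python. The helper names relabel and scrape_request are hypothetical, the targets are constructed, and Python's re stands in for Prometheus's Go regex engine.

```python
import re
from urllib.parse import urlencode

# The three relabel rules from the scrape config on this page.
RELABEL_CONFIGS = [
    {"source_labels": ["__address__"], "regex": r"(.*?)(:80)?",
     "target_label": "__param_target", "replacement": "https://${1}"},
    {"source_labels": ["__param_target"], "target_label": "instance"},
    {"target_label": "__address__", "replacement": "127.0.0.1:9115"},
]

def relabel(labels, configs):
    """Apply 'replace' rules using Prometheus's defaults (hypothetical helper)."""
    labels = dict(labels)
    for cfg in configs:
        # Source label values are joined with ';' (the default separator).
        value = ";".join(labels.get(n, "") for n in cfg.get("source_labels", []))
        # The regex must match the whole value; the default is (.*).
        match = re.fullmatch(cfg.get("regex", "(.*)"), value)
        if match is None:
            continue  # no match: this rule leaves the labels untouched
        # Expand ${1} / $1 capture-group references in the replacement.
        result = re.sub(
            r"\$\{(\d+)\}|\$(\d+)",
            lambda ref: match.group(int(ref.group(1) or ref.group(2))) or "",
            cfg.get("replacement", "$1"))
        if result:
            labels[cfg["target_label"]] = result
        else:
            labels.pop(cfg["target_label"], None)  # empty result drops the label
    return labels

def scrape_request(target, module="http_2xx"):
    """Return (scrape URL, instance label) for one discovered target."""
    start = {"__address__": target, "__scheme__": "http",
             "__metrics_path__": "/probe", "__param_module": module,
             "job": "blackbox"}
    out = relabel(start, RELABEL_CONFIGS)
    # __param_<name> labels become URL query parameters of the scrape.
    params = {k[len("__param_"):]: v for k, v in out.items()
              if k.startswith("__param_")}
    url = (f"{out['__scheme__']}://{out['__address__']}"
           f"{out['__metrics_path__']}?{urlencode(params)}")
    return url, out["instance"]

if __name__ == "__main__":
    for t in ("example.com", "example.com:80", "example.com:8443"):  # constructed
        print(t, "->", *scrape_request(t))
```

Every target ends up being scraped through the exporter at 127.0.0.1:9115, while the instance label keeps the probed URL, so alerts name the site rather than the exporter.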

Brian Brazil