Blackbox Exporter's `probe_ssl_earliest_cert_expiry` metric reports the expiry time of the certificate.
All of the settings below are samples for a Helm values.yaml.
Blackbox Exporter configuration:
```yaml
config:
  modules:
    http_2xx:
      prober: http
      timeout: 5s
      http:
        # Version strings are matched exactly, so they must be upper case.
        valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
        follow_redirects: true
        preferred_ip_protocol: "ip4"
    http_post_2xx:
      prober: http
      timeout: 5s
      http:
        method: POST
        headers:
          Content-Type: application/json
        body: '{}'
    tcp_connect:
      prober: tcp
      timeout: 5s
    icmp:
      prober: icmp
      timeout: 5s
```
Prometheus configuration:
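```yaml
extraScrapeConfigs: |
  - job_name: nextcloud
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
        - https://nextcloud.vamdemic/login
        labels:
          env: development
    # Send the scrape to Blackbox Exporter and pass the URL as ?target=.
    # The address is a placeholder; 9115 is the exporter's default port.
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: "<blackbox-exporter-service>:9115"
```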
```yaml
- name: ssl-expiry-rule
  rules:
    - alert: SSLCertExpiringSoon-global-vamdemic
      expr: probe_ssl_earliest_cert_expiry{job="nextcloud"} - time() < 86400 * 30
      for: 30s
      labels:
        severity: critical
      annotations:
        summary: "SSL Certificate for {{ $labels.instance }} expires in {{ .Value | humanizeDuration }}"
        description: "SSL Certificate for {{ $labels.instance }} expires in {{ .Value | humanizeDuration }}"
```
With the configuration above, an alert email of this kind arrives once the certificate has fewer than 30 days left before it expires.
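To check the alert condition outside Prometheus, the following added example (not part of the original post) evaluates the same comparison against a constructed sample of the exporter's `/probe` output. The function names and sample values are assumptions for illustration. It goes one step beyond the rule by reporting the case where the metric is missing, in which the PromQL expression returns nothing and no alert fires.

```python
import re

THRESHOLD_SECONDS = 86400 * 30  # same 30-day window as the alert expression

# Constructed sample of the exporter's /probe response (text exposition format).
SAMPLE_PROBE_OUTPUT = """\
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.700864e+09
# TYPE probe_success gauge
probe_success 1
"""

_SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*) (\S+)$")


def parse_samples(text):
    """Return {metric_name: value} for label-free samples; skip everything else."""
    samples = {}
    for line in text.splitlines():
        match = _SAMPLE_RE.match(line.strip())
        if match:
            samples[match.group(1)] = float(match.group(2))
    return samples


def evaluate_expiry(text, now, threshold=THRESHOLD_SECONDS):
    """Mirror `probe_ssl_earliest_cert_expiry - time() < 86400 * 30`.

    Returns (state, remaining_seconds); state is "firing", "ok" or "no_data".
    """
    samples = parse_samples(text)
    expiry = samples.get("probe_ssl_earliest_cert_expiry")
    if expiry is None:
        # Without the series the PromQL comparison returns nothing and the
        # alert stays silent, so report this case separately.
        return ("no_data", None)
    remaining = expiry - now
    return ("firing" if remaining < threshold else "ok", remaining)


if __name__ == "__main__":
    # Fixed "now" (constructed) so the output is reproducible: 10 days before expiry.
    print(evaluate_expiry(SAMPLE_PROBE_OUTPUT, now=1_700_000_000))
```

A `no_data` result is worth its own alert, for example on `probe_success`, because the expiry rule alone cannot distinguish a healthy certificate from a target that was never probed over TLS.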
Reference
https://enginaltay.medium.com/get-alerted-before-your-ssl-certificate-expire-62a3c30f7239