Hi Amjad,

blackbox_exporter's probe_ssl_earliest_cert_expiry outputs exactly what
the name says -- the *earliest* cert expiry, i.e. when this certificate
will become invalid as seen from a user/browser/client validating this
cert. This is not necessarily identical to the value of the end of
validity of your single certificate.

To be more specific:
The certificate used by your web server would be valid until Dec 10
2020, as you said. This certificate is signed by an intermediate CA
which is valid until Jul 3rd 2024. This intermediate is signed by a CA
which expires May 30 2020. See below for a crazy one-liner which
demonstrates this using openssl/awk.

blackbox_exporter outputs this as the value 1.590835718e+09. This is a
unix timestamp, represented in scientific notation. In "normal"
representation, this is 1590835718.0, which translates to May 30 2020 as
expected. :)

So, if you had an alert based on this metric, it would properly warn you
that your site would stop working for most users at the end of May 2020.

You also mentioned the value "5180010.404999971", however, I did not
find this anywhere in the output...? Maybe some typo / conversion error
somewhere?

Kind regards,
Christian


$ openssl s_client -servername cms-site-admin-live.tajawal.com \
    -connect cms-site-admin-live.tajawal.com:443 -showcerts </dev/null 2>/dev/null |
  awk 'BEGIN { pipe="openssl x509 -noout -subject -dates" }
       /^-+BEGIN CERT/,/^-+END CERT/ { print | pipe }
       /^-+END CERT/ { close(pipe); printf("\n") }'

subject=OU = Domain Control Validated, CN = *.tajawal.com
notBefore=Dec 13 00:00:00 2017 GMT
notAfter=Dec 10 23:59:59 2020 GMT

subject=C = US, O = SSL.com, OU = www.ssl.com, CN = SSL.com DV CA
notBefore=Jul  4 00:00:00 2014 GMT
notAfter=Jul  3 23:59:59 2024 GMT

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT


$ TZ= LC_ALL=C date --date=@$(python -c 'print(1.590835718e+09)')
Sat May 30 10:48:38 UTC 2020


On 3/31/20 3:53 PM, Amjad Syed wrote:
> 
>       I checked the cert chain and nothing is expiring.
> 
> 
> 
>       Host operating system: output of |uname -a|
> 
> Linux blackbox-deployment-fbd566f88-l6b7d 4.14.165-133.209.amzn2.x86_64 #1 SMP Sun Feb 9 00:21:30 UTC 2020 x86_64 GNU/Linux
> 
> 
>       blackbox_exporter version: output of |blackbox_exporter -version|
> 
> / # /bin/blackbox_exporter --version
> blackbox_exporter, version 0.16.0 (branch: HEAD, revision: 991f89846ae10db22a3933356a7d196642fcb9a9)
>   build user: root@64f600555645
>   build date: 20191111-16:27:24
>   go version: go1.13.4
> 
> 
>       What is the blackbox.yml module config.
> 
> modules:
>   http_2xx_get:
>     prober: http
>     timeout: 5s
>     http:
>       method: GET
> 
> 
>       What is the prometheus.yml scrape config.
> 
> - job_name: 'blackbox-live'
>   metrics_path: /probe
>   file_sd_configs:
>     - files:
>         - '/etc/prometheus/blackbox/targets/blackbox-example/blackbox-live.yml'
>   relabel_configs:
>     - source_labels: [__address__]
>       target_label: __param_target
>     - source_labels: [module]
>       target_label: __param_module
>     - source_labels: [__param_target]
>       target_label: instance
>     - target_label: __address__
>       replacement: blackbox.company.io
> 
> 
>       What logging output did you get from adding |&debug=true| to the
>       probe URL?
> 
> ts=2020-03-31T11:59:12.475392992Z caller=main.go:304 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Beginning probe" probe=http timeout_seconds=5
> ts=2020-03-31T11:59:12.475517252Z caller=http.go:318 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Resolving target address" ip_protocol=ip6
> ts=2020-03-31T11:59:12.479932352Z caller=http.go:318 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Resolved target address" ip=34.242.235.246
> ts=2020-03-31T11:59:12.479981655Z caller=client.go:250 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Making HTTP request" url=https://34.242.235.246/admin/ host=cms-site-admin-live.company.com
> ts=2020-03-31T11:59:12.805876249Z caller=main.go:119 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Received HTTP response" status_code=200
> ts=2020-03-31T11:59:12.805950809Z caller=main.go:119 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Response timings for roundtrip" roundtrip=0 start=2020-03-31T11:59:12.480053551Z dnsDone=2020-03-31T11:59:12.480053551Z connectDone=2020-03-31T11:59:12.481023509Z gotConn=2020-03-31T11:59:12.484239484Z responseStart=2020-03-31T11:59:12.805832117Z end=2020-03-31T11:59:12.805945783Z
> ts=2020-03-31T11:59:12.805998306Z caller=main.go:304 module=http_2xx_get target=https://cms-site-admin-live.company.com/admin/ level=info msg="Probe succeeded" duration_seconds=0.330550216
>
> Metrics that would have been returned:
> # HELP probe_dns_lookup_time_seconds Returns the time taken for probe dns lookup in seconds
> # TYPE probe_dns_lookup_time_seconds gauge
> probe_dns_lookup_time_seconds 0.004423017
> # HELP probe_duration_seconds Returns how long the probe took to complete in seconds
> # TYPE probe_duration_seconds gauge
> probe_duration_seconds 0.330550216
> # HELP probe_failed_due_to_regex Indicates if probe failed due to regex
> # TYPE probe_failed_due_to_regex gauge
> probe_failed_due_to_regex 0
> # HELP probe_http_content_length Length of http content response
> # TYPE probe_http_content_length gauge
> probe_http_content_length -1
> # HELP probe_http_duration_seconds Duration of http request by phase, summed over all redirects
> # TYPE probe_http_duration_seconds gauge
> probe_http_duration_seconds{phase="connect"} 0.000969967
> probe_http_duration_seconds{phase="processing"} 0.321592628
> probe_http_duration_seconds{phase="resolve"} 0.004423017
> probe_http_duration_seconds{phase="tls"} 0.004185941
> probe_http_duration_seconds{phase="transfer"} 0.000113663
> # HELP probe_http_redirects The number of redirects
> # TYPE probe_http_redirects gauge
> probe_http_redirects 0
> # HELP probe_http_ssl Indicates if SSL was used for the final redirect
> # TYPE probe_http_ssl gauge
> probe_http_ssl 1
> # HELP probe_http_status_code Response HTTP status code
> # TYPE probe_http_status_code gauge
> probe_http_status_code 200
> # HELP probe_http_uncompressed_body_length Length of uncompressed response body
> # TYPE probe_http_uncompressed_body_length gauge
> probe_http_uncompressed_body_length 6796
> # HELP probe_http_version Returns the version of HTTP of the probe response
> # TYPE probe_http_version gauge
> probe_http_version 1.1
> # HELP probe_ip_protocol Specifies whether probe ip protocol is IP4 or IP6
> # TYPE probe_ip_protocol gauge
> probe_ip_protocol 4
> # HELP probe_ssl_earliest_cert_expiry Returns earliest SSL cert expiry in unixtime
> # TYPE probe_ssl_earliest_cert_expiry gauge
> probe_ssl_earliest_cert_expiry 1.590835718e+09
> # HELP probe_success Displays whether or not the probe was a success
> # TYPE probe_success gauge
> probe_success 1
> # HELP probe_tls_version_info Contains the TLS version used
> # TYPE probe_tls_version_info gauge
> probe_tls_version_info{version="TLS 1.2"} 1
>
> Module configuration:
> prober: http
> timeout: 5s
> http:
>   ip_protocol_fallback: true
>   method: GET
> tcp:
>   ip_protocol_fallback: true
> icmp:
>   ip_protocol_fallback: true
> dns:
>   ip_protocol_fallback: true
> 
> 
>       What did you do that produced an error?
> 
> 
>       What did you expect to see?
> 
>   * expire date: Dec 10 23:59:59 2020 GMT
> 
> 
>       What did you see instead?
> 
> 5180010.404999971

-- 
You received this message because you are subscribed to the Google Groups 
"Prometheus Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/prometheus-users/54481f78-d130-5781-5f4d-7a42371644f2%40hoffmann-christian.info.
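
Added example (not part of the original message and not blackbox_exporter's code): the stanzas printed by the openssl/awk one-liner above, parsed in Python to show which certificate in the served chain sets the earliest expiry and what Unix timestamp that is. CHAIN_TEXT is a sample built from that output, and the function names are made up for this illustration.

```python
from datetime import datetime, timezone

# Constructed sample: the `openssl x509 -noout -subject -dates` stanzas shown
# in the message above, one per certificate the server presented.
CHAIN_TEXT = """\
subject=OU = Domain Control Validated, CN = *.tajawal.com
notBefore=Dec 13 00:00:00 2017 GMT
notAfter=Dec 10 23:59:59 2020 GMT

subject=C = US, O = SSL.com, OU = www.ssl.com, CN = SSL.com DV CA
notBefore=Jul  4 00:00:00 2014 GMT
notAfter=Jul  3 23:59:59 2024 GMT

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
notBefore=May 30 10:48:38 2000 GMT
notAfter=May 30 10:48:38 2020 GMT
"""

def parse_chain(text):
    """Return [(subject, not_after_unix), ...] in the order the server sent them."""
    certs, subject = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "subject":
            subject = value.strip()
        elif key == "notAfter":
            if subject is None:
                raise ValueError("notAfter without a preceding subject line")
            when = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            certs.append((subject, int(when.replace(tzinfo=timezone.utc).timestamp())))
            subject = None
    if not certs:
        raise ValueError("no certificates found in input")
    return certs

def earliest_expiry(certs):
    """Return (index, subject, unix_time) of the certificate that expires first."""
    idx = min(range(len(certs)), key=lambda i: certs[i][1])
    return idx, certs[idx][0], certs[idx][1]

def seconds_left(expiry_unix, now):
    """Seconds between a timezone-aware `now` and the expiry timestamp."""
    return expiry_unix - int(now.timestamp())

if __name__ == "__main__":
    chain = parse_chain(CHAIN_TEXT)
    idx, subject, expiry = earliest_expiry(chain)
    print(f"leaf notAfter     : {chain[0][1]}")
    print(f"earliest in chain : {expiry} ({expiry:e}) from cert #{idx}: {subject}")
```

Run directly, it prints the leaf's expiry (1607644799) next to the chain's earliest (1590835718, from the USERTrust certificate). seconds_left() against the probe time in the debug log, 2020-03-31T11:59:12Z, gives 5179766, the same magnitude as the 5180010.404999971 in the report.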