It's in regard to the "probe_ssl_earliest_cert_expiry" metric, which uses the date of the earliest expiring certificate in the chain as its value. Its value at the moment is the 30th of May because the root certificate is the certificate which will expire the earliest in the certificate chain right now, even though the end-user certificate won't expire for the next couple of months and will stay valid because of the cross signing certificates as you explained (thus causing the false-positive alerts). I was curious whether there is another solution to prevent false positives but keep alerting active for the domains in question which have the expiring certificate as their root certificate, other than completely renewing the certificate.

On Wednesday, May 13, 2020 at 12:24:53 AM UTC+2, Matt Doughty wrote:
>
> If you have an up-to-date trust store, the cross signing certificates for the newer root CAs should mean you don't have to do anything. If you don't have an updated trust store, you have work to do.
>
> --Matt
>
> On Tue, May 12, 2020 at 5:26 PM Julian van den Berkmortel <[email protected]> wrote:
>
>> I won't ask "why is this happening" because enough has been said about that, the reasoning behind it or what "probe_ssl_earliest_cert_expiry" does, does not or should do.
>>
>> I only have one question which is, what will happen after the expiry of the "Sectigo AddTrust External CA Root" certificate on the 30th of May.
>> To be completely honest, my knowledge of certificates and everything around it is as much as it has to be to solve daily tasks and problems if they ever occur.
>> I'd expect the certificate to have to be renewed so that it's signed by a root certificate other than the "Sectigo AddTrust External CA Root", but is this the only solution?
>> I'm trying to reduce upcoming false positives by silencing some of the alerts beforehand but this doesn't feel like a practical "solution" and requires us to manually remind ourselves to re-issue the certificate in a year or something (some earlier than others).
>>
>> I've tried using the SSL Exporter but this gave me problems when I tried to determine what certificate was an end-user certificate and should alert upon, but that is a whole other story.
>>
>> I hope someone can clarify this a bit more!
>>
>> --
>> You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/c86ad060-97da-4fc5-a1df-dae0bff078b9%40googlegroups.com.
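
The gap discussed in this thread, between the earliest expiry in the chain a server presents and the earliest expiry in the chain a client with an updated trust store actually verifies, shown as an added Go example (not code from the thread or from any exporter). The certificate names and lifetimes are constructed, and `must`, `issue`, `earliest` and `scenario` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // panic on setup errors to keep the demo short
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a constructed test cert: subject cn, issuer name issuerCN, signed with signer.
func issue(cn, issuerCN string, ca bool, days int, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days), IsCA: ca, BasicConstraintsValid: true}
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // only the issuer name is needed
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func earliest(chain []*x509.Certificate) (t time.Time) { // earliest NotAfter in one chain
	for i, c := range chain {
		if i == 0 || c.NotAfter.Before(t) {
			t = c.NotAfter
		}
	}
	return t
}

func scenario() (presented, verified time.Time) { // earliest expiry: presented vs verified chain
	oldPub, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	oldRoot := issue("Old Root", "Old Root", true, 17, oldPub, oldKey)   // root about to expire
	newRoot := issue("New Root", "New Root", true, 3650, newPub, newKey) // newer self-signed root
	cross := issue("New Root", "Old Root", true, 17, newPub, oldKey)     // same key, cross-signed by old root
	leaf := issue("example.test", "New Root", false, 90, leafPub, newKey)
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(newRoot) // up-to-date trust store: contains the newer root
	inter.AddCert(cross)   // sent by the server alongside the leaf
	chains := must(leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter}))
	return earliest([]*x509.Certificate{leaf, cross, oldRoot}), earliest(chains[0])
}
func main() { fmt.Println(scenario()) }
```

The first value tracks the expiring root (about 17 days out), while the second tracks the leaf (about 90 days out), because the verified path ends at the newer root and never touches the cross-signed certificate.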

