On Tue, May 12, 2020, at 18:34, Julian van den Berkmortel wrote: > It's in regards to the "probe_ssl_earliest_cert_expiry" metric which uses the > date of the earliest expiring certificate in the chain as its value. > Its value at the moment is the 30th of May because the root certificate is > the certificate which will expire the earliest in the certificate chain right > now, even though the end-user certificate won't expire for the next couple of > months and stay valid because of the cross signing certificates as you > explained (thus causing the false-positives alerts). > I was curious whether there is another solution to prevent false-positives > but keep alerting active for the domains in question which have the expiring > certificate as their root certificate, other than completely renewing the > certificate.
- make sure the newer (cross-signing) certs are in your trust store, so that the blackbox exporter can find a valid chain to/through them. - remove the expiring Root CA from your trust store. Problem solved? -- Harald -- You received this message because you are subscribed to the Google Groups "Prometheus Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/9e7d225d-a0a5-4250-859c-b0079905c14b%40www.fastmail.com.
