Another option is to remove the intermediate certificate from the chain you
provide at your TLS endpoint. Blackbox exporter will then check with the
new path as long as you have the cross-signed CA in your keystore.

Clients that do not have the new cross-signed CA in their keystore will
fail then. But they will do so anyhow after expiry of the old root
certificate in some days. So this is also a good setup for testing your
clients' keystores.

Best regards,
Sebastian

Matt Doughty <[email protected]> wrote on Wed, 13 May 2020, 01:23:

> Should solve problem with the added benefit that removing the old Root CA
> is probably a good test to do anyway.
>
> --Matt
>
> On Tue, May 12, 2020 at 6:40 PM Harald Koch <[email protected]> wrote:
>
>> On Tue, May 12, 2020, at 18:34, Julian van den Berkmortel wrote:
>>
>> It's in regards to the "probe_ssl_earliest_cert_expiry" metric which uses
>> the date of the earliest expiring certificate in the chain as its value.
>> Its value at the moment is the 30th of May because the root certificate
>> is the certificate which will expire the earliest in the certificate chain
>> right now, even though the end-user certificate won't expire for the next
>> couple of months and stay valid because of the cross signing certificates
>> as you explained (thus causing the false-positive alerts).
>> I was curious whether there is another solution to prevent
>> false-positives but keep alerting active for the domains in question which
>> have the expiring certificate as their root certificate, other than
>> completely renewing the certificate.
>>
>>
>> - make sure the newer (cross-signing) certs are in your trust store, so
>> that the blackbox exporter can find a valid chain to/through them.
>> - remove the expiring Root CA from your trust store.
>>
>> Problem solved?
>>
>> --
>> Harald
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Prometheus Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-users/9e7d225d-a0a5-4250-859c-b0079905c14b%40www.fastmail.com
>> <https://groups.google.com/d/msgid/prometheus-users/9e7d225d-a0a5-4250-859c-b0079905c14b%40www.fastmail.com?utm_medium=email&utm_source=footer>
>> .
>>
>
>
> --
> --Matt
>
>
