I've tried removing the expiring certificate from the trust store
("/etc/ca-certificates.conf" and "update-ca-certificates") and I thought it
yielded the wanted results but...
I checked one of the domains which before had the expiry date of May 30th
and this one worked, it gave back the proper date.
But then I checked another domain and that one was still giving back the
expiry date of May 30th, so after that I reverted my changes in
"/etc/ca-certificates.conf" and ran "update-ca-certificates" again
expecting the domain that now worked to fail again.
But it didn't. So, right now I'm kinda confused why the domain keeps
working even though I added back the expiring root certificate to the trust
store...

On Wednesday, May 13, 2020 at 1:23:47 AM UTC+2, Matt Doughty wrote:
>
> Should solve problem with the added benefit that removing the old Root CA
> is probably a good test to do anyway.
>
> --Matt
>
> On Tue, May 12, 2020 at 6:40 PM Harald Koch <[email protected]> wrote:
>
>> On Tue, May 12, 2020, at 18:34, Julian van den Berkmortel wrote:
>>
>> It's in regards to the "probe_ssl_earliest_cert_expiry" metric which uses
>> the date of the earliest expiring certificate in the chain as its value.
>> Its value at the moment is the 30th of May because the root certificate
>> is the certificate which will expire the earliest in the certificate chain
>> right now, even though the end-user certificate won't expire for the next
>> couple of months and stay valid because of the cross signing certificates
>> as you explained (thus causing the false-positive alerts).
>> I was curious whether there is another solution to prevent
>> false-positives but keep alerting active for the domains in question which
>> have the expiring certificate as their root certificate, other than
>> completely renewing the certificate.
>>
>>
>> - make sure the newer (cross-signing) certs are in your trust store, so
>> that the blackbox exporter can find a valid chain to/through them.
>> - remove the expiring Root CA from your trust store.
>>
>> Problem solved?
>>
>> --
>> Harald
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Prometheus Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-users/9e7d225d-a0a5-4250-859c-b0079905c14b%40www.fastmail.com
>>
>
>
> --
> --Matt
>
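
Whether removing a root changes an "earliest expiry in the chain" value depends on which chain is measured: the certificates the server sends, or the chain built to a trusted root. The Go program below is an added example, not code from this thread or from the blackbox exporter; it builds a constructed PKI and compares the two values with only the new root trusted. The function names (`issue`, `earliest`, `demo`), the subjects "Old Root", "New Root" and "example.test", and the 10/90/3650-day lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; errors are dropped because a failure yields nil and panics at first use.
func issue(cn, issuerCN string, ca bool, days int, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, days), IsCA: ca, BasicConstraintsValid: true}
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // only the issuer name is needed to sign
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// earliest returns the soonest NotAfter found in any of the given chains (zero time if there are none).
func earliest(chains ...[]*x509.Certificate) (t time.Time) {
	for _, chain := range chains {
		for _, c := range chain {
			if t.IsZero() || c.NotAfter.Before(t) {
				t = c.NotAfter
			}
		}
	}
	return t
}

// demo returns the earliest expiry among the certificates sent and among the chains verified with only New Root trusted.
func demo() (presented, verified time.Time, err error) {
	_, oldKey, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	newRoot := issue("New Root", "New Root", true, 3650, newPub, newKey)
	cross := issue("New Root", "Old Root", true, 10, newPub, oldKey) // New Root's key, cross-signed by the expiring root
	leaf := issue("example.test", "New Root", false, 90, leafPub, newKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(newRoot)       // trust store after the expiring root has been removed
	opts.Intermediates.AddCert(cross) // the server still sends the cross-signed certificate
	chains, err := leaf.Verify(opts)
	return earliest([]*x509.Certificate{leaf, cross}), earliest(chains...), err
}

func main() { fmt.Println(demo()) }
```

With only the new root trusted, the verified chain is leaf → New Root and its earliest expiry is the leaf's, about 90 days out. The cross-signed certificate the server still sends keeps the presented-chain value at about 10 days, regardless of what the trust store contains.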