Document difference between ssl_expiry metrics
blackbox-exporter currently offers two metrics to
measure when TLS Certificates will expire.

The difference between those is very subtle, but
using `probe_ssl_earliest_cert_expiry`
for checking whether a certificate is due for
replacement can lead to false positive alerts.

This documents the difference between those two.

Generally `probe_ssl_last_chain_expiry_timestamp_seconds`
seems to be what most people would want to use.

Signed-off-by: Tobias Guggenmos <[email protected]>
slrtbtfs committed Dec 3, 2024
1 parent 0d25513 commit 4084f63
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions prober/prober.go
Expand Up @@ -25,8 +25,8 @@ import (
type ProbeFn func(ctx context.Context, target string, config config.Module, registry *prometheus.Registry, logger log.Logger) bool

const (
helpSSLEarliestCertExpiry = "Returns last SSL chain expiry in unixtime"
helpSSLChainExpiryInTimeStamp = "Returns last SSL chain expiry in timestamp"
helpSSLEarliestCertExpiry = "Returns the earliest expiry of any peer certificate returned by the server as an unix timestamp. This can include certificates that are not validated by TLS clients. In rare server configurations this might return a time in the past, even for valid TLS certificate chains."
helpSSLChainExpiryInTimeStamp = "Returns the earliest expiry of any validated TLS certificate as an unix timestamp. This indicates the time when connections will start to fail, unless a certificate is renewed."
helpProbeTLSInfo = "Returns the TLS version used or NaN when unknown"
)
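Review bot: In the new `helpSSLChainExpiryInTimeStamp` string, "the earliest expiry of any validated TLS certificate" drops the "last SSL chain" wording of the string it replaces, while the commit message still names the metric `probe_ssl_last_chain_expiry_timestamp_seconds`. A reader of the help text alone cannot tell what "last chain" refers to, or which value is reported when more than one chain validates. Suggest stating the chain semantics in the string itself, so the description and the metric name agree. Two smaller points: both strings should read "a Unix timestamp" rather than "an unix timestamp", and in `helpSSLEarliestCertExpiry` the phrase "certificates that are not validated by TLS clients" would be clearer if it said which certificates are meant, for example ones the server sends that are not part of a verified chain, if that is the intent.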
