Document difference between ssl_expiry metrics
blackbox-exporter currently offers two metrics to
measure when TLS Certificates will expire.

The difference between them is very subtle, but
using `probe_ssl_earliest_cert_expiry`
for checking whether a certificate is due for
replacement can lead to false positive alerts.

This documents the difference between those two.

Generally `probe_ssl_last_chain_expiry_timestamp_seconds`
seems to be what most people would want to use.

Signed-off-by: Tobias Guggenmos <[email protected]>
slrtbtfs committed Dec 6, 2024
1 parent 7e25c6f commit 82bb799
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions prober/prober.go
Expand Up @@ -25,8 +25,8 @@ import (
type ProbeFn func(ctx context.Context, target string, config config.Module, registry *prometheus.Registry, logger *slog.Logger) bool

const (
helpSSLEarliestCertExpiry = "Returns last SSL chain expiry in unixtime"
helpSSLChainExpiryInTimeStamp = "Returns last SSL chain expiry in timestamp"
helpSSLEarliestCertExpiry = "Returns the earliest expiry of any peer certificate returned by the server as an unix timestamp. This can include certificates that are not validated by TLS clients. In rare server configurations this might return a time in the past, even for valid TLS certificate chains."
helpSSLChainExpiryInTimeStamp = "Returns the earliest expiry of any validated TLS certificate as an unix timestamp. This indicates the time when connections will start to fail, unless a certificate is renewed."
helpProbeTLSInfo = "Returns the TLS version used or NaN when unknown"
helpProbeTLSCipher = "Returns the TLS cipher negotiated during handshake"
)
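Review bot: In the new helpSSLChainExpiryInTimeStamp string, "the earliest expiry of any validated TLS certificate" does not account for the "last chain" in the metric name given in the commit message (probe_ssl_last_chain_expiry_timestamp_seconds). State which chain is reported when more than one chain validates, otherwise the text does not tell an operator how this value relates to the earliest-cert metric in that case. Both new strings should read "a Unix timestamp" rather than "an unix timestamp". In helpSSLEarliestCertExpiry, "In rare server configurations" would be more useful for alert authors if it named the condition, which the preceding sentence already implies: the server sends a certificate that is not part of the validated chain.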