Skip to content

Document difference between TLS Cert expiry metrics #1330

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Document difference between TLS Cert expiry metrics #1330

wants to merge 3 commits into from

Conversation

@slrtbtfs
Copy link

@slrtbtfs slrtbtfs commented Dec 3, 2024

blackbox-exporter currently offers two metrics to
measure when TLS Certificates will expire.

The difference between those is very subtle, but
using probe_ssl_earliest_cert_expiry
for checking whether a certificate is due to
replacement can lead to false positive alerts.

This documents the difference between those two.

Generally, probe_ssl_last_chain_expiry_timestamp_seconds
seems to be what most people would want to use.

@slrtbtfs slrtbtfs force-pushed the document_ssl_expiry branch from 4084f63 to fece8bc Compare December 3, 2024 12:45
@slrtbtfs
Copy link
Author

slrtbtfs commented Dec 3, 2024

Hm, the CircleCI Tests seem to be failing for reasons unrelated to this PR:

level=error msg="Resolution with IP protocol failed" target=ipv6.google.com ip_protocol=ip4 err="lookup ipv6.google.com on 10.89.4.1:53: no such host"

Looks like the CI Test environment is having some network Issues.

Locally, the tests run fine.

@slrtbtfs slrtbtfs force-pushed the document_ssl_expiry branch from fece8bc to 82bb799 Compare December 6, 2024 11:35
@github-actions github-actions bot added the stale label Feb 13, 2025
@slrtbtfs slrtbtfs force-pushed the document_ssl_expiry branch from 82bb799 to 3443a24 Compare February 25, 2025 08:54
@slrtbtfs
Copy link
Author

slrtbtfs commented Feb 25, 2025

CI is passing now after a rebase, so this PR is ready.

@github-actions github-actions bot removed the stale label Apr 14, 2025
@github-actions github-actions bot added the stale label Jul 1, 2025
electron0zero
electron0zero reviewed Oct 30, 2025
View reviewed changes
@github-actions github-actions bot removed the stale label Nov 1, 2025
@slrtbtfs slrtbtfs force-pushed the document_ssl_expiry branch from 3443a24 to c30ef31 Compare November 28, 2025 11:40
@slrtbtfs
Document difference between ssl_expiry metrics
5b860a0 
blackbox-exporter currently offers two metrics to
measure when TLS Certificates will expire.

The difference between them is very subtle, but
using `probe_ssl_earliest_cert_expiry`
for checking whether a certificate is due to
replacement can lead to false positive alerts.

This documents the difference between those two.

Generally `probe_ssl_last_chain_expiry_timestamp_seconds`
seems to be what most people would want to use.

Signed-off-by: Tobias Guggenmos <guggenmos@dfn-cert.de>
@slrtbtfs
Shorten descriptions
f314369 
Signed-off-by: Tobias Guggenmos <guggenmos@dfn-cert.de>
@slrtbtfs
shorten description further
1d133dc 
Signed-off-by: Tobias Guggenmos <guggenmos@dfn-cert.de>
@slrtbtfs slrtbtfs force-pushed the document_ssl_expiry branch from 46fbe12 to 1d133dc Compare November 28, 2025 11:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@electron0zero electron0zero electron0zero left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@slrtbtfs @electron0zero