Document difference between TLS Cert expiry metrics #1330
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
slrtbtfs
force-pushed
the
document_ssl_expiry
branch
from
4084f63 to
fece8bc
Compare
Author
|
Hm, the CircleCI Tests seem to be failing for reasons unrelated to this PR: Looks like the CI Test environment is having some network Issues. Locally, the tests run fine. |
slrtbtfs
force-pushed
the
document_ssl_expiry
branch
from
fece8bc to
82bb799
Compare
blackbox-exporter currently offers two metrics to measure when TLS Certificates will expire. The difference between them is very subtle, but using `probe_ssl_earliest_cert_expiry` for checking whether a certificate is due to replacement can lead to false positive alerts. This documents the difference between those two. Generally `probe_ssl_last_chain_expiry_timestamp_seconds` seems to be what most people would want to use. Signed-off-by: Tobias Guggenmos <guggenmos@dfn-cert.de>
slrtbtfs
force-pushed
the
document_ssl_expiry
branch
from
82bb799 to
3443a24
Compare
Author
|
CI is passing now after a rebase, so this PR is ready. |
| const ( | ||
| helpSSLEarliestCertExpiry = "Returns last SSL chain expiry in unixtime" | ||
| helpSSLChainExpiryInTimeStamp = "Returns last SSL chain expiry in timestamp" | ||
| helpSSLEarliestCertExpiry = "Returns the earliest expiry of any peer certificate returned by the server as an unix timestamp. This can include certificates that are not validated by TLS clients. In rare server configurations this might return a time in the past, even for valid TLS certificate chains." |
Member
There was a problem hiding this comment.
this feels bit much for the help, can you trim it a bit and make it less verbose?
same for the example below.
if you wish to add more details, please add a section about SSL metrics in README.md to document these in details.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
blackbox-exporter currently offers two metrics to
measure when TLS Certificates will expire.
The difference between those is very subtle, but
using
probe_ssl_earliest_cert_expiryfor checking whether a certificate is due to
replacement can lead to false positive alerts.
This documents the difference between those two.
Generally,
probe_ssl_last_chain_expiry_timestamp_secondsseems to be what most people would want to use.