ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

No cert metrics when target has expired or invalid certificate #37

Closed bingshiao closed 4 years ago

bingshiao commented 4 years ago

Hi,

When probing a target with an invalid or expired certificate, metrics (ssl_cert_not_after, ssl_cert_not_before) are not being populated.

$ curl -s http://localhost:9219/probe?target=example.com:443
# HELP ssl_prober The prober used by the exporter to connect to the target
# TYPE ssl_prober gauge
ssl_prober{prober="tcp"} 1
# HELP ssl_tls_connect_success If the TLS connection was a success
# TYPE ssl_tls_connect_success gauge
ssl_tls_connect_success 0
ssl             | time="2020-07-03T01:46:28Z" level=error msg="x509: certificate has expired or is not yet valid: current time 2020-07-03T01:46:28Z is after 2020-06-22T17:01:09Z" source="ssl_exporter.go:78"

Without ssl_cert_not_after or ssl_cert_not_before, I cannot see the expiration date and other attributes of the example.com certificate.

Is there a way to force sampling the metrics even though there is an error?

Thanks,

ribbybibby commented 4 years ago

Hi @bingshiao,

You could set up a module which skips certificate verification.

ssl_exporter.yaml:

modules:
  tcp_insecure:
    prober: tcp
    tls_config:
      insecure_skip_verify: true

Then run the exporter, pointing to that file:

$ ./ssl_exporter --config.file=ssl_exporter.yaml

And then:

$ curl -s 'http://localhost:9219/probe?target=example.com:443&module=tcp_insecure'

bingshiao commented 4 years ago

Thanks @ribbybibby. That works.

alvnov commented 1 year ago

Greetings! I follow the same path as @bingshiao, but I get an error:

curl -s http://localhost:9219/probe?target=example.com:443
Module parameter must be set

My config is the same:

modules:
  tcp_insecure:
    prober: tcp
    tls_config:
      insecure_skip_verify: true

Unfortunately, I don't understand what parameter the module should have. Please excuse me if this is a stupid question. But I have been unable to solve this case for 2 days. ((

bingshiao commented 1 year ago

Have you tried adding &module=tcp_insecure to your curl command?

curl -s 'http://localhost:9219/probe?target=example.com:443&module=tcp_insecure'

alvnov commented 1 year ago

Have you tried adding &module=tcp_insecure to your curl command?

curl -s 'http://localhost:9219/probe?target=example.com:443&module=tcp_insecure'

Thank you so much! I understood, it was really necessary to form the request correctly. And to enable this module in Prometheus, you need to add this section to its configuration file: params: module: ["tcp_insecure"]

  - job_name: 'ssl'
    metrics_path: /probe
    params:
      module: ["tcp_insecure"]
    scrape_interval: 2m
    static_configs:
      - targets:
        - 'example.com:443'
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: localhost:9219
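
What the tcp_insecure module discussed in this thread changes at the TLS layer, as an added example that is not ssl_exporter's own code: it uses Go's standard crypto/tls InsecureSkipVerify field as the counterpart of insecure_skip_verify, against a constructed expired certificate served on loopback. The names startExpired, probe and expired.test are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http/httptest"
	"time"
)

// startExpired serves a constructed, already-expired self-signed cert on loopback.
func startExpired() (string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"expired.test"},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(-time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", err
	}
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS()
	return srv.Listener.Addr().String(), nil
}

// probe returns the leaf NotAfter; unless skipVerify is set, the handshake aborts first.
func probe(addr string, skipVerify bool) (time.Time, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "expired.test", InsecureSkipVerify: skipVerify})
	if err != nil {
		return time.Time{}, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].NotAfter, nil
}

func main() {
	addr, err := startExpired()
	if err != nil {
		panic(err)
	}
	_, verr := probe(addr, false)
	notAfter, ierr := probe(addr, true)
	fmt.Printf("verifying probe: %v\ninsecure probe: not_after=%s err=%v\n", verr, notAfter.UTC(), ierr)
}
```

With verification skipped, a successful connection no longer says anything about whether the certificate is valid, so expiry has to be judged from ssl_cert_not_after rather than from ssl_tls_connect_success.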