ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

dnsnames with commas #88

Closed NiceGuyIT closed 2 years ago

NiceGuyIT commented 2 years ago
ssl_exporter, version 2.3.1 (branch: tags/v2.3.1, revision: 08d9a665b60c14e9f380acca9b6b52e4674bf24a)
  build user:       runner@fv-az186-669
  build date:       20210823-16:44:58
  go version:       go1.15.15
  platform:         linux/amd64

This is a minor issue but the result is propagated through to the emails sent by alertmanager. The dnsnames label has a preceding and trailing comma. Using GitHub as an example, notice how the dnsnames label has a comma at the beginning and end. Those commas show up in alertmanager and the emails sent from alertmanager.

curl --silent "localhost:9219/probe?target=github.com:443" | grep 'dnsnames=",'

ssl_cert_not_after{cn="github.com",dnsnames=",github.com,www.github.com,",emails="",ips="",issuer_cn="DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1",ou="",serial_no="19335859262210987870682549325523936958"} 1.648684799e+09
ssl_cert_not_before{cn="github.com",dnsnames=",github.com,www.github.com,",emails="",ips="",issuer_cn="DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1",ou="",serial_no="19335859262210987870682549325523936958"} 1.6166304e+09
ssl_verified_cert_not_after{chain_no="0",cn="github.com",dnsnames=",github.com,www.github.com,",emails="",ips="",issuer_cn="DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1",ou="",serial_no="19335859262210987870682549325523936958"} 1.648684799e+09
ssl_verified_cert_not_before{chain_no="0",cn="github.com",dnsnames=",github.com,www.github.com,",emails="",ips="",issuer_cn="DigiCert High Assurance TLS Hybrid ECC SHA256 2020 CA1",ou="",serial_no="19335859262210987870682549325523936958"} 1.6166304e+09

The source is coming from L450 of metrics.go. The dnsNames(), emailAddresses() and organizationalUnits() functions have the same logic. Is there a reasoning behind having the commas? Can they be removed? The ipAddresses() function has similar logic in that it will have a trailing comma if there are IPAddresses in the cert.

I understand having commas between multiple entries, but having spurious commas when there is a single entry seems excessive.

ribbybibby commented 2 years ago

Thanks for the issue!

This is by design. It makes it simpler to perform regex matching in relabel configs and follows the convention used in other 'list' type labels in Prometheus: https://www.robustperception.io/little-things-matter.

NiceGuyIT commented 2 years ago

That's interesting. The article talks about using relabel_configs to change internal labels in __meta_consul_tags to enhance downstream information and processes. It took me longer than desired to realize relabel_configs does not work because dnsnames is a metric, not a config. metric_relabel_configs can modify the dnsnames, emails, ips and others that might have a comma.

  metric_relabel_configs:
  - source_labels: [ dnsnames ]
    target_label: dnsnames
    regex: ",(.+),"
    replacement: "$1"
    action: replace

I'm going to close this because the metric_relabel_configs fixes it for me.
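The two points made in this thread (why the exporter wraps list-type labels in leading and trailing commas, and how the metric_relabel_configs step above strips them) can be demonstrated in a few lines of Go. The following is an added example, not code from ssl_exporter or Prometheus: joinWithCommas is an illustrative reimplementation of the label convention, HasExactName shows the exact-entry matching the commas make possible, and prometheusRelabel mimics Prometheus relabel semantics (the regex is implicitly anchored as ^(?:...)$ and the replacement may reference capture groups with $1); those names and the assumption that an empty list yields an empty label are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// joinWithCommas reproduces the list-label convention discussed in the
// issue: entries separated by commas, with the whole list wrapped in a
// leading and a trailing comma. An empty list becomes "" (assumption, to
// match the emails="" seen in the sample output). Illustrative only.
func joinWithCommas(entries []string) string {
	if len(entries) == 0 {
		return ""
	}
	return "," + strings.Join(entries, ",") + ","
}

// HasExactName reports whether a list-style label contains name as a whole
// entry. Searching for ",name," rather than "name" is what the surrounding
// commas buy: "hub.com" no longer matches ",github.com,".
func HasExactName(label, name string) bool {
	return strings.Contains(label, ","+name+",")
}

// prometheusRelabel mimics a Prometheus relabel step with action: replace.
// Prometheus anchors the user's regex (^(?:...)$) and expands $1, $2, ... in
// the replacement; if the regex does not match, the label is left unchanged.
// The second return value reports whether the regex matched.
func prometheusRelabel(value, regex, replacement string) (string, bool) {
	re := regexp.MustCompile("^(?:" + regex + ")$")
	m := re.FindStringSubmatchIndex(value)
	if m == nil {
		return value, false
	}
	return string(re.ExpandString(nil, replacement, value, m)), true
}

func main() {
	// Constructed sample matching the github.com certificate in the issue.
	dnsnames := joinWithCommas([]string{"github.com", "www.github.com"})
	emails := joinWithCommas(nil)
	fmt.Printf("dnsnames=%q emails=%q\n", dnsnames, emails)

	// Exact-entry matching vs. a naive substring check.
	fmt.Println("exact github.com:", HasExactName(dnsnames, "github.com"))
	fmt.Println("exact hub.com:   ", HasExactName(dnsnames, "hub.com"))
	fmt.Println("substring hub.com:", strings.Contains(dnsnames, "hub.com"))

	// The relabel rule from the thread: regex ",(.+)," replacement "$1".
	for _, v := range []string{dnsnames, ",github.com,", emails} {
		out, matched := prometheusRelabel(v, ",(.+),", "$1")
		fmt.Printf("%q -> %q (matched=%v)\n", v, out, matched)
	}
}
```

The last loop shows the edge case worth knowing when copying the relabel rule: a label that is already empty (emails="" above) does not match ",(.+)," and is passed through unchanged, which is the behaviour you want; a label with a single entry such as ",github.com," collapses cleanly to "github.com".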