Prometheus: Continuous Monitoring of SSL Certificates
Introduction
Having a complete continuous monitoring solution is crucial, as it provides real-time feedback on the overall health of IT infrastructure, including networks, applications and services deployed in the cloud or on-premises. In my previous articles I covered the basics needed to get started with Prometheus, which is the most popular open-source monitoring software in the DevOps industry.
Check out my previous articles to get started with Prometheus, Grafana and Alertmanager:
Today’s article expands the monitoring solution to cover not only the IT infrastructure, applications and services, but also SSL certificates.
Using valid SSL certificates is a must, and since SSL certificates have expiration dates, monitoring their validity is critical so you do not end up with an invalid or expired certificate and, consequently, an insecure service.
This article is broken up into 3 separate sections:
- The setup of node-cert-exporter to monitor SSL certificates.
- The setup of a Grafana dashboard to visualize SSL certificate expirations.
- The setup of Alertmanager to raise alerts when SSL certificates are about to expire.
It is a continuation of the setup explained in my previous articles.
The setup of node-cert-exporter
1. Install the node-cert-exporter from GitHub:
wget https://github.com/amimof/node-cert-exporter/releases/latest/download/node-cert-exporter-linux-amd64
2. Move the node-cert-exporter binary into place and make it executable:
sudo mv node-cert-exporter-linux-amd64 /usr/local/bin
sudo chmod +x /usr/local/bin/node-cert-exporter-linux-amd64
3. Create the node-cert-exporter user:
sudo useradd -rs /bin/false node-cert-exporter
4. Make the node-cert-exporter user the owner of the exporter executable:
sudo chown node-cert-exporter:node-cert-exporter /usr/local/bin/node-cert-exporter-linux-amd64
5. Configure the node-cert-exporter service:
cd /lib/systemd/system
sudo nano node-cert-exporter.service
Then put the following (the node-cert-exporter user must be able to read the directory given in --path; the exporter only needs the certificate files, not the private keys):
[Unit]
Description=Node Cert Exporter
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=node-cert-exporter
Group=node-cert-exporter
ExecStart=/usr/local/bin/node-cert-exporter-linux-amd64 --path="put-here-the-path-to-your-ssl-certificates" --listen your-ip:9117
Restart=always

[Install]
WantedBy=multi-user.target
6. Enable your service, start it and check its status:
sudo systemctl enable node-cert-exporter
sudo systemctl start node-cert-exporter
sudo systemctl status node-cert-exporter
7. Check that the service works correctly and exposes metrics:
curl http://your-ip:9117/metrics
8. Bind the node-cert-exporter to Prometheus
You need to edit the Prometheus configuration file:
cd /etc/prometheus
sudo nano prometheus.yml
Under the scrape_configs section of your Prometheus configuration file, add a new entry for the cert exporter:
  - job_name: 'certs_exporter'
    static_configs:
      - targets: ['machine-ip:9117']
machine-ip is the IP address of the machine on which the node-cert-exporter is running.
Restart Prometheus for your changes to be applied:
sudo systemctl restart prometheus
sudo systemctl status prometheus
The setup of grafana dashboard
In order to visualize the expiration dates of SSL certificates on a Grafana dashboard, you need to import a pre-configured dashboard into Grafana.
Check out Getting Started with Prometheus and Grafana for more information about configuring a Grafana dashboard.
The setup of alert-manager
As explained in Prometheus Alerting with AlertManager, to set up alerts when SSL certificates are about to expire you need to edit the alert rule configuration file:
nano /etc/prometheus/alert.rules.yml
Then add the following rule:
The following configuration fires an alert one month before an SSL certificate's expiration date.
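As an added example (not the original article's rule), here is a complete alert.rules.yml implementing the one-month warning, plus two rules that go beyond the text: one for certificates that have already expired, and one for the exporter itself being down, since a dead exporter silently stops the expiry data without firing the expiry alert. It assumes the exporter's metric is named ssl_certificate_expiry_seconds (seconds until the certificate's NotAfter) with a path label, which is what amimof/node-cert-exporter exposes; confirm the name against your own curl output of /metrics before relying on it. The job name matches the certs_exporter scrape entry above.

```yaml
# /etc/prometheus/alert.rules.yml (added example; assumes the metric name
# ssl_certificate_expiry_seconds and the 'path' label from node-cert-exporter)
groups:
  - name: ssl_certificates
    rules:
      # Fires when a certificate has less than 30 days (one month) left.
      # 'for: 1h' avoids flapping on a single scrape; the metric only decreases.
      - alert: SSLCertificateExpiringSoon
        expr: ssl_certificate_expiry_seconds < 30 * 24 * 60 * 60
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "SSL certificate expires in less than 30 days"
          description: "Certificate {{ $labels.path }} on {{ $labels.instance }} expires in {{ $value | humanizeDuration }}."

      # Beyond the article: the certificate is already past NotAfter.
      - alert: SSLCertificateExpired
        expr: ssl_certificate_expiry_seconds <= 0
        for: 5m
        labels:
          severity: critical
        annotations:
          summary: "SSL certificate has expired"
          description: "Certificate {{ $labels.path }} on {{ $labels.instance }} is expired; the service presenting it is now untrusted by clients."

      # Beyond the article: no expiry data means no expiry alerts, so alert on
      # the scrape target itself. 'certs_exporter' is the job_name used above.
      - alert: CertExporterDown
        expr: up{job="certs_exporter"} == 0
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "node-cert-exporter is down"
          description: "Prometheus cannot scrape {{ $labels.instance }}; certificate expiry is no longer being monitored."
```

Prometheus only loads this file if it is listed under rule_files in prometheus.yml. After editing it, validate the syntax with promtool check rules /etc/prometheus/alert.rules.yml, then restart Prometheus as in the earlier steps; the firing alerts appear on the Alerts page of the Prometheus interface and are routed by Alertmanager.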
Following the configuration in my previous article on AlertManager, you can receive alerts by mail or Slack, or check firing alerts directly in your Prometheus interface.