惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

S
Secure Thoughts
Security Latest
Security Latest
Simon Willison's Weblog
Simon Willison's Weblog
O
OpenAI News
GbyAI
GbyAI
L
LINUX DO - 最新话题
A
Arctic Wolf
T
Tor Project blog
G
GRAHAM CLULEY
I
InfoQ
博客园_首页
IT之家
IT之家
The Register - Security
The Register - Security
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Proofpoint News Feed
The GitHub Blog
The GitHub Blog
Blog — PlanetScale
Blog — PlanetScale
N
Netflix TechBlog - Medium
K
Kaspersky official blog
博客园 - 三生石上(FineUI控件)
S
SegmentFault 最新的问题
U
Unit 42
PCI Perspectives
PCI Perspectives
量子位
P
Palo Alto Networks Blog
S
Securelist
T
Troy Hunt's Blog
博客园 - 【当耐特】
Recorded Future
Recorded Future
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
S
Security Affairs
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
博客园 - 聂微东
罗磊的独立博客
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
NISL@THU
NISL@THU
C
Cisco Blogs
T
Threatpost
有赞技术团队
有赞技术团队
Forbes - Security
Forbes - Security
Hugging Face - Blog
Hugging Face - Blog
Last Week in AI
Last Week in AI
T
The Exploit Database - CXSecurity.com
Cloudbric
Cloudbric
Cyberwarzone
Cyberwarzone
Google DeepMind News
Google DeepMind News
C
Cyber Attacks, Cyber Crime and Cyber Security

Posts on Razeen`s Blog

Reflections on Management Training: A Technologist's Perspective on the Path to Leadership UPS Multi-Device Protection: Safeguarding Your NAS and Linux Server From Media Center to AI Assistant: My List of 50 Homelab Services Discussing the Reduction of SSL Certificate Validity to 47 Days Deploy Your Own Running Page One Year Review and Cost Analysis of Tesla Model Y Replacing Disqus Comments with Self-hosted Waline Server Migration: Lessons Learned from Swapping Linux Disk Boards Improve Information Sources with RSS (RSShub + Reeder 5) Razeen`s Blog
Use Prometheus and Grafana to Set Up Your Certificate Monitoring Dashboard
2024-09-07 · via Posts on Razeen`s Blog

Recently, I discovered a Grafana Dashboard that can visualize certificate validity, and it works quite well. The configuration is simple, aggregating the validity period, serial number, issuer, and other information of multiple site certificates, making it clear at a glance. I am sharing this blog post with everyone.

SCR-20240908-kpfk

SSL Exporter

As we all know, Prometheus and Grafana cannot directly obtain certificate information. We need to use some Exporters to convert the information into data metrics for Prometheus, and then query it through PromQL to display it in Grafana reports. Here, we need to use the ssl_exporter developed by a great developer.

ssl-exporter can obtain SSL certificates from multiple sources:

  1. TCP: Automatically sniff the protocol and then obtain the certificate. According to the source code, it supports smtp, ftp, imap, postgres, pop3.
  2. HTTPS: This is the certificate of the HTTPS site.
  3. FILE: Obtain the certificate from a local file of ssl-exporter.
  4. HTTP FILE: Obtain the certificate file through a URL.
  5. k8s: Obtain the certificate from the secrets of the kubernetes.io/tls type in k8s.
  6. KubeConfig: Obtain the certificate from the specified kubeconfig file.

After obtaining the SSL certificate, it will be converted into specific metrics (see the official README for details).

The project also provides a dashboard configuration, which can be imported into Grafana for use.

Below is a detailed operation guide.

Configuration

Use docker-compose to quickly start.

  • File docker-compose.yml
services:
  ssl-exporter:
  image: 'ribbybibby/ssl-exporter:latest'
  container_name: ssl-exporter
  restart: always

  prometheus:
  image: 'prom/prometheus:latest'
  restart: always
  container_name: prometheus
  ports:
    - '19090:9090'
  volumes:
    - './prometheus.yml:/etc/prometheus/prometheus.yml'
    - './promwal:/prometheus'

  grafana:
  image: grafana/grafana:latest
  container_name: grafana
  volumes:
    - './grafana/data:/var/lib/grafana'
  ports:
    - '3000:3000'
  restart: always
  • File ./prometheus.yml

    Here is an example of the https and tcp modes. Just change the domain:port in the targets, as shown below with some example sites.

    If you need to obtain certificates from k8s or other services, you can refer to the example configuration in the official documentation.

scrape_configs:
  - job_name: "https"
  metrics_path: /probe
  params:
    module: ["https"] # <-----
  static_configs:
    - targets:
      - razeen.me:443
      - bing.com:443
      - expired.badssl.com:443
      - revoked.badssl.com:443
      - untrusted-root.badssl.com:443
      - self-signed.badssl.com:443
  relabel_configs:
    - source_labels: [__address__]
    target_label: __param_target
    - source_labels: [__param_target]
    target_label: instance
    - target_label: __address__
    replacement: ssl-exporter:9219

  - job_name: "startssl"
  metrics_path: /probe
  static_configs:
    - targets:
      - smtp.qq.com:587
      - smtp.office365.com:587
      - smtp.163.com:587
  relabel_configs:
    - source_labels: [__address__]
    target_label: __param_target
    - source_labels: [__param_target]
    target_label: instance
    - target_label: __address__
    replacement: ssl-exporter:9219 # SSL exporter.

After starting with docker-compose up -d, wait a moment, and you will see all UP in prometheus Status > Targets.

image-20240908110008619

Access Grafana, the initial username and password are both admin. The first login will prompt you to update the password.

  • In Connections > Add new connection, search for prometheus and click to add;
  • Enter Name and URL. Since we are in the same docker network, we can connect directly using the label and port, i.e., http://prometheus:9090

SCR-20240907-uhia-2

Next, import the dashboard.

  • Go to Dashboards and import, select Import a dashboard
  • Copy dashboard.json, paste and Load, then Import

image-20240908112934039

At this point, you can see the dashboard shown at the beginning of the blog.

Summary

Through this dashboard, the certificate information of the site can be conveniently aggregated and displayed. If it expires, it can be seen at a glance. At the same time, if needed, you can set alert rules based on the expiration time metric to achieve certificate expiration notifications.

However, there are some shortcomings. I added some revoked certificates and self-signed sites, which cannot be distinguished here, so it cannot be relied upon for very professional monitoring. For professional management and monitoring, you can try CertCloud.