From 82bb799f5f68154a32c48c3207a5e50a7acc41da Mon Sep 17 00:00:00 2001
From: Tobias
Date: Tue, 3 Dec 2024 13:19:16 +0100
Subject: [PATCH] Document difference between `ssl_expiry` metrics

blackbox-exporter currently offers two metrics to measure when TLS Certificates will expire. The difference between them is very subtle, but using `probe_ssl_earliest_cert_expiry` for checking whether a certificate is due to replacement can lead to false positive alerts. This documents the difference between those two. Generally `probe_ssl_last_chain_expiry_timestamp_seconds` seems to be what most people would want to use.
Signed-off-by: Tobias Guggenmos
---
 prober/prober.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/prober/prober.go b/prober/prober.go
index 5988c0327..f77440fa6 100644
--- a/prober/prober.go
+++ b/prober/prober.go
@@ -25,8 +25,8 @@ import (
 type ProbeFn func(ctx context.Context, target string, config config.Module, registry *prometheus.Registry, logger *slog.Logger) bool
 
 const (
- helpSSLEarliestCertExpiry = "Returns last SSL chain expiry in unixtime"
- helpSSLChainExpiryInTimeStamp = "Returns last SSL chain expiry in timestamp"
+ helpSSLEarliestCertExpiry = "Returns the earliest expiry of any peer certificate returned by the server as an unix timestamp. This can include certificates that are not validated by TLS clients. In rare server configurations this might return a time in the past, even for valid TLS certificate chains."
+ helpSSLChainExpiryInTimeStamp = "Returns the earliest expiry of any validated TLS certificate as an unix timestamp. This indicates the time when connections will start to fail, unless a certificate is renewed."
 helpProbeTLSInfo = "Returns the TLS version used or NaN when unknown"
 helpProbeTLSCipher = "Returns the TLS cipher negotiated during handshake"
 )
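Review bot: Both new help strings read "as an unix timestamp"; "unix" begins with a consonant sound, so it should be `as a unix timestamp` in the helpSSLEarliestCertExpiry and helpSSLChainExpiryInTimeStamp lines. The wording "the earliest expiry of any validated TLS certificate" for helpSSLChainExpiryInTimeStamp also looks narrower than the metric name suggests: if, as "last chain expiry" implies, the value is the latest expiry among the verified chains (each chain taken at its earliest-expiring certificate), then with several verified chains a validated certificate may expire before the reported time while connections keep working. That is exactly the property the commit message relies on to avoid false-positive alerts, so the help text should state it, e.g. `"Returns the expiry of the longest-lived validated TLS certificate chain, i.e. the earliest certificate expiry within that chain, as a unix timestamp. This indicates the time when connections will start to fail, unless a certificate is renewed."`. The code that computes the value is outside this hunk, so the exact semantics should be confirmed against it before the string is finalized.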