Monitor SSL/TLS Certificate Expiry with Prometheus and Grafana


In this tutorial, you will learn how to monitor SSL/TLS certificate expiry with Prometheus and Grafana. Assuming you are already aware of the implications of an expired SSL/TLS certificate, we will discuss how to monitor SSL/TLS certificates so that you can renew them before they expire.


Note that in this setup we are using a single node hosting Telegraf (to poll certificate stats), Prometheus and Grafana.

Install and setup Grafana

You can use any of the guides below, or any other guide, to install and set up Grafana;

Install latest Grafana on Debian 10

Install Latest Grafana on CentOS 8

Install and Setup Prometheus Server

Similarly, you can use any of the guides below, or any other guide, to install and set up Prometheus;

Install and Setup Prometheus on Ubuntu 20.04

Install and Configure Prometheus on CentOS 8

Install Prometheus on Debian 10

Install and setup Telegraf

Telegraf is a plugin-driven server agent that is used for collecting and sending metrics and events from databases, systems, and IoT sensors.

Through its x509_cert input plugin, Telegraf provides statistics about X.509 certificates that are accessible either as a local file or over a network connection. These statistics can be exposed to Prometheus and then visualized using Grafana.

Before you can install Telegraf, ensure that the time is correctly set. Telegraf uses a host’s local time in UTC to assign timestamps to data. Use the Network Time Protocol (NTP) to synchronize time between hosts; if hosts’ clocks aren’t synchronized with NTP, the timestamps on the data can be inaccurate.

In our setup, we are using a Debian system, hence you can install Telegraf as follows;

wget -qO- https://repos.influxdata.com/influxdb.key | sudo apt-key add -
echo "deb https://repos.influxdata.com/debian buster stable" | sudo tee /etc/apt/sources.list.d/influxdb.list
apt update
apt install telegraf

Configuring Telegraf

Once Telegraf is installed and running, configure it to enable Prometheus to scrape metrics from it;

vim
# # Configuration for the Prometheus client to spawn
 [[outputs.prometheus_client]]
#   ## Address to listen on
   listen = "192.168.59.12:9273"
   metric_version = 2

Next, configure Telegraf to poll SSL certificate metrics, either from a local file or over a network connection. In the block below, insecure_skip_verify = true lets the plugin complete the TLS handshake and report on a certificate even when it is expired, self-signed or otherwise fails chain validation, which is what you want from a monitor whose job is to notice exactly those conditions.

# # Reads metrics from a SSL certificate
 [[inputs.x509_cert]]
#   ## List certificate sources
#   sources = ["/etc/ssl/certs/ssl-cert-snakeoil.pem", "tcp://example.org:443"]
   sources = ["https://kifarunix-demo.com:443"]
   insecure_skip_verify = true

You can disable the default input plugins (cpu, disk, diskio, kernel, mem, processes, swap and system) by commenting them out.

Save and exit the configuration file.

The x509 certificate input plugin metrics include;

  • x509_cert
    • tags:
      • source – source of the certificate
      • organization
      • organizational_unit
      • country
      • province
      • locality
      • verification
      • serial_number
      • signature_algorithm
      • public_key_algorithm
      • issuer_common_name
      • issuer_serial_number
      • san
    • fields:
      • verification_code (int)
      • verification_error (string)
      • expiry (int, seconds)
      • age (int, seconds)
      • startdate (int, seconds)
      • enddate (int, seconds)

Restart Telegraf;

systemctl restart telegraf

Add Telegraf Target to Prometheus

For Prometheus to be able to scrape the SSL certificate metrics collected by Telegraf, open the prometheus.yml configuration and add the target like so;

  - job_name: 'SSL/TLS Certs'
    static_configs:
    - targets: ['192.168.59.12:9273']

See my configuration file below.

vim /etc/prometheus/prometheus.yml
# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
    - targets: ['localhost:9090']

  - job_name: 'SSL/TLS Certs'
    static_configs:
    - targets: ['192.168.59.12:9273']

Save and exit the file.

Restart Prometheus;

systemctl restart prometheus

Verify the status of Prometheus Target

You can check the status of the Telegraf target in Prometheus;


Also, check that Prometheus returns the x509_* metrics when you query them.


Run the x509_cert_expiry query and filter out the series you do not need. The expiry query we used, x509_cert_expiry{san!=""}, keeps only the series whose san label is non-empty.
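To make the metric semantics concrete, here is an added example (not code from the original article or from Telegraf) that parses a constructed sample of the Prometheus text output that Telegraf's prometheus_client plugin exposes with metric_version = 2, applies the same san!="" filter as the query above, converts the expiry field (seconds) to days, and colours each certificate with the 864000-second (10-day) and 2592000-second (30-day) thresholds used by the dashboard JSON further down the page. The sample metric lines, host names and values are all made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of Telegraf prometheus_client output (metric_version = 2)
# for the x509_cert input. Hosts and values are invented for this example.
SAMPLE_EXPOSITION = """\
# HELP x509_cert_expiry Telegraf collected metric
# TYPE x509_cert_expiry untyped
x509_cert_expiry{common_name="kifarunix-demo.com",host="monitor",san="kifarunix-demo.com,www.kifarunix-demo.com",source="https://kifarunix-demo.com:443"} 5.184e+06
x509_cert_expiry{common_name="old.example.test",host="monitor",san="",source="/etc/ssl/certs/old.pem"} 432000
x509_cert_expiry{common_name="soon.example.test",host="monitor",san="soon.example.test",source="tcp://soon.example.test:443"} 604800
x509_cert_expiry{common_name="expired.example.test",host="monitor",san="expired.example.test",source="tcp://expired.example.test:443"} -86400
x509_cert_age{common_name="kifarunix-demo.com",host="monitor",san="kifarunix-demo.com",source="https://kifarunix-demo.com:443"} 2.592e+06
"""

# Threshold steps (seconds) taken from the dashboard JSON on this page:
# red below 10 days, orange from 10 days, green from 30 days onward.
ORANGE_AT = 864000   # 10 days
GREEN_AT = 2592000   # 30 days

LINE_RE = re.compile(
    r'^(?P<name>[A-Za-z_:][A-Za-z0-9_:]*)(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
LABEL_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def _unescape(value: str) -> str:
    """Undo the escaping the exposition format applies inside label values."""
    return re.sub(r'\\(["\\n])',
                  lambda m: {'"': '"', '\\': '\\', 'n': '\n'}[m.group(1)],
                  value)


def parse_exposition(text: str) -> List[Tuple[str, Dict[str, str], float]]:
    """Parse Prometheus text exposition into (metric name, labels, value) samples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments, HELP and TYPE lines carry no samples
        m = LINE_RE.match(line)
        if not m:
            continue
        labels = {k: _unescape(v) for k, v in LABEL_RE.findall(m.group("labels") or "")}
        samples.append((m.group("name"), labels, float(m.group("value"))))
    return samples


def select_expiry(samples, require_san: bool = True):
    """Equivalent of the PromQL query x509_cert_expiry{san!=""}."""
    chosen = []
    for name, labels, value in samples:
        if name != "x509_cert_expiry":
            continue
        if require_san and labels.get("san", "") == "":
            continue
        chosen.append((labels, value))
    return chosen


def classify(expiry_seconds: float) -> str:
    """Apply the dashboard's absolute threshold steps (value >= step wins)."""
    if expiry_seconds >= GREEN_AT:
        return "green"
    if expiry_seconds >= ORANGE_AT:
        return "orange"
    return "red"  # includes negative values, i.e. already-expired certificates


def expiry_report(text: str) -> List[Dict[str, object]]:
    """Build a table like the dashboard panel: one row per certificate, soonest first."""
    rows = []
    for labels, secs in select_expiry(parse_exposition(text)):
        rows.append({
            "source": labels.get("source", ""),
            "common_name": labels.get("common_name", ""),
            "days_left": round(secs / 86400, 2),
            "status": classify(secs),
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


if __name__ == "__main__":
    for row in expiry_report(SAMPLE_EXPOSITION):
        print(f'{row["status"]:6} {row["days_left"]:>8} days  {row["common_name"]}  ({row["source"]})')
```

The san!="" filter drops the file-based certificate in the sample, mirroring what the query does in Prometheus, and the negative expiry of the already-expired certificate sorts to the top and lands in the red band, which is the case the dashboard exists to catch.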


Integrate Prometheus with Grafana For Monitoring

You can now integrate Prometheus with Grafana by adding Prometheus as a data source in Grafana. Check the link below;

Integrate Prometheus with Grafana For Monitoring

The Data sources page, once you have added the Prometheus data source:


Once you have integrated Prometheus with Grafana, you can proceed to build a dashboard that visualizes the certificate metrics Prometheus scrapes from Telegraf.

Create SSL Certificate Expiry Dashboard

On the left menu panel, click the + (plus sign) > Dashboard > Add an empty panel.

Sample Mock Dashboard;


Save the dashboard once you are done setting it up.


Here is the sample JSON file for my dashboard above;

{
  "annotations": {
    "list": [
      {
        "builtIn": 1,
        "datasource": "-- Grafana --",
        "enable": true,
        "hide": true,
        "iconColor": "rgba(0, 211, 255, 1)",
        "name": "Annotations & Alerts",
        "type": "dashboard"
      }
    ]
  },
  "editable": true,
  "gnetId": null,
  "graphTooltip": 0,
  "id": 2,
  "links": [],
  "panels": [
    {
      "datasource": null,
      "description": "",
      "fieldConfig": {
        "defaults": {
          "color": {
            "mode": "thresholds"
          },
          "custom": {
            "align": "left",
            "filterable": false
          },
          "mappings": [],
          "thresholds": {
            "mode": "absolute",
            "steps": [
              {
                "color": "green",
                "value": null
              },
              {
                "color": "red",
                "value": 80
              }
            ]
          }
        },
        "overrides": [
          {
            "matcher": {
              "id": "byName",
              "options": "Value #A"
            },
            "properties": [
              {
                "id": "unit",
                "value": "dtdurations"
              },
              {
                "id": "decimals",
                "value": 2
              },
              {
                "id": "custom.displayMode",
                "value": "color-background"
              },
              {
                "id": "displayName",
                "value": "Expiry Date"
              },
              {
                "id": "thresholds",
                "value": {
                  "mode": "absolute",
                  "steps": [
                    {
                      "color": "red",
                      "value": null
                    },
                    {
                      "color": "semi-dark-orange",
                      "value": 864000
                    },
                    {
                      "color": "green",
                      "value": 2592000
                    }
                  ]
                }
              }
            ]
          }
        ]
      },
      "gridPos": {
        "h": 5,
        "w": 11,
        "x": 0,
        "y": 0
      },
      "id": 2,
      "options": {
        "frameIndex": 1,
        "showHeader": true
      },
      "pluginVersion": "7.5.2",
      "targets": [
        {
          "exemplar": true,
          "expr": "x509_cert_expiry{san!=\"\"}",
          "format": "table",
          "instant": true,
          "interval": "",
          "legendFormat": "",
          "refId": "A"
        }
      ],
      "title": "SSL/TLS Certificate Expiry Status",
      "transformations": [
        {
          "id": "merge",
          "options": {}
        },
        {
          "id": "organize",
          "options": {
            "excludeByName": {
              "__name__": true,
              "common_name": false,
              "host": true,
              "instance": true,
              "issuer_common_name": true,
              "job": true,
              "public_key_algorithm": true,
              "san": true,
              "serial_number": true,
              "signature_algorithm": true,
              "verification": true,
              "verification_error": true
            },
            "indexByName": {},
            "renameByName": {}
          }
        }
      ],
      "type": "table"
    }
  ],
  "schemaVersion": 27,
  "style": "dark",
  "tags": [],
  "templating": {
    "list": []
  },
  "time": {
    "from": "now-6h",
    "to": "now"
  },
  "timepicker": {},
  "timezone": "",
  "title": "SSL/TLS Certificate Expiry Status",
  "uid": "nRouqJ_Gk",
  "version": 1
}

And that is how you can easily monitor SSL/TLS certificate expiry with Prometheus and Grafana.

For any improvements, drop in the comments section.


2 COMMENTS

  1. Hi,
    the article is really nice. I was wondering if it is possible to configure alerts to get an email if a certificate is going to expire. I did not find the way to do that.

    Thank you very much.
