Monitoring Certyfikatów SSL z Prometheus i Grafana
SSL
Monitoring
Prometheus
Grafana
DevOps
Observability
Monitoring certyfikatów SSL/TLS to kluczowy element observability stack. W tym przewodniku pokażemy jak zintegrować monitoring certyfikatów z Prometheus i Grafana dla pełnej widoczności i proaktywnych alertów.
Architektura Monitoringu
[Endpoints] → [Exporters] → [Prometheus] → [Grafana]
↓
[Alertmanager]
SSL/TLS Exporters dla Prometheus
1. ssl_exporter
Najbardziej popularny exporter SSL/TLS.
Instalacja:
# Binary release
wget https://github.com/ribbybibby/ssl_exporter/releases/download/v2.4.2/ssl_exporter-2.4.2.linux-amd64.tar.gz
tar xvf ssl_exporter-2.4.2.linux-amd64.tar.gz
sudo mv ssl_exporter /usr/local/bin/
# Service
sudo cat > /etc/systemd/system/ssl_exporter.service <<EOFS
[Unit]
Description=SSL Exporter
After=network.target
[Service]
Type=simple
User=prometheus
ExecStart=/usr/local/bin/ssl_exporter \
--web.listen-address=:9219 \
--web.metrics-path=/metrics
[Install]
WantedBy=multi-user.target
EOFS
sudo systemctl daemon-reload
sudo systemctl enable ssl_exporter
sudo systemctl start ssl_exporter
Konfiguracja Prometheus:
# prometheus.yml
scrape_configs:
- job_name: 'ssl'
metrics_path: /probe
static_configs:
- targets:
- example.com:443
- api.example.com:443
- www.example.com:443
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: localhost:9219
2. blackbox_exporter
Uniwersalny exporter, może też sprawdzać SSL.
Instalacja:
wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.24.0/blackbox_exporter-0.24.0.linux-amd64.tar.gz
tar xvf blackbox_exporter-0.24.0.linux-amd64.tar.gz
sudo mv blackbox_exporter /usr/local/bin/
Konfiguracja:
# blackbox.yml
modules:
http_2xx:
prober: http
timeout: 5s
http:
valid_status_codes: []
method: GET
fail_if_ssl: false
fail_if_not_ssl: false
tls_config:
insecure_skip_verify: false
ssl_expiry:
prober: tcp
timeout: 5s
tcp:
tls: true
tls_config:
insecure_skip_verify: false
Prometheus config:
scrape_configs:
- job_name: 'blackbox'
metrics_path: /probe
params:
module: [ssl_expiry]
static_configs:
- targets:
- https://example.com
- https://api.example.com
relabel_configs:
- source_labels: [__address__]
target_label: __param_target
- source_labels: [__param_target]
target_label: instance
- target_label: __address__
replacement: localhost:9115
Kluczowe Metryki
ssl_exporter Metrics
# Data wygaśnięcia (timestamp)
ssl_cert_not_after
# Data wydania
ssl_cert_not_before
# Informacje o certyfikacie
ssl_cert_subject_common_name
ssl_cert_issuer_common_name
# Status weryfikacji
ssl_tls_connect_success
ssl_prober_success
# TLS version
ssl_tls_version_info
Obliczanie dni do wygaśnięcia
# Dni do wygaśnięcia
(ssl_cert_not_after - time()) / 86400
# Godziny do wygaśnięcia
(ssl_cert_not_after - time()) / 3600
Prometheus Alerts
Alert Rules
# prometheus-rules.yml
groups:
- name: ssl_certificates
rules:
# Alert 30 dni przed wygaśnięciem
- alert: SSLCertExpiringSoon
expr: (ssl_cert_not_after - time()) / 86400 < 30
for: 24h
labels:
severity: warning
annotations:
summary: "SSL certificate expiring soon for {{ $labels.instance }}"
description: "Certificate for {{ $labels.instance }} expires in {{ $value | humanizeDuration }}"
# Alert 7 dni przed wygaśnięciem
- alert: SSLCertExpiringCritical
expr: (ssl_cert_not_after - time()) / 86400 < 7
for: 1h
labels:
severity: critical
annotations:
summary: "SSL certificate expiring CRITICAL for {{ $labels.instance }}"
description: "Certificate expires in {{ $value }} days!"
# Certyfikat wygasł
- alert: SSLCertExpired
expr: ssl_cert_not_after - time() < 0
labels:
severity: critical
annotations:
summary: "SSL certificate EXPIRED for {{ $labels.instance }}"
description: "Certificate has expired!"
# Probe failed
- alert: SSLProbeFailed
expr: ssl_prober_success == 0
for: 5m
labels:
severity: critical
annotations:
summary: "SSL probe failed for {{ $labels.instance }}"
description: "Cannot verify SSL certificate"
# Self-signed certificate
- alert: SSLSelfSignedCertificate
expr: ssl_cert_issuer_common_name == ssl_cert_subject_common_name
labels:
severity: warning
annotations:
summary: "Self-signed certificate detected for {{ $labels.instance }}"
Alertmanager Configuration
# alertmanager.yml
global:
resolve_timeout: 5m
route:
group_by: ['alertname', 'cluster']
group_wait: 10s
group_interval: 10s
repeat_interval: 12h
receiver: 'team-ssl'
routes:
- match:
severity: critical
receiver: 'team-ssl-pager'
continue: true
receivers:
- name: 'team-ssl'
email_configs:
- to: '[email protected]'
from: '[email protected]'
smarthost: 'smtp.example.com:587'
slack_configs:
- api_url: 'https://hooks.slack.com/services/YOUR/SLACK/WEBHOOK'
channel: '#ssl-alerts'
title: 'SSL Certificate Alert'
- name: 'team-ssl-pager'
pagerduty_configs:
- service_key: 'YOUR_PAGERDUTY_KEY'
webhook_configs:
- url: 'https://your-webhook.com/alert'
Grafana Dashboards
Dashboard JSON
{
"dashboard": {
"title": "SSL/TLS Certificates",
"panels": [
{
"title": "Days Until Expiry",
"targets": [
{
"expr": "(ssl_cert_not_after - time()) / 86400"
}
],
"type": "graph"
},
{
"title": "Certificates Expiring Soon",
"targets": [
{
"expr": "count((ssl_cert_not_after - time()) / 86400 < 30)"
}
],
"type": "stat"
}
]
}
}
Import Dashboard
- Grafana → Dashboards → Import
- ID: 14662 (SSL/TLS Certificate Dashboard)
- Wybierz Prometheus datasource
- Import
Custom Panels
Panel 1: Certificate Expiry Table
sort_desc((ssl_cert_not_after - time()) / 86400)
Panel 2: Certificate Age
(time() - ssl_cert_not_before) / 86400
Panel 3: TLS Version Distribution
count by (ssl_tls_version) (ssl_tls_version_info)
Docker Compose Stack
version: '3.8'
services:
prometheus:
image: prom/prometheus:latest
volumes:
- ./prometheus.yml:/etc/prometheus/prometheus.yml
- ./rules.yml:/etc/prometheus/rules.yml
- prometheus-data:/prometheus
ports:
- "9090:9090"
command:
- '--config.file=/etc/prometheus/prometheus.yml'
- '--storage.tsdb.path=/prometheus'
ssl_exporter:
image: ribbybibby/ssl-exporter:latest
ports:
- "9219:9219"
command:
- '--web.listen-address=:9219'
grafana:
image: grafana/grafana:latest
environment:
- GF_SECURITY_ADMIN_PASSWORD=admin
volumes:
- grafana-data:/var/lib/grafana
ports:
- "3000:3000"
depends_on:
- prometheus
alertmanager:
image: prom/alertmanager:latest
volumes:
- ./alertmanager.yml:/etc/alertmanager/alertmanager.yml
ports:
- "9093:9093"
volumes:
prometheus-data:
grafana-data:
Kubernetes Deployment
# ssl-exporter-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: ssl-exporter
spec:
replicas: 1
selector:
matchLabels:
app: ssl-exporter
template:
metadata:
labels:
app: ssl-exporter
spec:
containers:
- name: ssl-exporter
image: ribbybibby/ssl-exporter:latest
ports:
- containerPort: 9219
---
apiVersion: v1
kind: Service
metadata:
name: ssl-exporter
labels:
app: ssl-exporter
spec:
ports:
- port: 9219
targetPort: 9219
selector:
app: ssl-exporter
---
# ServiceMonitor for Prometheus Operator
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: ssl-monitoring
spec:
selector:
matchLabels:
app: ssl-exporter
endpoints:
- port: metrics
interval: 60s
path: /probe
params:
target:
- https://example.com
- https://api.example.com
Best Practices
1. Częstotliwość Scrape
# Nie za często - certyfikaty się nie zmieniają co minutę
scrape_interval: 5m # 5 minut wystarczy
scrape_timeout: 10s
2. Grupowanie Alertów
# Grupuj alerty by domain
route:
group_by: ['instance', 'alertname']
group_wait: 30s
group_interval: 5m
3. Retention
# Prometheus
--storage.tsdb.retention.time=90d # 3 miesiące historii
4. High Availability
# Prometheus HA
global:
external_labels:
cluster: 'prod'
replica: 'prometheus-1'
Integracje
Slack
slack_configs:
- api_url: 'https://hooks.slack.com/services/YOUR/WEBHOOK'
channel: '#ssl-alerts'
title: '{{ .GroupLabels.alertname }}'
text: '{{ range .Alerts }}{{ .Annotations.description }}{{ end }}'
PagerDuty
pagerduty_configs:
- service_key: 'YOUR_KEY'
description: '{{ .GroupLabels.alertname }}'
Webhook
webhook_configs:
- url: 'https://your-webhook.com/alert'
send_resolved: true
Troubleshooting
Exporter nie działa
# Check logs
journalctl -u ssl_exporter -f
# Test manually
curl http://localhost:9219/probe?target=example.com:443
Brak metryk w Prometheus
# Check targets
curl http://localhost:9090/api/v1/targets
# Query metrics
curl 'http://localhost:9090/api/v1/query?query=ssl_cert_not_after'
Alerty nie działają
# Check Alertmanager
curl http://localhost:9093/api/v1/status
# Test alert
curl -X POST http://localhost:9093/api/v1/alerts -d '[...]'
Podsumowanie
Integracja monitoringu SSL/TLS z Prometheus i Grafana daje:
- Widoczność - wszystkie certyfikaty w jednym miejscu
- Proaktywność - alerty przed wygaśnięciem
- Historię - tracking zmian certyfikatów
- Automatyzację - integracja z CI/CD
Połącz to z narzędziami jak CrtMgr dla dodatkowo zewnętrznego monitoring i masz kompletny stack observability dla certyfikatów.
You can’t improve what you don’t measure - monitoruj certyfikaty!