[转帖]SSL Certificate Exporter

ssl,certificate,exporter · 浏览次数 : 0

小编点评

**生成内容时需要带简单的排版** **排版说明** * 使用双引号将字符串包括起来。 * 使用单引号将字符串包括起来。 * 使用反引号将字符串引号包含起来。 * 使用\字符将字符串转义。 * 使用\n字符将换行符插入。 * 使用\t字符将制表符插入。 **示例** ```python #字符串拼接 name = "John" + "Doe" #字符串引号 quote = "'Hello world'" #字符串转义 escaped = "\n" #换行符 print("\n") #制表符 print("\t") ``` **排版示例** ```python name = "John" + "Doe" age = 30 country = "USA" print("name:", name) print("age:", age) print("country:", country) ``` **输出** ``` name: John Doe age: 30 country: USA ```

正文

https://github.com/ribbybibby/ssl_exporter

 

Exports metrics for certificates collected from various sources:

The metrics are labelled with fields from the certificate, which allows for informational dashboards and flexible alert routing.

Building

make
./ssl_exporter <flags>

Similarly to the blackbox_exporter, visiting http://localhost:9219/probe?target=example.com:443 will return certificate metrics for example.com. The ssl_probe_success metric indicates if the probe has been successful.

Docker

docker run -p 9219:9219 ribbybibby/ssl-exporter:latest <flags>

Release process

  • Create a release in Github with a semver tag and GH actions will:
    • Add a changelog
    • Upload binaries
    • Build and push a Docker image

Usage

usage: ssl_exporter [<flags>]

Flags:
  -h, --help                     Show context-sensitive help (also try --help-long and
                                 --help-man).
      --web.listen-address=":9219"
                                 Address to listen on for web interface and telemetry.
      --web.metrics-path="/metrics"
                                 Path under which to expose metrics
      --web.probe-path="/probe"  Path under which to expose the probe endpoint
      --config.file=""           SSL exporter configuration file
      --log.level="info"         Only log messages with the given severity or above. Valid
                                 levels: [debug, info, warn, error, fatal]
      --log.format="logger:stderr"
                                 Set the log target and format. Example:
                                 "logger:syslog?appname=bob&local=7" or
                                 "logger:stdout?json=true"
      --version                  Show application version.

Metrics

MetricMeaningLabelsProbers
ssl_cert_not_after The date after which a peer certificate expires. Expressed as a Unix Epoch Time. serial_no, issuer_cn, cn, dnsnames, ips, emails, ou tcp, https
ssl_cert_not_before The date before which a peer certificate is not valid. Expressed as a Unix Epoch Time. serial_no, issuer_cn, cn, dnsnames, ips, emails, ou tcp, https
ssl_file_cert_not_after The date after which a certificate found by the file prober expires. Expressed as a Unix Epoch Time. file, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou file
ssl_file_cert_not_before The date before which a certificate found by the file prober is not valid. Expressed as a Unix Epoch Time. file, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou file
ssl_kubernetes_cert_not_after The date after which a certificate found by the kubernetes prober expires. Expressed as a Unix Epoch Time. namespace, secret, key, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou kubernetes
ssl_kubernetes_cert_not_before The date before which a certificate found by the kubernetes prober is not valid. Expressed as a Unix Epoch Time. namespace, secret, key, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou kubernetes
ssl_kubeconfig_cert_not_after The date after which a certificate found by the kubeconfig prober expires. Expressed as a Unix Epoch Time. kubeconfig, name, type, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou kubeconfig
ssl_kubeconfig_cert_not_before The date before which a certificate found by the kubeconfig prober is not valid. Expressed as a Unix Epoch Time. kubeconfig, name, type, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou kubeconfig
ssl_ocsp_response_next_update The nextUpdate value in the OCSP response. Expressed as a Unix Epoch Time   tcp, https
ssl_ocsp_response_produced_at The producedAt value in the OCSP response. Expressed as a Unix Epoch Time   tcp, https
ssl_ocsp_response_revoked_at The revocationTime value in the OCSP response. Expressed as a Unix Epoch Time   tcp, https
ssl_ocsp_response_status The status in the OCSP response. 0=Good 1=Revoked 2=Unknown   tcp, https
ssl_ocsp_response_stapled Does the connection state contain a stapled OCSP response? Boolean.   tcp, https
ssl_ocsp_response_this_update The thisUpdate value in the OCSP response. Expressed as a Unix Epoch Time   tcp, https
ssl_probe_success Was the probe successful? Boolean.   all
ssl_prober The prober used by the exporter to connect to the target. Boolean. prober all
ssl_tls_version_info The TLS version used. Always 1. version tcp, https
ssl_verified_cert_not_after The date after which a certificate in the verified chain expires. Expressed as a Unix Epoch Time. chain_no, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou tcp, https
ssl_verified_cert_not_before The date before which a certificate in the verified chain is not valid. Expressed as a Unix Epoch Time. chain_no, serial_no, issuer_cn, cn, dnsnames, ips, emails, ou tcp, https

Configuration

TCP

Just like with the blackbox_exporter, you should pass the targets to a single instance of the exporter in a scrape config with a clever bit of relabelling. This allows you to leverage service discovery and keeps configuration centralised to your Prometheus config.

scrape_configs:
  - job_name: "ssl"
    metrics_path: /probe
    static_configs:
      - targets:
          - example.com:443
          - prometheus.io:443
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9219 # SSL exporter.

HTTPS

By default the exporter will make a TCP connection to the target. This will be suitable for most cases but if you want to take advantage of http proxying you can use a HTTPS client by setting the https module parameter:

scrape_configs:
  - job_name: "ssl"
    metrics_path: /probe
    params:
      module: ["https"] # <-----
    static_configs:
      - targets:
          - example.com:443
          - prometheus.io:443
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9219

This will use proxy servers discovered by the environment variables HTTP_PROXYHTTPS_PROXY and ALL_PROXY. Or, you can set the proxy_url option in the module configuration.

The latter takes precedence.

File

The file prober exports ssl_file_cert_not_after and ssl_file_cert_not_before for PEM encoded certificates found in local files.

Files local to the exporter can be scraped by providing them as the target parameter:

curl "localhost:9219/probe?module=file&target=/etc/ssl/cert.pem"

The target parameter supports globbing (as provided by the doublestar package), which allows you to capture multiple files at once:

curl "localhost:9219/probe?module=file&target=/etc/ssl/**/*.pem"

One specific usage of this prober could be to run the exporter as a DaemonSet in Kubernetes and then scrape each instance to check the expiry of certificates on each node:

scrape_configs:
  - job_name: "ssl-kubernetes-file"
    metrics_path: /probe
    params:
      module: ["file"]
      target: ["/etc/kubernetes/**/*.crt"]
    kubernetes_sd_configs:
      - role: node
    relabel_configs:
      - source_labels: [__address__]
        regex: ^(.*):(.*)$
        target_label: __address__
        replacement: ${1}:9219

Kubernetes

The kubernetes prober exports ssl_kubernetes_cert_not_after and ssl_kubernetes_cert_not_before for PEM encoded certificates found in secrets of type kubernetes.io/tls.

Provide the namespace and name of the secret in the form <namespace>/<name> as the target:

curl "localhost:9219/probe?module=kubernetes&target=kube-system/secret-name"

Both the namespace and name portions of the target support glob matching (as provided by the doublestar package):

curl "localhost:9219/probe?module=kubernetes&target=kube-system/*"

curl "localhost:9219/probe?module=kubernetes&target=*/*"

The exporter retrieves credentials and context configuration from the following sources in the following order:

  • The kubeconfig path in the module configuration
  • The $KUBECONFIG environment variable
  • The default configuration file ($HOME/.kube/config)
  • The in-cluster environment, if running in a pod
- job_name: "ssl-kubernetes"
  metrics_path: /probe
  params:
    module: ["kubernetes"]
  static_configs:
   - targets:
      - "test-namespace/nginx-cert"
  relabel_configs:
   - source_labels: [ __address__ ]
     target_label: __param_target
   - source_labels: [ __param_target ]
     target_label: instance
   - target_label: __address__
     replacement: 127.0.0.1:9219

Kubeconfig

The kubeconfig prober exports ssl_kubeconfig_cert_not_after and ssl_kubeconfig_cert_not_before for PEM encoded certificates found in the specified kubeconfig file.

Kubeconfigs local to the exporter can be scraped by providing them as the target parameter:

curl "localhost:9219/probe?module=kubeconfig&target=/etc/kubernetes/admin.conf"

One specific usage of this prober could be to run the exporter as a DaemonSet in Kubernetes and then scrape each instance to check the expiry of certificates on each node:

scrape_configs:
  - job_name: "ssl-kubernetes-kubeconfig"
    metrics_path: /probe
    params:
      module: ["kubeconfig"]
      target: ["/etc/kubernetes/admin.conf"]
    kubernetes_sd_configs:
      - role: node
    relabel_configs:
      - source_labels: [__address__]
        regex: ^(.*):(.*)$
        target_label: __address__
        replacement: ${1}:9219

Configuration file

You can provide further module configuration by providing the path to a configuration file with --config.file. The file is written in yaml format, defined by the schema below.

# The default module to use. If omitted, then the module must be provided by the
# 'module' query parameter
default_module: <string>

# Module configuration
modules: [<module>]

<module>

# The type of probe (https, tcp, file, kubernetes, kubeconfig)
prober: <prober_string>

# The probe target. If set, then the 'target' query parameter is ignored.
# If omitted, then the 'target' query parameter is required.
target: <string>

# How long the probe will wait before giving up.
[ timeout: <duration> ]

# Configuration for TLS
[ tls_config: <tls_config> ]

# The specific probe configuration
[ https: <https_probe> ]
[ tcp: <tcp_probe> ]
[ kubernetes: <kubernetes_probe> ]

<tls_config>

# Disable target certificate validation.
[ insecure_skip_verify: <boolean> | default = false ]

# Configure TLS renegotiation support.
# Valid options: never, once, freely
[ renegotiation: <string> | default = never ]

# The CA cert to use for the targets.
[ ca_file: <filename> ]

# The client cert file for the targets.
[ cert_file: <filename> ]

# The client key file for the targets.
[ key_file: <filename> ]

# Used to verify the hostname for the targets.
[ server_name: <string> ]

<https_probe>

# HTTP proxy server to use to connect to the targets.
[ proxy_url: <string> ]

<tcp_probe>

# Use the STARTTLS command before starting TLS for those protocols that support it (smtp, ftp, imap, pop3, postgres)
[ starttls: <string> ]

<kubernetes_probe>

# The path of a kubeconfig file to configure the probe
[ kubeconfig: <string> ]

Example Queries

Certificates that expire within 7 days:

ssl_cert_not_after - time() < 86400 * 7

Wildcard certificates that are expiring:

ssl_cert_not_after{cn=~"\*.*"} - time() < 86400 * 7

Certificates that expire within 7 days in the verified chain that expires latest:

ssl_verified_cert_not_after{chain_no="0"} - time() < 86400 * 7

Number of certificates presented by the server:

count(ssl_cert_not_after) by (instance)

Identify failed probes:

ssl_probe_success == 0

Peer Certificates vs Verified Chain Certificates

Metrics are exported for the NotAfter and NotBefore fields for peer certificates as well as for the verified chain that is constructed by the client.

The former only includes the certificates that are served explicitly by the target, while the latter can contain multiple chains of trust that are constructed from root certificates held by the client to the target's server certificate.

This has important implications when monitoring certificate expiry.

For instance, it may be the case that ssl_cert_not_after reports that the root certificate served by the target is expiring soon even though clients can form another, much longer lived, chain of trust using another valid root certificate held locally. In this case, you may want to use ssl_verified_cert_not_after to alert on expiry instead, as this will contain the chain that the client actually constructs:

ssl_verified_cert_not_after{chain_no="0"} - time() < 86400 * 7

Each chain is numbered by the exporter in reverse order of expiry, so that chain_no="0" is the chain that will expire the latest. Therefore the query above will only alert when the chain of trust between the exporter and the target is truly nearing expiry.

It's very important to note that a query of this kind only represents the chain of trust between the exporter and the target. Genuine clients may hold different root certs than the exporter and therefore have different verified chains of trust.

Grafana

You can find a simple dashboard here that tracks certificate expiration dates and target connection errors.

与[转帖]SSL Certificate Exporter相似的内容:

[转帖]SSL Certificate Exporter

https://github.com/ribbybibby/ssl_exporter Exports metrics for certificates collected from various sources: TCP probes HTTPS probes PEM files Kubernet

[转帖]忽略证书的方法

在使用wget命令来获取文件的时候,我们可以使用wget命令的 –-no-check-certificate 选项来忽略证书的认证。 那么在执行curl命令是否也可以忽略SSL证书的警告信息呢。当然是有的,我们可以在执行curl 命令的时候,使用 -k 或者 –insecure 选项,来忽略签名认证

[转帖]SSL 配置优化的若干建议

转载自本人博客:https://dev.tail0r.com/ssl-optimization/ 如果你配置SSL只是为了网站的网址前有一把锁的标志,那不如直接送你把锁好了。 别想了,这句话不是哪个安全专家说的,是我说的(逃) 今天写一篇文章记录一下自己 SSL 的配置优化过程。以下设置均为 Ngi

[转帖]SSL数字证书分类DV/OV/EV

SSL证书的分类主要是通过下面两个维度进行分类: 1.根据验证模式分类 根据CA机构对申请者的身份审核范围分为:DV证书、OV证书、EV证书。 1.1.DV证书(域名证书) DV(Domain Validated)证书是最常见的一种证书类型,大多数免费证书都此类证书。CA机构获取CSR证书请求后,从

[转帖]何为SSL证书以及SSL证书的类型都有哪些

http://www.tuidc.com/helpinfo/28573.html 简述: 什么是SSL证书呢?我们都知道目前互联网安全威胁愈演愈烈,各类入侵、劫持事件层出不穷,欺诈、钓鱼网站比比皆是。https加密传输方案在传输层可有效防止他人截获,同时客户端浏 什么是SSL证书呢?我们都知道目前互

[转帖]Python3 ssl模块不可用的问题

https://www.cnblogs.com/minglee/p/9232673.html 编译安装完Python3之后,使用pip来安装python库,发现了如下报错: $ pip install numpy pip is configured with locations that requi

[转帖] 一次SSL握手异常,我发现JDK还有发行版区别

https://www.cnblogs.com/codelogs/p/16633704.html 简介# 最近,我们一个多机房部署的服务,调用方反馈有问题,在调用新加坡机房时正常,而调用印度机房则报SSL握手异常。 排查花了一些时间,同时也积累了一些经验,故记录一下,读完本文,你将了解到如下内容:

[转帖]一次SSL握手异常,我发现JDK还有发行版区别

https://www.cnblogs.com/codelogs/p/16633704.html 原创:扣钉日记(微信公众号ID:codelogs),欢迎分享,转载请保留出处。 简介# 最近,我们一个多机房部署的服务,调用方反馈有问题,在调用新加坡机房时正常,而调用印度机房则报SSL握手异常。 排查

[转帖]jmeter SSL证书相关配置

在实际工作中,我们大多数接口都是用的HTTPS来保证安全,使用jmeter测试HTTPS请求是如何配置证书呢? 1.最简单的方法,在选项里选择SSL管理器,然后选择相应的证书即可 在弹出的选择框选择证书即可,亲测可以使用.p12证书,因为我们公司用的是p12类型证书,当发起HTTPS请求时,如果设置

[转帖]SpringBoot配置SSL 坑点总结【密码验证失败、连接不安全】

文章目录 前言1.证书绑定问题2.证书和密码不匹配3.yaml配置文件问题3.1 解密类型和证书类型是相关的3.2 配置文件参数混淆 后记 前言 在SpringBoot服务中配置ssl,无非就是下载证书设置一下配置文件的问题,这里主要记录我在配置的过程中遇到的坑点。 如果是新手上道的话建议结合其他的