
SC-5230: TLS certificate expiration monitoring

Open budziam opened this issue 1 year ago • 2 comments

This change adds a Prometheus gauge metric days_until_cert_expiring that reports the number of days remaining until a TLS certificate expires. It includes cn and dns_names labels to identify the certificate. This enables alerting and helps prevent outages due to expired certificates.

budziam, Apr 24 '25 12:04

forwarder_days_until_cert_expiring{cn="",dns_names="SL-2096,localhost"} 364.9999920657754

How about rounding down to the next day?

Choraden, Apr 28 '25 07:04

How about we also register the MITM CA cert?

if hp.config.MITM != nil {
	mc, err := newMartianMITMConfig(hp.config.MITM)
	if err != nil {
		return fmt.Errorf("mitm: %w", err)
	}
	if hp.config.MITM.CACertFile == "" {
		hp.log.Infof("using MITM with self-signed CA certificate, sha256 fingerprint=%x", sha256.Sum256(mc.CACert().Raw))
	} else {
		hp.log.Infof("using MITM")
	}
	registerMITMCacheMetrics(hp.config.PromRegistry, hp.config.PromNamespace+"_mitm_", mc.CacheMetrics)
	hp.mitmCACert = mc.CACert()
	...

Choraden, Apr 28 '25 07:04

I added reporting of MITM cert expiration as a part of this PR.

budziam, Apr 28 '25 14:04
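An added example, not code from this PR or from forwarder: one way to derive the gauge value and the cn and dns_names label values from an x509 certificate, applying the round-down suggested in the thread. The helper names certExpiry and selfSigned are hypothetical, the certificate is constructed for the demo, and joining DNS names with a comma is assumed from the sample metric line above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"strings"
	"time"
)

// certExpiry (hypothetical helper, not forwarder's code) returns the label values and
// the whole days until cert.NotAfter, floored; an expired cert gives a negative value.
func certExpiry(cert *x509.Certificate, now time.Time) (cn, dnsNames string, days float64) {
	days = math.Floor(cert.NotAfter.Sub(now).Hours() / 24)
	return cert.Subject.CommonName, strings.Join(cert.DNSNames, ","), days
}

// selfSigned builds a constructed self-signed certificate for the demo.
func selfSigned(cn string, dns []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: notBefore, NotAfter: notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cert, err := selfSigned("", []string{"SL-2096", "localhost"}, now.Add(-time.Hour), now.Add(365*24*time.Hour))
	if err != nil {
		panic(err)
	}
	cn, names, days := certExpiry(cert, now.Add(time.Second))
	fmt.Printf("forwarder_days_until_cert_expiring{cn=%q,dns_names=%q} %v\n", cn, names, days)
}
```

Flooring with math.Floor rather than integer truncation keeps the value moving downward after expiry (a certificate 36 hours past NotAfter reports -2, not -1), so a threshold alert on the gauge continues to fire for expired certificates.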