Daniel Swarbrick

icon indicating a website link https://salsa.debian.org/dswarbrick icon indicating an email [email protected]

icon location Berlin, Germany icon location SRE on sabbatical. Cisco / Juniper network engineer in a former life. Postgres DBA when current life gets a bit too exciting. Debian developer on the side.

Results 298 comments of Daniel Swarbrick

TestGRPCConnection unit test fails

@averzicco Disregard the skipped tests; they were previously patched out due to older grpc build-deps in Debian, unable to support `grpc.WithTransportCredentials(insecure.NewCredentials()))` in the grpc prober code. That has now been...

TestGRPCConnection unit test fails

Putting aside the goroutine panic for a moment, I found out why the _other_ type of test failure occurs, e.g. ``` --- FAIL: TestGRPCConnection (0.00s) grpc_test.go:73: GRPC probe failed ---...

TestGRPCConnection unit test fails

I tracked the strange failure of Go's (and Python's) inability to resolve "localhost" to "::1" on Ubuntu to the lack of an entry for it in /etc/hosts. It seems that...

Cannot find a way to have an alarm on expired certificates

I am not able to reproduce this. With `insecure_skip_verify: true`, a probe against https://expired.badssl.com returns: ``` # HELP probe_dns_lookup_time_seconds Returns the time taken for probe dns lookup in seconds #...

Cannot find a way to have an alarm on expired certificates

`insecure_skip_verify` will have negligible effect on a target that has well-maintained and up to date certificate chain (such as google.com), so cases 3 & 4 are obvious and to be...

Cannot find a way to have an alarm on expired certificates

Incidentally, the `probe_ssl_last_chain_expiry_timestamp_seconds` metric will be meaningless on probes with `insecure_skip_verify: true`, since it is derived from the [tls.ConnectionState](https://pkg.go.dev/crypto/tls#ConnectionState) slice of `VerifiedChains`, which is empty if `Config.InsecureSkipVerify` is true. In...

Cannot find a way to have an alarm on expired certificates

To detect a certificate expiring **_soon_**, it does not matter what `insecure_skip_verify` is set to. Setting `insecure_skip_verify: true` is only necessary when probing a target whose certificate has **_already_** expired,...

Cannot find a way to have an alarm on expired certificates

> I know, but having insecure_skip_verify: true is useless because once set to true there is no way to tell the difference between a certificate expired or not and this...

Cannot find a way to have an alarm on expired certificates

The crux is that you really need to alert for (and resolve) expiring certificates _before_ they expire. Once they have expired, `probe_success` will be zero, and if you are probing...

Add serial label to probe_ssl_last_chain_info metric

Certificate serial numbers are not necessarily unique. Certificates with different subjects could potentially have the same serial number.