Add hostname parameter support to tcp prober

Open topical opened this issue 1 year ago • 1 comments

Host operating system: output of uname -a

FreeBSD prom.xxx 13.1-RELEASE-p3 FreeBSD 13.1-RELEASE-p3 GENERIC amd64

blackbox_exporter version: output of blackbox_exporter --version

blackbox_exporter, version (branch: , revision: ) build user:
build date:
go version: go1.19.2 platform: freebsd/amd64

Installed as FreeBSD port:

blackbox_exporter-0.22.0_3 Name : blackbox_exporter Version : 0.22.0_3

What is the blackbox.yml module config.

modules:
  ssl:
    prober: tcp
    timeout: 5s
    tcp:
      tls: true

What is the prometheus.yml scrape config.

- job_name: ldaps
  metrics_path: /probe
  params:
    module:
    - ssl
  relabel_configs:
  - source_labels:
    - __address__
    target_label: __param_target
  - source_labels:
    - __param_target
    target_label: instance
  - replacement: 127.0.0.1:9115
    target_label: __address__
  static_configs:
  - labels:
      node: dc1
    targets:
    - domain.example.org:636
  - labels:
      node: dc2
    targets:
    - domain.example.org:636

What logging output did you get from adding &debug=true to the probe URL?

# HELP probe_dns_lookup_time_seconds Returns the time taken for probe dns lookup in seconds
# TYPE probe_dns_lookup_time_seconds gauge
probe_dns_lookup_time_seconds 0.000542186
# HELP probe_duration_seconds Returns how long the probe took to complete in seconds
# TYPE probe_duration_seconds gauge
probe_duration_seconds 0.0070028
# HELP probe_failed_due_to_regex Indicates if probe failed due to regex
# TYPE probe_failed_due_to_regex gauge
probe_failed_due_to_regex 0
# HELP probe_ip_addr_hash Specifies the hash of IP address. It's useful to detect if the IP address changes.
# TYPE probe_ip_addr_hash gauge
probe_ip_addr_hash 2.550694076e+09
# HELP probe_ip_protocol Specifies whether probe ip protocol is IP4 or IP6
# TYPE probe_ip_protocol gauge
probe_ip_protocol 6
# HELP probe_ssl_earliest_cert_expiry Returns earliest SSL cert expiry date
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.693942767e+09
# HELP probe_ssl_last_chain_expiry_timestamp_seconds Returns last SSL chain expiry in unixtime
# TYPE probe_ssl_last_chain_expiry_timestamp_seconds gauge
probe_ssl_last_chain_expiry_timestamp_seconds 1.693942767e+09
# HELP probe_ssl_last_chain_info Contains SSL leaf certificate information
# TYPE probe_ssl_last_chain_info gauge
probe_ssl_last_chain_info{fingerprint_sha256="0d4f1e92596770d32e8233a2e9da5fd242f933cffa421b46ccd8ecefde933431"} 1
# HELP probe_success Displays whether or not the probe was a success
# TYPE probe_success gauge
probe_success 1
# HELP probe_tls_version_info Returns the TLS version used, or NaN when unknown
# TYPE probe_tls_version_info gauge
probe_tls_version_info{version="TLS 1.2"} 1

Problem to solve

Each domain controller has its own certificate for Kerberos and ldaps. I need to check each domain controller independently.

The problem is the DNS name: all domain controllers have the same DNS name "domain.example.org". Each controller has its own certificate, but they all share the same name for easy AD failover.

Thus, both target hosts (dc1 and dc2) have the same probe URL:

http://prom.xxxx:9115/probe?module=ssl&target=domain.example.org%3A636&debug=true

So, testing "domain.example.org" means testing an arbitrary domain controller. What I need is to specify the domain controller by IP address.

The http probe supports an additional parameter "hostname", so you can specify

  • target: IP-Address:Port
  • hostname: DNS name (SAN in certificate)

But the tcp probe doesn't support "hostname"!

Specifying only

  • target: IP-Address:Port

always fails, as the certificate of the domain server has no IP address in its SAN. I tried to add the IP to the DC certificate, but the Windows CA does not provide an automatism for that.

Request

Please support "hostname" as a parameter of the tcp prober.

topical, Dec 06 '22 15:12
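The behaviour requested above, as an added Go example that is not part of the original issue and is not blackbox_exporter code: dial a specific IP, but verify the certificate against the shared DNS name. `startDC` and `probe` are hypothetical names, and the loopback server with its self-signed certificate is a constructed stand-in for one domain controller.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// startDC: constructed stand-in for one DC, a loopback TLS listener whose cert has a DNS SAN only.
func startDC(dnsName string) (string, *x509.CertPool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: []string{dnsName}, // no IP SAN, as in the issue
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // self-signed
	if err != nil {
		return "", nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	roots := x509.NewCertPool() // the client trusts exactly this certificate
	roots.AddCert(leaf)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go http.Serve(ln, nil) // only the TLS handshake matters to the probe
	return ln.Addr().String(), roots, nil
}

// probe dials target (IP:port) and verifies the cert against hostname ("" = host part of target).
func probe(target, hostname string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", target, &tls.Config{RootCAs: roots, ServerName: hostname})
	if err == nil {
		conn.Close()
	}
	return err
}

func main() {
	addr, roots, _ := startDC("domain.example.org")
	fmt.Println("IP only:", probe(addr, "", roots), "| IP + hostname:", probe(addr, "domain.example.org", roots))
}
```

The IP-only probe fails hostname verification because the certificate has no IP SAN, while the same connection with the DNS name supplied verifies normally, so certificate checking stays enabled in both cases.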

Check out https://github.com/prometheus/blackbox_exporter/pull/981. We have build artifacts from this PR that you can use and test #981 in your env.

electron0zero, Dec 20 '22 11:12