Feature request: Add PEM encoded certificate data to debug output
Can we add certificate data to debug output for probes that do a TLS handshake? Currently, I have to have a separate process running to gather SSL certificate details from the same endpoints being scraped via blackbox-exporter. This separate process requires duplicative configuration as to how to connect and begin the handshake (i.e. implicit TLS for SMTP). It would be real nice if I could collect the metrics, logs, and cert data all in one go.
An example use case would be gathering prerequisite information and validating endpoint\module configuration before adding an instance to a job. If you have a CMDB you could:
- Scrape the instance immediately to confirm connectivity and module configuration
- Create any certificates returned in the debug scrape as a CI for tracking, renewal, etc.
- Relate the certificate to the endpoints that use it (this relationship is typically to the server, so the specific service(s) that use the cert are unknown without further investigation).
- Create an in-depth strategy for certificate management where you know exactly which servers and services will be impacted and when.
```
Logs for the probe:
ts=2022-02-17T09:46:31.403831228Z caller=main.go:320 module=http_2xx target=https://site.local level=info msg="Beginning probe" probe=http timeout_seconds=5
ts=2022-02-17T09:46:31.403959629Z caller=http.go:335 module=http_2xx target=https://site.local level=info msg="Resolving target address" ip_protocol=ip4
..
..

Remote certificates for the probe:
-----BEGIN CERTIFICATE-----
MIIOOjCCDSKgAwIBAgIQJ9KJmIxSa5AJuFRjBYK8BjANBgkqhkiG9w0BAQsFADBGMQswCQYDVQQG
EwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzETMBEGA1UEAxMKR1RTIENB
..
..
-----END CERTIFICATE-----

Metrics that would have been returned:
# HELP probe_failed_due_to_regex Indicates if probe failed due to regex
# TYPE probe_failed_due_to_regex gauge
probe_failed_due_to_regex 0
''
''
```
To clarify, the certificate dump is useful when you want to collect additional details not available in probe_ssl_last_chain_info.
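
A sketch of the consumer side of the CMDB workflow described above, added here as an example and not code from the requester or from blackbox_exporter. It assumes the debug output carries the section title proposed in this request; `CertCI`, `ExtractCerts` and `sampleDebug` are hypothetical names, and the sample input is constructed at run time from a throwaway self-signed certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// certHdr is the section title proposed in this request (assumed, not known exporter output).
const certHdr = "Remote certificates for the probe:"

// CertCI holds what a CMDB could record per certificate (hypothetical type).
type CertCI struct {
	SHA256, Serial string
	DNSNames       []string
	NotAfter       time.Time
}

// ExtractCerts parses each PEM block after certHdr; output without the section yields nil.
func ExtractCerts(debug string) ([]CertCI, error) {
	_, sec, _ := strings.Cut(debug, certHdr)
	var out []CertCI
	for b, rest := pem.Decode([]byte(sec)); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return out, err // corrupt or non-certificate block
		}
		fp := fmt.Sprintf("%x", sha256.Sum256(c.Raw)) // fingerprint of the DER bytes
		out = append(out, CertCI{fp, c.SerialNumber.String(), c.DNSNames, c.NotAfter})
	}
	return out, nil
}

// sampleDebug returns constructed debug output around a throwaway self-signed certificate.
func sampleDebug() string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(42), DNSNames: []string{"site.local"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return "Logs for the probe:\n..\n" + certHdr + "\n" +
		string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})) +
		"Metrics that would have been returned:\n"
}

func main() { fmt.Println(ExtractCerts(sampleDebug())) }
```

Keying the CI on the SHA-256 of the DER bytes lets the same certificate seen on several endpoints resolve to one record, with each endpoint related to it.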