
When Good Certificates Go Bad: Monitoring for Expired TLS Certificates

What's this blog post about?

Transport Layer Security (TLS) is crucial for secure internet transactions. Mux developed an open-source tool, certificate-expiry-monitor, that uses the Kubernetes API to discover servers using TLS certificates and emits Prometheus metrics with the expiration times of the certificates installed on each server. This helps alert operators when certificates are not being renewed automatically, preventing service unavailability due to expired certificates. The tool was built in Go and can be configured with key options such as polling interval, Kubernetes namespace, labels, and domains to monitor. It generates Prometheus metrics for each pod and domain combination, indicating the time-to-expiry, time-since-issued, and certificate status. The tool has been integrated into Mux's infrastructure with a Grafana dashboard for monitoring and Prometheus alerting rules that warn when certificates are nearing expiry or have expired.

Company
Mux

Date published
May 16, 2019

Author(s)
Scott Kidder

Word count
992

Language
English

Hacker News points
None found.


By Matt Makai. 2021-2024.