When Good Certificates Go Bad: Monitoring for Expired TLS Certificates
Transport Layer Security (TLS) is crucial for secure internet transactions. Mux developed an open-source certificate-expiry-monitor tool that uses the Kubernetes API to discover servers using TLS certificates and emits Prometheus metrics with expiration times for the certificates installed on each server. This makes it possible to alert when certificates are not being renewed automatically, preventing service unavailability due to expired certificates. The certificate-expiry-monitor tool was built in Go and can be configured with key options such as polling interval, Kubernetes namespace, labels, and domains to monitor. It generates Prometheus metrics for each pod + domain combination, indicating the time-to-expiry, time-since-issued, and certificate status. The tool has been integrated into Mux's infrastructure with a Grafana dashboard for monitoring and Prometheus alerting rules that warn when certificates are nearing expiry or have expired.
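The core of such a monitor is small: fetch the leaf certificate a server presents, compute time-to-expiry and time-since-issued from its NotBefore/NotAfter fields, and expose those as labelled gauges. The following Go program is an added example written for this summary; it is not Mux's certificate-expiry-monitor code, and the metric names, status values, `warnWindow` parameter and Kubernetes-free discovery (a single address instead of pod listing) are this example's own assumptions. It generates a throwaway self-signed certificate so the metric logic runs offline, and the handshake helper deliberately skips verification because a monitor has to be able to observe an already-expired certificate in order to report it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// CertMetrics holds the three per-certificate values the summary describes.
// Field and status names are this example's own choices, not the tool's.
type CertMetrics struct {
	SecondsToExpiry    float64 // negative once the certificate has expired
	SecondsSinceIssued float64 // negative if NotBefore is still in the future
	Status             string  // "valid", "expiring_soon", "expired" or "not_yet_valid"
}

// ComputeCertMetrics derives the metrics for a parsed leaf certificate as of now.
// warnWindow (hypothetical knob) is how far ahead of NotAfter the status flips to "expiring_soon".
func ComputeCertMetrics(cert *x509.Certificate, now time.Time, warnWindow time.Duration) CertMetrics {
	m := CertMetrics{
		SecondsToExpiry:    cert.NotAfter.Sub(now).Seconds(),
		SecondsSinceIssued: now.Sub(cert.NotBefore).Seconds(),
	}
	switch {
	case now.Before(cert.NotBefore):
		m.Status = "not_yet_valid"
	case !now.Before(cert.NotAfter): // NotAfter itself already counts as expired
		m.Status = "expired"
	case cert.NotAfter.Sub(now) <= warnWindow:
		m.Status = "expiring_soon"
	default:
		m.Status = "valid"
	}
	return m
}

// PrometheusExposition renders the metrics in Prometheus text format, labelled by pod and
// domain. Status is a one-hot gauge per state so an alert rule can match on it directly.
func PrometheusExposition(pod, domain string, m CertMetrics) string {
	var b strings.Builder
	f := func(v float64) string { return strconv.FormatFloat(v, 'f', -1, 64) }
	fmt.Fprintf(&b, "# TYPE tls_certificate_seconds_to_expiry gauge\n")
	fmt.Fprintf(&b, "tls_certificate_seconds_to_expiry{pod=%q,domain=%q} %s\n", pod, domain, f(m.SecondsToExpiry))
	fmt.Fprintf(&b, "# TYPE tls_certificate_seconds_since_issued gauge\n")
	fmt.Fprintf(&b, "tls_certificate_seconds_since_issued{pod=%q,domain=%q} %s\n", pod, domain, f(m.SecondsSinceIssued))
	fmt.Fprintf(&b, "# TYPE tls_certificate_status gauge\n")
	for _, s := range []string{"valid", "expiring_soon", "expired", "not_yet_valid"} {
		v := 0.0
		if s == m.Status {
			v = 1
		}
		fmt.Fprintf(&b, "tls_certificate_status{pod=%q,domain=%q,status=%q} %s\n", pod, domain, s, f(v))
	}
	return b.String()
}

// LeafCertFromServer handshakes with addr and returns the leaf certificate it presented.
// Verification is skipped on purpose: validity is judged by ComputeCertMetrics, and a
// verifying handshake would refuse exactly the expired certificates we want to report.
func LeafCertFromServer(addr, serverName string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, errors.New("server presented no certificate")
	}
	return certs[0], nil
}

// NewSelfSignedCert builds a throwaway certificate with the given validity window so the
// metric logic can be exercised offline (constructed test input, not a real deployment).
func NewSelfSignedCert(domain string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: domain},
		DNSNames:     []string{domain},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed scenario: a 90-day certificate observed 80 days in, with a 14-day warning window.
	issued := time.Date(2019, 5, 1, 0, 0, 0, 0, time.UTC)
	cert, err := NewSelfSignedCert("example.com", issued, issued.Add(90*24*time.Hour))
	if err != nil {
		panic(err)
	}
	m := ComputeCertMetrics(cert, issued.Add(80*24*time.Hour), 14*24*time.Hour)
	fmt.Print(PrometheusExposition("api-7d9f", "example.com", m))
}
```

In a real deployment the pod list would come from the Kubernetes API and `LeafCertFromServer` would be called per pod + domain on each polling interval; the `expiring_soon` and `expired` status gauges are the natural targets for the warning and critical alert rules the summary mentions.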
Company: Mux
Date published: May 16, 2019
Author(s): Scott Kidder
Word count: 992
Language: English
Hacker News points: None found.