SSL Certificate Expiry Monitoring
I. Environment
1. Data collection:
Exporter: blackbox_exporter
Version: 0.22.0
Exporter download: https://prometheus.io/download/#blackbox_exporter
2. Data storage:
Application: Prometheus
Version: 2.37.0
3. Data visualization:
Application: Grafana
Version: 9.0.3
Dashboards: https://grafana.com/grafana/dashboards/
Dashboard ID (SSL certificate monitoring): 13230
II. Deploy the Exporter
2.1 Configure blackbox_exporter
1. Download blackbox_exporter and upload it to the server
2. Extract blackbox_exporter
tar xzf blackbox_exporter-0.22.0.linux-amd64.tar.gz -C /home/data/prometheus/exporters/
cd /home/data/prometheus/exporters/
mv blackbox_exporter-0.22.0.linux-amd64 blackbox_exporter
3. Edit the configuration file
blackbox_exporter works through modules. If you only need the SSL certificate expiry time, it can be deployed on any node.
cd /home/data/prometheus/exporters/blackbox_exporter
vim blackbox.yml # enable the http_2xx module
modules:
  http_2xx:
    prober: http
    timeout: 30s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2"]
      valid_status_codes: [200]
      method: GET
      preferred_ip_protocol: "ip4"
4. Manage the service with systemd
vim /usr/lib/systemd/system/blackbox_exporter.service
[Unit]
Description=blackbox_exporter
After=network.target
[Service]
User=prometheus
Group=prometheus
WorkingDirectory=/home/data/prometheus/exporters/blackbox_exporter
ExecStart=/home/data/prometheus/exporters/blackbox_exporter/blackbox_exporter
[Install]
WantedBy=multi-user.target
5. Start blackbox_exporter
systemctl daemon-reload
systemctl start blackbox_exporter.service
systemctl enable blackbox_exporter.service
systemctl status blackbox_exporter.service
2.2 Configure Prometheus
1. Edit the configuration file
vim /home/data/prometheus/etc/prometheus.yml
...
...
  - job_name: 'blackbox_http_2xx'
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
          - https://blog.rabcnops.cn
          - https://www.baidu.com
          # ...
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 192.168.56.141:9115
...
...
2. Restart Prometheus
systemctl restart prometheus
2.3 Grafana dashboard
1. Import dashboard template: 13230
III. Alert Rules
1. Write the alert rules
vim /home/data/prometheus/rules/ssl_cert_alerts.yml
groups:
  - name: "SSL证书过期提醒"
    rules:
      - alert: "证书过期时间<30天"
        # The job label must match the job_name defined in prometheus.yml, otherwise the expression selects no series
        expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 30
        for: 0s
        labels:
          severity: "提示"
        annotations:
          summary: "{{ $labels.instance }} SSL 证书将在30天后过期,请注意及时续费!"
          description: "{{ $labels.instance }} SSL 证书将在30天后过期,请注意及时续费!"
      - alert: "证书过期时间<7天"
        expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 7
        for: 0s
        labels:
          severity: "告警"
        annotations:
          summary: "{{ $labels.instance }} SSL 证书将在7天后过期,请注意及时续费!"
          description: "{{ $labels.instance }} SSL 证书将在7天后过期,请注意及时续费!"
      - alert: "证书过期时间<1天"
        expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 1
        for: 0s
        labels:
          severity: "灾难"
        annotations:
          summary: "{{ $labels.instance }} SSL 证书将在1天后过期,请注意及时续费!"
          description: "{{ $labels.instance }} SSL 证书将在1天后过期,请注意及时续费!"
Then restart Prometheus.
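To check offline what the three rules above would report for a given probe result, the following added example (not part of the original post) parses the text returned by the exporter's /probe endpoint and applies the same 30/7/1-day thresholds. The function names and sample outputs are constructed for illustration; it also covers the case where the probe fails and the expiry metric is absent, which the rules above cannot detect.

```python
import re

# Thresholds and severity labels from the alert rules above, strictest first.
# In Prometheus the rules overlap (a cert under 1 day fires all three alerts);
# this helper reports only the most severe matching tier.
TIERS = [(1, "灾难"), (7, "告警"), (30, "提示")]
SAMPLE_RE = re.compile(r"^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{[^}]*\})?\s+(\S+)")

def parse_probe(text):
    """Parse Prometheus text exposition output into {metric_name: float}."""
    metrics = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blank lines and HELP/TYPE
            continue
        m = SAMPLE_RE.match(line)
        if m:
            metrics[m.group(1)] = float(m.group(2))
    return metrics

def classify(text, now):
    """Return (state, days_left) for one probe result at Unix time `now`."""
    metrics = parse_probe(text)
    expiry = metrics.get("probe_ssl_earliest_cert_expiry")
    if metrics.get("probe_success") != 1 or expiry is None:
        # With no expiry series, `expiry - time() < N` returns no samples,
        # so none of the three rules can fire for this target.
        return ("PROBE_FAILED", None)
    days_left = (expiry - now) / 86400
    for limit, severity in TIERS:
        if days_left < limit:
            return (severity, days_left)
    return ("OK", days_left)

# Constructed sample outputs (not captured from a real exporter).
NOW = 1_700_000_000
HEALTHY = """# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.7052e+09
probe_success 1
"""
EXPIRING = "probe_ssl_earliest_cert_expiry 1.7004e+09\nprobe_success 1\n"
HANDSHAKE_FAILED = "probe_http_ssl 0\nprobe_success 0\n"

if __name__ == "__main__":
    for name, sample in [("healthy", HEALTHY), ("expiring", EXPIRING),
                         ("failed", HANDSHAKE_FAILED)]:
        print(name, classify(sample, NOW))
```

The PROBE_FAILED branch marks the gap to close with a separate alert on probe_success == 0, since an unreachable endpoint or failed TLS handshake leaves the expiry rules silent.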
2. Configure Alertmanager
PrometheusAlert is used here as the unified message-push service.
git: https://github.com/feiyu563/PrometheusAlert