SSL Certificate Expiry Monitoring

I. Environment

1. Data collection:

Exporter: blackbox_exporter

Version: 0.22.0

Exporter download: https://prometheus.io/download/#blackbox_exporter

2. Data storage:

Application: Prometheus

Version: 2.37.0

3. Data visualization:

Application: Grafana

Version: 9.0.3

Dashboards: https://grafana.com/grafana/dashboards/

Dashboard ID (SSL certificate monitoring): 13230

II. Deploying the Exporter

2.1 Configuring blackbox_exporter

1. Download blackbox_exporter and upload it to the server

2. Extract blackbox_exporter

tar xzf blackbox_exporter-0.22.0.linux-amd64.tar.gz -C /home/data/prometheus/exporters/
cd /home/data/prometheus/exporters/
mv blackbox_exporter-0.22.0.linux-amd64 blackbox_exporter

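3. Edit the configuration file

blackbox_exporter works on a per-module basis. If you only need to obtain the SSL certificate expiry time, it can be deployed on any node.

cd /home/data/prometheus/exporters/blackbox_exporter
vim blackbox.yml  # enable the http_2xx module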

modules:
  http_2xx:
    prober: http
    timeout: 30s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2"]
      valid_status_codes: [200]
      method: GET
      preferred_ip_protocol: "ip4"

4. Manage the service with systemd

vim /usr/lib/systemd/system/blackbox_exporter.service
[Unit]
Description=blackbox_exporter
After=network.target

[Service]
User=prometheus
Group=prometheus
WorkingDirectory=/home/data/prometheus/exporters/blackbox_exporter
ExecStart=/home/data/prometheus/exporters/blackbox_exporter/blackbox_exporter

[Install]
WantedBy=multi-user.target

5. Start blackbox_exporter

systemctl daemon-reload
systemctl start blackbox_exporter.service
systemctl enable blackbox_exporter.service
systemctl status blackbox_exporter.service

2.2 Configuring Prometheus

1. Edit the configuration file

vim /home/data/prometheus/etc/prometheus.yml

...
...
  - job_name: 'blackbox_http_2xx'
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
        - https://blog.rabcnops.cn
        - https://www.baidu.com
        ...
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 192.168.56.141:9115
...
...

2. Restart Prometheus

systemctl restart prometheus

2.3 Grafana dashboard

1. Import dashboard template: 13230

III. Alert rules

1. Write the alert rules

vim /home/data/prometheus/rules/ssl_cert_alerts.yml

groups:
- name: "SSL证书过期提醒"
  rules:
  - alert: "证书过期时间<30天"
    expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 30
    for: 0s
    labels:
      severity: "提示"
    annotations:
      summary: "{{ $labels.instance }} SSL 证书将在30天后过期,请注意及时续费!"
      description: "{{ $labels.instance }} SSL 证书将在30天后过期,请注意及时续费!"
  - alert: "证书过期时间<7天"
    expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 7
    for: 0s
    labels:
      severity: "告警"
    annotations:
      summary: "{{ $labels.instance }} SSL 证书将在7天后过期,请注意及时续费!"
      description: "{{ $labels.instance }} SSL 证书将在7天后过期,请注意及时续费!"
  - alert: "证书过期时间<1天"
    expr: probe_ssl_earliest_cert_expiry{job="blackbox_http_2xx"} - time() < 86400 * 1
    for: 0s
    labels:
      severity: "灾难"
    annotations:
      summary: "{{ $labels.instance }} SSL 证书将在1天后过期,请注意及时续费!"
      description: "{{ $labels.instance }} SSL 证书将在1天后过期,请注意及时续费!"

Then restart Prometheus
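The three rules above compare probe_ssl_earliest_cert_expiry - time() against 30, 7 and 1 days. The following Python sketch is an added example, not part of the original article: it evaluates the same comparisons on a constructed sample of /probe output, showing that the tiers overlap and that a missing metric produces no alert at all. The function names and sample values are assumptions.

```python
import re

# Constructed sample of blackbox_exporter /probe output (not captured from a real host).
SAMPLE_PROBE_OUTPUT = """\
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.7005e+09
# TYPE probe_success gauge
probe_success 1
"""

# Same day thresholds and severity label values as the three rules in ssl_cert_alerts.yml.
THRESHOLDS = [(30, "提示"), (7, "告警"), (1, "灾难")]


def parse_metrics(text):
    """Parse label-free samples from the Prometheus text exposition format."""
    metrics = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and HELP/TYPE comments
        m = re.match(r"^([A-Za-z_:][A-Za-z0-9_:]*)\s+(\S+)$", line)
        if m:
            metrics[m.group(1)] = float(m.group(2))
    return metrics


def firing_alerts(probe_output, now):
    """Return the severities whose rule expression is true at unix time `now`.

    Returns None when the expiry metric is absent: with no sample to compare,
    none of the expiry rules can fire, so a failing probe needs its own alert.
    """
    expiry = parse_metrics(probe_output).get("probe_ssl_earliest_cert_expiry")
    if expiry is None:
        return None
    remaining = expiry - now  # same as: probe_ssl_earliest_cert_expiry - time()
    return [sev for days, sev in THRESHOLDS if remaining < 86400 * days]


if __name__ == "__main__":
    expiry = 1.7005e9
    for days_left in (45, 20, 5, 0.5):
        print(days_left, firing_alerts(SAMPLE_PROBE_OUTPUT, expiry - days_left * 86400))
    print("no TLS metric:", firing_alerts("probe_success 0\n", expiry))
```

A certificate with 5 days left satisfies both the 30-day and the 7-day expression, so both alerts fire for the same instance at once.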

2. Configure Alertmanager

PrometheusAlert is used here as the unified message push service.

git: https://github.com/feiyu563/PrometheusAlert