BlackboxSslCertificateWillExpireSoon

SSL certificate expires in less than 20 days

Alert Rule
- alert: BlackboxSslCertificateWillExpireSoon
  annotations:
    description: |-
      SSL certificate expires in less than 20 days
        VALUE = {{ $value }}
        LABELS = {{ $labels }}
    runbook: https://srerun.github.io/prometheus-alerts/runbooks/blackbox-exporter/blackboxsslcertificatewillexpiresoon/
    summary: Blackbox SSL certificate will expire soon (instance {{ $labels.instance }})
  expr: 3 <= round((last_over_time(probe_ssl_earliest_cert_expiry[10m]) - time()) / 86400, 0.1) < 20
  for: 0m
  labels:
    severity: warning

- alert: BlackboxSslCertificateWillExpireSoon
  annotations:
    description: |-
      SSL certificate expires in less than 3 days
        VALUE = {{ $value }}
        LABELS = {{ $labels }}
    runbook: https://srerun.github.io/prometheus-alerts/runbooks/blackbox-exporter/blackboxsslcertificatewillexpiresoon/
    summary: Blackbox SSL certificate will expire soon (instance {{ $labels.instance }})
  expr: 0 <= round((last_over_time(probe_ssl_earliest_cert_expiry[10m]) - time()) / 86400, 0.1) < 3
  for: 0m
  labels:
    severity: critical

Meaning

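The BlackboxSslCertificateWillExpireSoon alert fires when the SSL certificate of a monitored service will expire within the next 20 days. It is raised at warning severity while between 3 and 20 days remain, and at critical severity once fewer than 3 days remain. The alert is evaluated on the probe_ssl_earliest_cert_expiry metric exposed by the Blackbox Exporter, a Prometheus exporter that probes target services and records the expiry time of the certificates they present.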

Impact

If the SSL certificate expires, it can lead to:

  • Disruption of secure communication with the service
  • Errors and warnings in client applications
  • Potential security risks due to the use of an expired certificate
  • Downtime and revenue loss for critical services

Diagnosis

To diagnose the issue, follow these steps:

  1. Identify the affected service: Check the instance label in the alert to determine which service is affected.
  2. Verify the certificate expiration date: Use the Blackbox Exporter or other SSL auditing tools to verify the expiration date of the SSL certificate.
  3. Check certificate renewal process: Review the certificate renewal process to ensure it is functioning correctly.

Mitigation

To mitigate the issue, follow these steps:

  1. Renew the SSL certificate: Obtain a new SSL certificate from a trusted certificate authority and install it on the affected service.
  2. Update the certificate configuration: Update the service configuration to use the new SSL certificate.
  3. Verify the certificate: Use the Blackbox Exporter or other SSL auditing tools to verify that the new certificate is correctly installed and configured.
  4. Update the certificate renewal process: Review and update the certificate renewal process to prevent similar issues in the future.
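For the verification steps in Diagnosis (step 2) and Mitigation (step 3), the alert's calculation can be reproduced by hand with the openssl CLI. This is an added example, not part of the original runbook or the Blackbox Exporter project; the function names are hypothetical, and it assumes `openssl`, `awk` and GNU `date` are installed. It lists every certificate the server presents, because the metric tracks the earliest expiry among them rather than the leaf alone.

```bash
#!/bin/sh
# Added example: function names are hypothetical, not from the runbook.
# HOST is the host part of the alert's instance label.

# chain_expiries HOST [PORT]: print subject and notAfter for every certificate
# the server presents. s_client prints the leaf twice, which is harmless here.
chain_expiries() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1; pem = "" }
         keep { pem = pem $0 "\n" }
         /-----END CERTIFICATE-----/ {
             keep = 0
             cmd = "openssl x509 -noout -subject -enddate"
             printf "%s", pem | cmd
             close(cmd)
         }'
}

# earliest_expiry_epoch HOST [PORT]: smallest notAfter among the presented
# certificates, as a Unix timestamp (assumes GNU date for -d).
earliest_expiry_epoch() {
    chain_expiries "$@" | sed -n 's/^notAfter=//p' |
    while IFS= read -r end; do date -u -d "$end" +%s; done | sort -n | head -n 1
}

# alert_tier EXPIRY_EPOCH [NOW_EPOCH]: apply the two expressions from the rule.
# PromQL round(v, 0.1) rounds to the nearest 0.1 with ties rounded up.
alert_tier() {
    awk -v e="$1" -v n="${2:-$(date +%s)}" 'BEGIN {
        x = (e - n) / 86400 * 10 + 0.5
        r = int(x); if (r > x) r--          # floor, also for negative values
        d = r / 10
        if (d >= 3 && d < 20)      print "warning"
        else if (d >= 0 && d < 3)  print "critical"
        else if (d < 0)            print "expired"   # neither rule above matches
        else                       print "ok"
    }'
}
```

Running `alert_tier "$(earliest_expiry_epoch HOST)"` before and after the renewal shows whether the warning or critical rule would still match for that target.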
