Skip to main content

X.509 certificate

Plugin: go.d.plugin Module: x509check

Overview

This collectors monitors x509 certificates expiration time and revocation status.

This collector is supported on all platforms.

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

Default Behavior

Auto-Detection

This integration doesn't support auto-detection.

Limits

The default configuration for this integration does not impose any limits on data collection.

Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.

Metrics

Metrics grouped by scope.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

Per source

These metrics refer to the configured source.

Labels:

LabelDescription
sourceConfigured source.

Metrics:

MetricDimensionsUnit
x509check.time_until_expirationexpiryseconds
x509check.revocation_statusrevokedboolean

Alerts

The following alerts are available:

Alert nameOn metricDescription
x509check_days_until_expiration x509check.time_until_expirationtime until x509 certificate expires
x509check_revocation_status x509check.revocation_statusx509 certificate revocation status (0: revoked, 1: valid)

Setup

Prerequisites

No action required.

Configuration

File

The configuration file name for this integration is go.d/x509check.conf.

You can edit the configuration file using the edit-config script from the Netdata config directory.

cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/x509check.conf

Options

The following options can be defined globally: update_every, autodetection_retry.

Config options
NameDescriptionDefaultRequired
update_everyData collection frequency.1no
autodetection_retryRecheck interval in seconds. Zero means no recheck will be scheduled.0no
sourceCertificate source. Allowed schemes: https, tcp, tcp4, tcp6, udp, udp4, udp6, file.no
days_until_expiration_warningNumber of days before the alarm status is warning.30no
days_until_expiration_criticalNumber of days before the alarm status is critical.15no
check_revocation_statusWhether to check the revocation status of the certificate.nono
timeoutSSL connection timeout.2no
tls_skip_verifyServer certificate chain and hostname validation policy. Controls whether the client performs this check.nono
tls_caCertification authority that the client uses when verifying the server's certificates.no
tls_certClient TLS certificate.no
tls_keyClient TLS key.no

Examples

Website certificate

Website certificate.

Config
jobs:
- name: my_site_cert
source: https://my_site.org:443

Local file certificate

Local file certificate.

Config
jobs:
- name: my_file_cert
source: file:///home/me/cert.pem

SMTP certificate

SMTP certificate.

Config
jobs:
- name: my_smtp_cert
source: smtp://smtp.my_mail.org:587

Multi-instance

Note: When you define more than one job, their names must be unique.

Check the expiration status of the multiple websites' certificates.

Config
jobs:
- name: my_site_cert1
source: https://my_site1.org:443

- name: my_site_cert2
source: https://my_site1.org:443

- name: my_site_cert3
source: https://my_site3.org:443

Troubleshooting

Debug Mode

To troubleshoot issues with the x509check collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn't working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that's not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/
  • Switch to the netdata user.

    sudo -u netdata -s
  • Run the go.d.plugin to debug the collector:

    ./go.d.plugin -d -m x509check

Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.