Skip to main content

x509 certificate monitoring with Netdata

This module checks the time until a x509 certificate expiration and its revocation status.

Charts#

It produces the following charts:

  • Time Until Certificate Expiration in seconds
  • Revocation Status in status

Configuration#

Edit the go.d/x509check.conf configuration file using edit-config from the Netdata config directory, which is typically at /etc/netdata.

cd /etc/netdata # Replace this path with your Netdata config directory
sudo ./edit-config go.d/x509check.conf

Needs only source.

Use smtp scheme for smtp servers, file for files and https or tcp for others. Port is mandatory for all non-file schemes.

Here is an example for 3 sources:

update_every: 60
jobs:
- name: my_site_cert
source: https://my_site.org:443
- name: my_file_cert
source: file:///home/me/cert.pem
- name: my_smtp_cert
source: smtp://smtp.my_mail.org:587

For all available options and defaults please see module configuration file.

Revocation status#

Revocation status check is disabled by default. To enable it set check_revocation_status to yes.

jobs:
- name: my_site_cert
source: https://my_site.org:443
check_revocation_status: yes

Troubleshooting#

To troubleshoot issues with the x509check collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn't working.

First, navigate to your plugins directory, usually at /usr/libexec/netdata/plugins.d/. If that's not the case on your system, open netdata.conf and look for the setting plugins directory. Once you're in the plugin's directory, switch to the netdata user.

cd /usr/libexec/netdata/plugins.d/
sudo -u netdata -s

You can now run the go.d.plugin to debug the collector:

./go.d.plugin -d -m x509check

Reach out

If you need help after reading this doc, search our community forum for an answer. There's a good chance someone else has already found a solution to the same issue.

Documentation

Community

Last updated on