Skip to main content

x509 certificate collector

This module checks the time until a x509 certificate expiration and its revocation status.

Metrics

All metrics have "x509." prefix.

Labels per scope:

  • global: source.
MetricScopeDimensionsUnits
time_until_expirationglobalexpiryseconds
revocation_statusglobalrevokedboolean

Configuration

Edit the go.d/x509check.conf configuration file using edit-config from the Netdata config directory, which is typically at /etc/netdata.

cd /etc/netdata # Replace this path with your Netdata config directory
sudo ./edit-config go.d/x509check.conf

Needs only source.

Use smtp scheme for smtp servers, file for files and https or tcp for others. Port is mandatory for all non-file schemes.

Here is an example for 3 sources:

update_every: 60

jobs:
- name: my_site_cert
source: https://my_site.org:443

- name: my_file_cert
source: file:///home/me/cert.pem

- name: my_smtp_cert
source: smtp://smtp.my_mail.org:587

For all available options and defaults please see module configuration file.

Revocation status

Revocation status check is disabled by default. To enable it set check_revocation_status to yes.

jobs:
- name: my_site_cert
source: https://my_site.org:443
check_revocation_status: yes

Troubleshooting

To troubleshoot issues with the x509check collector, run the go.d.plugin with the debug option enabled. The output should give you clues as to why the collector isn't working.

  • Navigate to the plugins.d directory, usually at /usr/libexec/netdata/plugins.d/. If that's not the case on your system, open netdata.conf and look for the plugins setting under [directories].

    cd /usr/libexec/netdata/plugins.d/
  • Switch to the netdata user.

    sudo -u netdata -s
  • Run the go.d.plugin to debug the collector:

    ./go.d.plugin -d -m x509check

Do you have any feedback for this page? If so, you can open a new issue on our netdata/learn repository.