Plugin: go.d.plugin Module: x509check
This collectors monitors x509 certificates expiration time and revocation status.
This collector is supported on all platforms.
This collector supports collecting metrics from multiple instances of this integration, including remote instances.
This integration doesn’t support auto-detection.
The default configuration for this integration does not impose any limits on data collection.
The default configuration for this integration is not expected to impose a significant performance impact on the system.
No action required.
The configuration file name for this integration is go.d/x509check.conf
.
You can edit the configuration file using the edit-config
script from the
Netdata config directory.
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/x509check.conf
The following options can be defined globally: update_every, autodetection_retry.
Name | Description | Default | Required |
---|---|---|---|
update_every | Data collection frequency. | 1 | no |
autodetection_retry | Recheck interval in seconds. Zero means no recheck will be scheduled. | 0 | no |
source | Certificate source. Allowed schemes: https, tcp, tcp4, tcp6, udp, udp4, udp6, file, smtp. | no | |
check_full_chain | Monitor expiration time for all certificates in the SSL/TLS chain, including intermediate and root certificates. | no | no |
check_revocation_status | Whether to check the revocation status of the certificate. | no | no |
timeout | SSL connection timeout. | 2 | no |
tls_skip_verify | Server certificate chain and hostname validation policy. Controls whether the client performs this check. | no | no |
tls_ca | Certification authority that the client uses when verifying the server’s certificates. | no | |
tls_cert | Client TLS certificate. | no | |
tls_key | Client TLS key. | no |
Website certificate.
jobs:
- name: my_site_cert
source: https://my_site.org:443
Local file certificate.
jobs:
- name: my_file_cert
source: file:///home/me/cert.pem
SMTP certificate.
jobs:
- name: my_smtp_cert
source: smtp://smtp.my_mail.org:587
Note: When you define more than one job, their names must be unique.
Check the expiration status of the multiple websites' certificates.
jobs:
- name: my_site_cert1
source: https://my_site1.org:443
- name: my_site_cert2
source: https://my_site1.org:443
- name: my_site_cert3
source: https://my_site3.org:443
Metrics grouped by scope.
The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
These metrics refer to the SSL certificate.
Labels:
Label | Description |
---|---|
source | Same as the “source” configuration option. |
common_name | The common name (CN) extracted from the certificate. |
depth | The depth of the certificate within the certificate chain. The leaf certificate has a depth of 0, and subsequent certificates (intermediate certificates) have increasing depth values. The root certificate is at the highest depth. |
Metrics:
Metric | Dimensions | Unit |
---|---|---|
x509check.time_until_expiration | expiry | seconds |
x509check.revocation_status | not_revoked, revoked | boolean |
The following alerts are available:
Alert name | On metric | Description |
---|---|---|
x509check_days_until_expiration | x509check.time_until_expiration | SSL cert expiring soon (${label:source} cn:${label:common_name}) |
x509check_revocation_status | x509check.revocation_status | SSL cert revoked (${label:source}) |
Important: Debug mode is not supported for data collection jobs created via the UI using the Dyncfg feature.
To troubleshoot issues with the x509check
collector, run the go.d.plugin
with the debug option enabled. The output
should give you clues as to why the collector isn’t working.
Navigate to the plugins.d
directory, usually at /usr/libexec/netdata/plugins.d/
. If that’s not the case on
your system, open netdata.conf
and look for the plugins
setting under [directories]
.
cd /usr/libexec/netdata/plugins.d/
Switch to the netdata
user.
sudo -u netdata -s
Run the go.d.plugin
to debug the collector:
./go.d.plugin -d -m x509check
If you’re encountering problems with the x509check
collector, follow these steps to retrieve logs and identify potential issues:
Use the following command to view logs generated since the last Netdata service restart:
journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show --value --property=InvocationID netdata)" --namespace=netdata --grep x509check
Locate the collector log file, typically at /var/log/netdata/collector.log
, and use grep
to filter for collector’s name:
grep x509check /var/log/netdata/collector.log
Note: This method shows logs from all restarts. Focus on the latest entries for troubleshooting current issues.
If your Netdata runs in a Docker container named “netdata” (replace if different), use this command:
docker logs netdata 2>&1 | grep x509check
Want a personalised demo of Netdata for your use case?