CertAlert is a dynamic monitoring tool designed to extract the expiration dates of local SSL/TLS certificates stored in PEM, PKCS12, P7, TrustStore and Java Keystore formats. It then exposes these expiration dates as epoch-formatted metrics, enabling Prometheus to easily scrape and alert on certificate expiry.
Real-time Monitoring: Automatically scans the expiration dates of certificates upon each /metrics endpoint request by Prometheus.
Flexible Export: Supports exporting metrics directly to a Pushgateway server or outputs them in JSON, YAML, or text table formats.
certalert_certificate_epoch_seconds: This metric represents the expiration date of each SSL/TLS certificate, expressed in epoch format.
certalert_certificate_extraction_status: This metric signifies the status of the certificate extraction process. A value of 0 indicates successful extraction, while a value of 1 signifies a failure. In the case of a failure, the reason label will provide additional details on the issue encountered.
The primary function is to utilize the serve command to initiate a web server that exposes metrics for Prometheus to retrieve.
-c, --config: Sets the path to the configuration file (Default:$HOME/.certalert.yaml).-v, --verbose: Activates verbose output for detailed logging. Can also be set as environment variableCERTALERT_VERBOSE.-s, --silent: Enables silent mode, displaying only errors. Can also be set as environment variableCERTALERT_SILENT.-f, --fail-on-error: Exitscertalertimmediately upon encountering an error.-V, --version: Print the current version and exit.
-
serve: Launches a web server to expose certificate metrics.
certalert serve [flags]
Flags:
--listen-address: The address to listen on for HTTP requests. (Default::8080).--auto-reload-config: Detects config changes and reloads the configuration file.
Examples:
# Launch the web server on localhost:8080. certalert serve --listen-address localhost:8080 -
print: Prints information about the certificates.
certalert print [CERTIFICATE_NAME...] [flags]
Flags:
-A, --all: Prints all certificates.-o, --output: Specify the output format. Supported formats:text,json,yaml.
Examples:
# Print all certificates in JSON format. certalert print --all --output json # Print a specific certificate named 'example-cert' in the default format. certalert print example-cert
-
push: Push certificate expiration as an epoch to a Prometheus Pushgateway instance.
certalert push [CERTIFICATE_NAME...] [flags]
Flags:
-A, --all: Push all certificates.-i, --insecure-skip-verify: Skip TLS certificate verification.
Examples:
# Push metadata for all certificates. certalert push --all # Push metadata for a specific certificate named 'example-cert'. certalert push example-cert
Certificates can be defined with properties such as their name, path, type, and an optional password. You have the flexibility to enable or disable specific certificate checks with the field enabled. Additionally, the type of certificate can either be manually defined or determined by the system based on the file extension.
Credentials, such as password, can be specified in multiple ways: plain text, an environment variable, or a file containing the credentials. For files with multiple key-value pairs, a specific key can be chosen by appending //KEY at the end of the file path. See Providing Credentials for more details.
The program can interact with a Pushgateway server, for which the address and job label can be defined. It also provides two authentication methods - Basic and Bearer. For Basic authentication, a username and password are required. For Bearer authentication, a token is required.
Just like the certificate password, these credentials can also be provided as plain text, from an environment variable, or from a file. See Providing Credentials for more details.
The certificates must be configured in a file. The config file can be yaml, json or toml. The config file should be loaded automatically if changed. Please check the log output to control if the automatic config reload works in your environment. You can disable the automatic reload by adding the flag --auto-reload-config=false.
The endpont /-/reload also reloads the configuration.
Below are the available properties for the Pushgateway and its nested types:
-
pushgateway
- address: The URL of the Pushgateway server. *
- job: The job label to be attached to pushed metrics. *
- insecureSkipVerify Skip TLS certificate verification. Defaults to
false. - auth: This nested structure holds the authentication details needed for the Pushgateway server. It supports two types of authentication:
BasicandBearer.
-
auth
- basic: This nested structure holds the basic authentication details.
- username: Username used for basic authentication. *
- password: Password used for basic authentication. *
- bearer: This nested structure holds the bearer authentication details.
- token: Bearer token used for bearer authentication. *
- basic: This nested structure holds the basic authentication details.
Please ensure each property is correctly configured to prevent any unexpected behaviors. Remember to provide necessary authentication details under the Auth structure based on the type of authentication your Pushgateway server uses.
*Can be provided as plain text, from an environment variable, or from a file. See Providing Credentials for more details.
Here are the available properties for the certificate:
- name: This refers to the unique identifier of the certificate. It's used for distinguishing between different certificates. If not provided, it defaults to the certificate's filename, replacing all spaces (
.) and underlines (_) with a dash (-). - enabled: This toggle enables or disables this check. By default, it is set to
true. - path: This specifies the location of the certificate file in your system.
- type: This denotes the type of the certificate. If it's not explicitly specified, the system will attempt to determine the type based on the file extension. Allowed types are:
p12,pkcs12,pfx,pem,crt,jks,p7,p7b,p7c,truststoreorts. - password: This optional property allows you to set the password for the certificate.
Credentials such as passwords or tokens can be provided in one of the following formats:
-
Plain Text: Simply input the credentials directly in plain text.
-
Environment Variable: Use the
env:prefix, followed by the name of the environment variable that stores the credentials. -
File: Use the
file:prefix, followed by the path of the file that contains the credentials. The file should contain only the credentials.In case the file contains multiple key-value pairs, the specific key for the credentials can be selected by appending
//KEYto the end of the path. Each key-value pair in the file must follow thekey = valueformat. The system will use the value corresponding to the specified//KEY.
Make sure each credential property is correctly configured to prevent any unexpected behaviors.
---
pushgateway:
address: http://pushgateway.monitoring.svc.cluster.local:9091
insecureSkipVerify: false
job: certalert
certs:
- name: PEM - without_password
enabled: true
path: /certs/pem/without_password_certificate.pem
- name: PEM - chain
enabled: true
path: /certs/pem/chain_certificate.pem
password: file:/certs/pem/chain_certificate.password
- name: P12 - with_password
enabled: true
path: /certs/p12/with_password_certificate.p12
password: env:P12_PASSWORD
- name: P12 - chain
enabled: true
path: /certs/p12/chain_certificate.p12
password: file:/certs/certalert.passwords//p12_password
- name: jks - regular
enabled: true
path: /certs/jks/regular.jks
password: env:JKS_PASSWORD
- name: jks - chain
enabled: true
path: /certs/jks/chain.jks
password: file:/certs/certalert.passwords//jks_passwordCertAlert provides the following web-accessible endpoints:
| Endpoint | Purpose |
|---|---|
/ |
Shows the endpoints |
/certificates |
Fetches and displays all the certificates in a tabular format |
/-/reload |
Reloads the configuration |
/config |
Provides the currently active configuration file. Plaintext passwords are redacted |
/metrics |
Delivers metrics for Prometheus to scrape |
/healthz |
Returns the health of the application |
The certificate format is inferred from its file extension. However, you can override this automatic detection by specifying the type field.
With CertAlert, the focus is exclusively on extracting certificates. Should there be additional components, they will be skipped.
Recognized file extensions:
.jks
Check if the file is really a Java Keystore:
keytool -list -v -keystore CERT.jks -storepass PASSWORDIf the Keystore type is PKCS12, you have to set the type to p12.
Recognized file extensions:
.ts.truststore
Recognized file extensions:
.p7.p7b.p7c
Using the specified password, certalert retrieves both private keys and certificates from P12 files. Incorrect password inputs lead to failures.
Recognized file extensions:
.p12.pkcs12.pfx
Recognized file extensions:
.pem.crt