github.com/netdata/go.d.plugin@v0.58.1/modules/x509check/integrations/x.509_certificate.md (about)

<!--startmeta
custom_edit_url: "https://github.com/netdata/go.d.plugin/edit/master/modules/x509check/README.md"
meta_yaml: "https://github.com/netdata/go.d.plugin/edit/master/modules/x509check/metadata.yaml"
sidebar_label: "X.509 certificate"
learn_status: "Published"
learn_rel_path: "Data Collection/Synthetic Checks"
most_popular: False
message: "DO NOT EDIT THIS FILE DIRECTLY, IT IS GENERATED BY THE COLLECTOR'S metadata.yaml FILE"
endmeta-->

# X.509 certificate

<img src="https://netdata.cloud/img/lock.svg" width="150"/>

Plugin: go.d.plugin
Module: x509check

<img src="https://img.shields.io/badge/maintained%20by-Netdata-%2300ab44" />

## Overview

This collector monitors the expiration time and revocation status of X.509 certificates.

This collector is supported on all platforms.

This collector supports collecting metrics from multiple instances of this integration, including remote instances.

### Default Behavior

#### Auto-Detection

This integration doesn't support auto-detection.

#### Limits

The default configuration for this integration does not impose any limits on data collection.

#### Performance Impact

The default configuration for this integration is not expected to impose a significant performance impact on the system.

## Metrics

Metrics grouped by *scope*.

The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.

### Per source

These metrics refer to the configured source.

Labels:

| Label      | Description     |
|:-----------|:----------------|
| source | Configured source. |

Metrics:

| Metric | Dimensions | Unit |
|:------|:----------|:----|
| x509check.time_until_expiration | expiry | seconds |
| x509check.revocation_status | revoked | boolean |

## Alerts

The following alerts are available:

| Alert name  | On metric | Description |
|:------------|:----------|:------------|
| [ x509check_days_until_expiration ](https://github.com/netdata/netdata/blob/master/health/health.d/x509check.conf) | x509check.time_until_expiration | time until x509 certificate expires |
| [ x509check_revocation_status ](https://github.com/netdata/netdata/blob/master/health/health.d/x509check.conf) | x509check.revocation_status | x509 certificate revocation status (0: revoked, 1: valid) |

## Setup

### Prerequisites

No action required.

### Configuration

#### File

The configuration file name for this integration is `go.d/x509check.conf`.

You can edit the configuration file using the `edit-config` script from the
Netdata [config directory](https://github.com/netdata/netdata/blob/master/docs/configure/nodes.md#the-netdata-config-directory).

```bash
cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
sudo ./edit-config go.d/x509check.conf
```

#### Options

The following options can be defined globally: update_every, autodetection_retry.

<details><summary>Config options</summary>

| Name | Description | Default | Required |
|:----|:-----------|:-------|:--------:|
| update_every | Data collection frequency. | 1 | no |
| autodetection_retry | Recheck interval in seconds. Zero means no recheck will be scheduled. | 0 | no |
| source | Certificate source. Allowed schemes: https, tcp, tcp4, tcp6, udp, udp4, udp6, file. |  | no |
| days_until_expiration_warning | Number of days before the alarm status is warning. | 30 | no |
| days_until_expiration_critical | Number of days before the alarm status is critical. | 15 | no |
| check_revocation_status | Whether to check the revocation status of the certificate. | no | no |
| timeout | SSL connection timeout. | 2 | no |
| tls_skip_verify | Server certificate chain and hostname validation policy. Controls whether the client performs this check. | no | no |
| tls_ca | Certification authority that the client uses when verifying the server's certificates. |  | no |
| tls_cert | Client TLS certificate. |  | no |
| tls_key | Client TLS key. |  | no |

</details>

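How a `time_until_expiration` value in seconds relates to the default `days_until_expiration_warning` and `days_until_expiration_critical` thresholds, shown as an added Go example that is not the collector's own code. The function names are hypothetical, the certificate is a self-signed one constructed in memory, and the example assumes an alert state applies once the remaining time drops below its threshold.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const warnDays, critDays = 30, 15 // defaults from the options table

// secondsUntilExpiration (hypothetical helper) returns NotAfter - now for a PEM certificate.
func secondsUntilExpiration(pemData []byte, now time.Time) (float64, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return 0, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return 0, err
	}
	return cert.NotAfter.Sub(now).Seconds(), nil
}

// status assumes an alert state applies once the remaining time drops below its threshold.
func status(secs float64) string {
	if secs < critDays*86400 {
		return "critical"
	} else if secs < warnDays*86400 {
		return "warning"
	}
	return "clear"
}

// constructedCert builds a throwaway self-signed certificate as sample input.
func constructedCert(now time.Time, validFor time.Duration) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now.Add(-time.Hour), NotAfter: now.Add(validFor)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	secs, err := secondsUntilExpiration(constructedCert(now, 20*24*time.Hour), now)
	fmt.Println(int(secs), status(secs), err)
}
```

An already expired certificate yields a negative value, which falls under the critical threshold as well.
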
#### Examples

##### Website certificate

Website certificate.

<details><summary>Config</summary>

```yaml
jobs:
  - name: my_site_cert
    source: https://my_site.org:443

```
</details>

##### Local file certificate

Local file certificate.

<details><summary>Config</summary>

```yaml
jobs:
  - name: my_file_cert
    source: file:///home/me/cert.pem

```
</details>

##### SMTP certificate

SMTP certificate.

<details><summary>Config</summary>

```yaml
jobs:
  - name: my_smtp_cert
    source: smtp://smtp.my_mail.org:587

```
</details>

##### Multi-instance

> **Note**: When you define more than one job, their names must be unique.

Check the expiration status of multiple websites' certificates.

<details><summary>Config</summary>

```yaml
jobs:
  - name: my_site_cert1
    source: https://my_site1.org:443

  - name: my_site_cert2
    source: https://my_site2.org:443

  - name: my_site_cert3
    source: https://my_site3.org:443

```
</details>

## Troubleshooting

### Debug Mode

To troubleshoot issues with the `x509check` collector, run the `go.d.plugin` with the debug option enabled. The output
should give you clues as to why the collector isn't working.

- Navigate to the `plugins.d` directory, usually at `/usr/libexec/netdata/plugins.d/`. If that's not the case on
  your system, open `netdata.conf` and look for the `plugins` setting under `[directories]`.

  ```bash
  cd /usr/libexec/netdata/plugins.d/
  ```

- Switch to the `netdata` user.

  ```bash
  sudo -u netdata -s
  ```

- Run the `go.d.plugin` to debug the collector:

  ```bash
  ./go.d.plugin -d -m x509check
  ```