Diffstat (limited to '')
-rw-r--r-- src/go/collectors/go.d.plugin/modules/x509check/integrations/x.509_certificate.md | 225
1 files changed, 225 insertions, 0 deletions
diff --git a/src/go/collectors/go.d.plugin/modules/x509check/integrations/x.509_certificate.md b/src/go/collectors/go.d.plugin/modules/x509check/integrations/x.509_certificate.md
new file mode 100644
index 000000000..0815e85db
--- /dev/null
+++ b/src/go/collectors/go.d.plugin/modules/x509check/integrations/x.509_certificate.md
@@ -0,0 +1,225 @@
+<!--startmeta
+custom_edit_url: "https://github.com/netdata/netdata/edit/master/src/go/collectors/go.d.plugin/modules/x509check/README.md"
+meta_yaml: "https://github.com/netdata/netdata/edit/master/src/go/collectors/go.d.plugin/modules/x509check/metadata.yaml"
+sidebar_label: "X.509 certificate"
+learn_status: "Published"
+learn_rel_path: "Collecting Metrics/Synthetic Checks"
+most_popular: False
+message: "DO NOT EDIT THIS FILE DIRECTLY, IT IS GENERATED BY THE COLLECTOR'S metadata.yaml FILE"
+endmeta-->
+
+# X.509 certificate
+
+
+<img src="https://netdata.cloud/img/lock.svg" width="150"/>
+
+
+Plugin: go.d.plugin
+Module: x509check
+
+<img src="https://img.shields.io/badge/maintained%20by-Netdata-%2300ab44" />
+
+## Overview
+
+
+
+This collectors monitors x509 certificates expiration time and revocation status.
+
+
+This collector is supported on all platforms.
+
+This collector supports collecting metrics from multiple instances of this integration, including remote instances.
+
+
+### Default Behavior
+
+#### Auto-Detection
+
+This integration doesn't support auto-detection.
+
+#### Limits
+
+The default configuration for this integration does not impose any limits on data collection.
+
+#### Performance Impact
+
+The default configuration for this integration is not expected to impose a significant performance impact on the system.
+
+
+## Metrics
+
+Metrics grouped by *scope*.
+
+The scope defines the instance that the metric belongs to. An instance is uniquely identified by a set of labels.
+
+
+
+### Per source
+
+These metrics refer to the configured source.
+
+Labels:
+
+| Label | Description |
+|:-----------|:----------------|
+| source | Configured source. |
+
+Metrics:
+
+| Metric | Dimensions | Unit |
+|:------|:----------|:----|
+| x509check.time_until_expiration | expiry | seconds |
+| x509check.revocation_status | revoked | boolean |
+
+
+
+## Alerts
+
+
+The following alerts are available:
+
+| Alert name | On metric | Description |
+|:------------|:----------|:------------|
+| [ x509check_days_until_expiration ](https://github.com/netdata/netdata/blob/master/src/health/health.d/x509check.conf) | x509check.time_until_expiration | time until x509 certificate expires |
+| [ x509check_revocation_status ](https://github.com/netdata/netdata/blob/master/src/health/health.d/x509check.conf) | x509check.revocation_status | x509 certificate revocation status (0: revoked, 1: valid) |
+
+
+## Setup
+
+### Prerequisites
+
+No action required.
+
+### Configuration
+
+#### File
+
+The configuration file name for this integration is `go.d/x509check.conf`.
+
+
+You can edit the configuration file using the `edit-config` script from the
+Netdata [config directory](https://github.com/netdata/netdata/blob/master/docs/netdata-agent/configuration.md#the-netdata-config-directory).
+
+```bash
+cd /etc/netdata 2>/dev/null || cd /opt/netdata/etc/netdata
+sudo ./edit-config go.d/x509check.conf
+```
+#### Options
+
+The following options can be defined globally: update_every, autodetection_retry.
+
+
+<details><summary>Config options</summary>
+
+| Name | Description | Default | Required |
+|:----|:-----------|:-------|:--------:|
+| update_every | Data collection frequency. | 1 | no |
+| autodetection_retry | Recheck interval in seconds. Zero means no recheck will be scheduled. | 0 | no |
+| source | Certificate source. Allowed schemes: https, tcp, tcp4, tcp6, udp, udp4, udp6, file. | | no |
+| days_until_expiration_warning | Number of days before the alarm status is warning. | 30 | no |
+| days_until_expiration_critical | Number of days before the alarm status is critical. | 15 | no |
+| check_revocation_status | Whether to check the revocation status of the certificate. | no | no |
+| timeout | SSL connection timeout. | 2 | no |
+| tls_skip_verify | Server certificate chain and hostname validation policy. Controls whether the client performs this check. | no | no |
+| tls_ca | Certification authority that the client uses when verifying the server's certificates. | | no |
+| tls_cert | Client TLS certificate. | | no |
+| tls_key | Client TLS key. | | no |
+
+</details>
+
+#### Examples
+
+##### Website certificate
+
+Website certificate.
+
+<details><summary>Config</summary>
+
+```yaml
+jobs:
+ - name: my_site_cert
+ source: https://my_site.org:443
+
+```
+</details>
+
+##### Local file certificate
+
+Local file certificate.
+
+<details><summary>Config</summary>
+
+```yaml
+jobs:
+ - name: my_file_cert
+ source: file:///home/me/cert.pem
+
+```
+</details>
+
+##### SMTP certificate
+
+SMTP certificate.
+
+<details><summary>Config</summary>
+
+```yaml
+jobs:
+ - name: my_smtp_cert
+ source: smtp://smtp.my_mail.org:587
+
+```
+</details>
+
+##### Multi-instance
+
+> **Note**: When you define more than one job, their names must be unique.
+
+Check the expiration status of the multiple websites' certificates.
+
+
+<details><summary>Config</summary>
+
+```yaml
+jobs:
+ - name: my_site_cert1
+ source: https://my_site1.org:443
+
+ - name: my_site_cert2
+ source: https://my_site1.org:443
+
+ - name: my_site_cert3
+ source: https://my_site3.org:443
+
+```
+</details>
+
+
+
+## Troubleshooting
+
+### Debug Mode
+
+To troubleshoot issues with the `x509check` collector, run the `go.d.plugin` with the debug option enabled. The output
+should give you clues as to why the collector isn't working.
+
+- Navigate to the `plugins.d` directory, usually at `/usr/libexec/netdata/plugins.d/`. If that's not the case on
+ your system, open `netdata.conf` and look for the `plugins` setting under `[directories]`.
+
+ ```bash
+ cd /usr/libexec/netdata/plugins.d/
+ ```
+
+- Switch to the `netdata` user.
+
+ ```bash
+ sudo -u netdata -s
+ ```
+
+- Run the `go.d.plugin` to debug the collector:
+
+ ```bash
+ ./go.d.plugin -d -m x509check
+ ```
+
+
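Review bot: the `x509check_revocation_status` row in the Alerts table describes the values as "(0: revoked, 1: valid)", while the Metrics table lists `x509check.revocation_status` with a single dimension named `revoked` and unit boolean, which reads as 1 meaning revoked. An operator reading the alert text could interpret a revoked certificate as healthy, so the description and the dimension should state the same polarity. Two smaller points in the Setup section: the SMTP example uses `source: smtp://smtp.my_mail.org:587`, but the `source` option lists the allowed schemes as https, tcp, tcp4, tcp6, udp, udp4, udp6, file, so either add smtp to that list or change the example; and in the Multi-instance example `my_site_cert2` repeats `https://my_site1.org:443`, which looks like a copy-paste slip given the other two jobs. Since the header says this file is generated from metadata.yaml, the corrections belong in that source rather than here.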