X.509 Certificate Expiry Metrics

This script retrieves an X.509 certificate from a given host and port using OpenSSL and returns the number of seconds from the current time until it expires (is no longer valid).

This script produces the following metrics:

  • x509_expire_seconds with the number of seconds until the certificate reaches its "not after" date, where a value of 0 means that it will expire the next second;
  • x509_expire_success holding 1 if OpenSSL succeeded in retrieving and parsing the certificate, otherwise 0; and
  • x509_expire_scrape_duration_seconds containing the number of seconds that it took to produce x509_expire_seconds.

How To Use

Provide the intended host and port number. Note that there is no parameter for SNI, since I didn't need it.

# Generate metrics
$ ./metrics HOST PORT > expiry.$$

# Atomic move to avoid Prometheus reading incomplete writes
$ mv expiry.$$ expiry.prom

Warning: This script assumes trusted inputs and does not escape the hostname in label value output.
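
One way to close the gap named in the warning, as an added example that is not part of this project's script: escape the host before it is written into a label value, and reject a non-numeric port. The label names `host` and `port` and both function names are assumptions; the metric names are the ones listed above.

```shell
#!/bin/sh
# Added example, not the project's script. The label names "host" and "port"
# are assumptions; the three metric names are the ones listed in this README.

# Escape a label value for the Prometheus text exposition format:
# backslash -> \\, double quote -> \", line feed -> \n (in that order).
escape_label_value() {
    printf '%s\n' "$1" |
        sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
        awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# emit_metrics HOST PORT SECONDS SUCCESS DURATION
# Prints the three samples; refuses a port that is not purely numeric.
emit_metrics() {
    case $2 in
        '' | *[!0-9]*) echo "invalid port: $2" >&2; return 1 ;;
    esac
    x509_labels="host=\"$(escape_label_value "$1")\",port=\"$2\""
    printf 'x509_expire_seconds{%s} %s\n' "$x509_labels" "$3"
    printf 'x509_expire_success{%s} %s\n' "$x509_labels" "$4"
    printf 'x509_expire_scrape_duration_seconds{%s} %s\n' "$x509_labels" "$5"
}

# Constructed input: a host argument carrying a quote and a line feed, which
# would otherwise close the label early and start a second, forged sample line.
hostile_host='example.org"} 0
x509_expire_success{host="example.org'
emit_metrics "$hostile_host" 443 86400 1 0.25
```

With the escaping in place the constructed input stays inside one label value, so the output is still exactly three sample lines.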