Detect revoked certificates

xoxys · January 31, 2022, 10:35am

Hi,

Let’s Encrypt has revoked some certificates on Friday last week Questions about Renewing before TLS-ALPN-01 Revocations - Help - Let's Encrypt Community Support

Due to this revocation, I was wondering if there is a way to monitor such events with a telegraf input plugin. Right now I use x509_cert input, but that does not give any indicator if a cert was revoked. Any idea how this scenario can be covered?

xoxys · January 31, 2022, 1:51pm

Maybe something like this could be added to the x509_cert input

github.com

ribbybibby/ssl_exporter/blob/83f01274fcd87044b269326a81c3d6b3c49de9da/prober/metrics.go#L167-L232


      
          func collectOCSPMetrics(ocspResponse []byte, registry *prometheus.Registry) error {
          	var (
          		ocspStapled = prometheus.NewGauge(
          			prometheus.GaugeOpts{
          				Name: prometheus.BuildFQName(namespace, "", "ocsp_response_stapled"),
          				Help: "If the connection state contains a stapled OCSP response",
          			},
          		)
          		ocspStatus = prometheus.NewGauge(
          			prometheus.GaugeOpts{
          				Name: prometheus.BuildFQName(namespace, "", "ocsp_response_status"),
          				Help: "The status in the OCSP response 0=Good 1=Revoked 2=Unknown",
          			},
          		)
          		ocspProducedAt = prometheus.NewGauge(
          			prometheus.GaugeOpts{
          				Name: prometheus.BuildFQName(namespace, "", "ocsp_response_produced_at"),
          				Help: "The producedAt value in the OCSP response, expressed as a Unix Epoch Time",
          			},
          		)

This file has been truncated. show original

Giovanni_Luisotto · January 31, 2022, 2:06pm

I don’t know this input plugin, but if you got ideas about how to improve it, I encourage you to open a feature request (or even better the PR) on the Telegraf Github repo.

I think Github is generally better suited for this kind of technical talk.

xoxys · January 31, 2022, 2:11pm

As a cross-reference [inputs.x509_cert] detect revoked certificates · Issue #10550 · influxdata/telegraf · GitHub

Topic		Replies	Views
Revoking client certificates in telegraf (influxdb_listener) Telegraf telegraf , security	1	839	October 22, 2021
Error in X509 certificate checking Telegraf	6	1302	June 9, 2023
Telegraf: monitoring SSL certificate telegraf	6	1247	June 18, 2021
Telegraf 1.13.0-rc3 Now Available Telegraf telegraf , release-notes	2	1071	December 11, 2019
Missing metrics when proxying them to output.prometheus_client telegraf	5	1760	May 7, 2021

Detect revoked certificates

Related topics