cert

Reference for the `cert` collector.

cert · collector · run nanook doc cert for the same content in your terminal.

Reads the TLS leaf certificate from a host and reports expiry signals.

Options

Option	Type	Default	Description
`host`	string	required	target hostname or IP
`port`	string	`443`	target port
`server_name`	string	—	SNI override (defaults to `host` when it parses as a DNS name)
`timeout`	string	`10s`	dial + handshake timeout (e.g. `5s`)

Metric	Kind	Unit	Description
`cert.handshake_ok`	bool	—	true if the TLS handshake completed. Labels: `addr`.
`cert.days_until_expiry`	numeric	—	days remaining before the leaf cert `not_after`. Negative once expired. Labels: `addr`.
`cert.not_after`	numeric	`seconds`	leaf cert `not_after` as seconds since the unix epoch. Labels: `addr`.
`cert.not_before`	numeric	`seconds`	leaf cert `not_before` as seconds since the unix epoch. Labels: `addr`.
`cert.valid`	bool	—	true when current time is within [`not_before`, `not_after`]. Labels: `addr`.

[[collectors]]
name = "api-cert"
kind = "cert"
interval = 3600
[collectors.opts]
host = "api.example.com"
port = 443
timeout = "10s"

[[alerts]]
expr = "api-cert::cert.days_until_expiry < 14"
count = 1
channel = "ops"
escalate = { after = 86400, channel = "oncall" }

[[alerts]]
expr = 'api-cert::cert.handshake_ok is "false"'
count = 3
channel = "ops"

[collectors.opts]
host = "10.0.0.42"
port = 443
server_name = "api.example.com"