Monitoring TLS certificate expiry

This is a short follow-up article to the NAS TLS certificate replacement one I wrote a few months back. Since then I have set up monitoring of the TLS certificates I’ve deployed.

My initial idea was to build some custom tool which would fetch the certificates, inspect them and output the expiry date (or the numbers of days left until that date). And although that would have been fun, I also didn’t get around to it for some time. Meanwhile more certificates were about to expire…

I already had Grafana running for another dashboard and I have some experience with Prometheus. So using the Blackbox exporter to solve the data collection part was—in hindsight—an obvious solution for my problem. Importing a community built dashboard in Grafana was the next logical step.

Screenshot of my Grafana dashboard displaying Blackbox exporter data

This gives me just about everything I need and a bit more. I peek at this dashboard every once in a while and thus far have been able to replace certificates before they expire.