Unable to scrape Postgres cert metrics using Blackbox exporter


Athira Manohar

Jun 21, 2021, 11:12:50 AM
to Prometheus Users
Hi Team,

I am not able to get Postgres certificate expiry details using the blackbox exporter, as it throws an error even after successful connectivity. Please suggest a way to capture Postgres certificate expiry details into Prometheus.

What is the blackbox.yml module config.
modules:
  tls_connect:
    prober: tcp
    timeout: 60s
    tcp:
      preferred_ip_protocol: "ip4"
      ip_protocol_fallback: false
      query_response:
        - expect: "OK.*STARTTLS"
        - send: ". STARTTLS"
        - expect: "OK"
        - starttls: true
        - send: ". capability"
        - expect: "CAPABILITY IMAP4rev1"
      tls: true
      tls_config:
        insecure_skip_verify: true
  ldap:
    prober: tcp
    timeout: 5s
    tcp:
      preferred_ip_protocol: "ip4"
      query_response:
        - send: !!binary "MCICAQFgHQIBAwQIbm90YXVzZXKADm5vdHRoZXBhc3N3b3Jk"
        - expect: !!binary "MAwCAQFhBw=="
  postgres:
    prober: tcp
    tcp:
      query_response:
        - send: !!binary AAAACATSFi8=
        - starttls: true


What is the prometheus.yml scrape config.
- job_name: postgres-blackbox
  honor_timestamps: true
  scrape_interval: 5m
  scrape_timeout: 5m
  metrics_path: /probe
  params:
    module: [tcp_connect]  ## also tried with modules ldap and postgres
  kubernetes_sd_configs:
    - api_server: null
      role: service
      namespaces:
        names: []
  relabel_configs:
    - source_labels: [__meta_kubernetes_namespace]
      target_label: kubernetes_namespace
    - source_labels: [__meta_kubernetes_service_name]
      target_label: kubernetes_name
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [__param_target]
      target_label: instance
    - target_label: __address__
      replacement: prometheus-blackbox-exporter.do-prom-athira.svc.cluster.local:9115

What logging output did you get from adding &debug=true to the probe URL?
What did you do that produced an error?
What did you expect to see?


# HELP probe_ssl_earliest_cert_expiry Returns earliest SSL cert expiry date
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.655444464e+09
# HELP probe_ssl_last_chain_expiry_timestamp_seconds Returns last SSL chain expiry in unixtime
# TYPE probe_ssl_last_chain_expiry_timestamp_seconds gauge
probe_ssl_last_chain_expiry_timestamp_seconds -6.21355968e+10
# HELP probe_ssl_last_chain_info Contains SSL leaf certificate information
# TYPE probe_ssl_last_chain_info gauge

What did you see instead?

Logs for the probe:
ts=2021-06-18T11:49:24.361029282Z caller=main.go:304 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=info msg="Beginning probe" probe=tcp timeout_seconds=60
ts=2021-06-18T11:49:24.361147413Z caller=tcp.go:41 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=info msg="Resolving target address" ip_protocol=ip4
ts=2021-06-18T11:49:24.364193802Z caller=tcp.go:41 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=info msg="Resolved target address" ip=240.224.66.208
ts=2021-06-18T11:49:24.364219851Z caller=tcp.go:122 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=info msg="Dialing TCP with TLS"
ts=2021-06-18T11:49:24.366345309Z caller=main.go:119 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=error msg="Error dialing TCP" err="tls: first record does not look like a TLS handshake"
ts=2021-06-18T11:49:24.366385816Z caller=main.go:304 module=tls_connect target=blackblock-hippo-svc.do-blackbox-postgres.svc:8009 level=error msg="Probe failed" duration_seconds=0.00527054

Thanks
Athira

Matt Palmer

Jun 21, 2021, 4:49:23 PM
to Prometheus Users
On Mon, Jun 21, 2021 at 08:12:50AM -0700, 'Athira Manohar' via Prometheus Users wrote:
> I am not able to get Postgres certificate expiry details using the blackbox
> exporter, as it throws an error even after successful connectivity. Please
> suggest a way to capture Postgres certificate expiry details into
> Prometheus.

This can't be done with the blackbox exporter, because it is inherently
designed for line-based protocols, and Postgres does not use a line-based
protocol. See https://github.com/prometheus/blackbox_exporter/issues/295
for more details of an equivalent situation.

- Matt

Athira Manohar

Jun 22, 2021, 2:40:27 AM
to Prometheus Users
Hi Matt,

Thanks for the response. So can you please suggest if there is any Prometheus-supported exporter to scrape certificate expiry metrics from Postgres?
