feat: cert-checker #220

Open
opened 2026-03-28 04:22:27 +00:00 by mfreeman451 · 0 comments

Imported from GitHub.

Original GitHub issue: #607
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/issues/607
Original created: 2025-04-14T13:45:19Z


Monitors SSL/TLS certificates on services (e.g., HTTPS endpoints, gRPC servers) by connecting, retrieving certificates, and checking expiry dates. Reports days until expiry and alerts if nearing expiration (e.g., <30 days).

Value Proposition:

  • Unique Niche: Ensures certificate health, critical for mTLS-heavy ServiceRadar (tls-security.md) and external services (e.g., APIs, web servers). No overlap with sysmon, rperf, snmp, or dusk.

  • Lightweight: One TLS handshake every 5m produces 100 bytes (e.g., days_left: 90). Fits SQLite’s ~24 GB/day (0.05 MB/day/host).

  • Proxmox Fit: Monitors certificates for services on Proxmox (e.g., containerized APIs) or ServiceRadar’s own mTLS certs (/etc/serviceradar/certs).

  • Security: Uses mTLS for gRPC and validates endpoint certs, aligning with tls-security.md.

  • Proactive: Prevents outages from expired certs, a common issue in air-gapped networks.

Implementation:

  • Logic: Use crypto/tls to connect and get Certificate.NotAfter. Calculate days until expiry.

  • Data: Store in timeseries_metrics:

```sql
INSERT INTO timeseries_metrics (poller_id, name, value, type, timestamp, metadata)
VALUES ('host1', 'cert_api', 90.0, 'cert', '2025-04-14T12:00:00Z', '{"subject": "CN=api.exampl
```

Config (/etc/serviceradar/checkers/cert.json):

```json
{
  "listen_addr": ":50086",
  "security": {
    "mode": "mtls",
    "cert_dir": "/etc/serviceradar/certs",
    "role": "checker",
    "tls": {
      "cert_file": "cert-checker.pem",
      "key_file": "cert-checker-key.pem",
      "ca_file": "root.pem"
    }
  },
  "targets": [
    {
      "name": "api-cert",
      "endpoint": "https://api.example.com:443",
      "poll_interval": "5m",
      "timeout": "5s",
      "warn_days": 30
    }
  ]
}
```

Poller:

```json
{
  "agents": {
    "local-agent": {
      "checks": [
        {
          "service_type": "cert",
          "service_name": "api-cert",
          "details": "{\"endpoint\": \"https://api.example.com:443\", \"warn_days\": 30}"
        }
      ]
    }
  }
}
```

Storage: Add processCertMetrics to core/server.go, storing expiry days and subject.
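The Logic step above (dial with crypto/tls, read Certificate.NotAfter, compute days until expiry, compare against warn_days) worked through in Go, as an added example and not code from the serviceradar repository. It also handles a failure mode the issue text does not spell out: with crypto/tls's default verification, an already-expired or untrusted endpoint certificate fails the handshake before NotAfter can be read, so the checker below performs chain verification itself in VerifyConnection and reports both days_left and the verification error instead of only a dial failure. CertStatus, checkCert, its serverName/warnDays parameters and the scaffolding helpers (must, newCert, serveOnce, runScenarios) are names assumed for this example; the CA, the three server certificates and the loopback TLS server are constructed in-process so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math"
	"math/big"
	"net"
	"time"
)

// CertStatus is one poll result (illustrative shape, not ServiceRadar's own types).
type CertStatus struct {
	Subject   string
	DaysLeft  int    // whole days until NotAfter (floor), so negative once expired
	Warn      bool   // DaysLeft < warn_days
	VerifyErr string // non-empty if the chain fails to verify against roots (trust, hostname, validity)
}

// checkCert dials addr with SNI serverName and reports days until the leaf expires. Verification runs by hand in
// VerifyConnection: the default verifier would abort the handshake on an expired or untrusted cert before
// NotAfter is visible, so the error is recorded in VerifyErr and days_left is still reported.
func checkCert(addr, serverName string, roots *x509.CertPool, timeout time.Duration, warnDays int, now time.Time) (CertStatus, error) {
	var st CertStatus
	cfg := &tls.Config{
		ServerName: serverName, InsecureSkipVerify: true, // verification is replaced by VerifyConnection below, not skipped
		VerifyConnection: func(cs tls.ConnectionState) error {
			leaf := cs.PeerCertificates[0] // a TLS client always has the server's leaf here, even on resumption
			st.Subject = leaf.Subject.String()
			st.DaysLeft = int(math.Floor(leaf.NotAfter.Sub(now).Hours() / 24))
			st.Warn = st.DaysLeft < warnDays
			inter := x509.NewCertPool() // intermediates the server sent, if any
			for _, c := range cs.PeerCertificates[1:] {
				inter.AddCert(c)
			}
			if _, err := leaf.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inter, CurrentTime: now}); err != nil {
				st.VerifyErr = err.Error()
			}
			return nil // never abort here: the point is to record the result either way
		},
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg) // timeout covers connect and handshake
	if err != nil {
		return st, fmt.Errorf("tls dial %s: %w", addr, err)
	}
	_ = conn.Close()
	return st, nil
}

// Test scaffolding from here on (throwaway P-256 CA, leaf certs, loopback server) so the example runs offline.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newCert(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

func serveOnce(cert *x509.Certificate, key *ecdsa.PrivateKey) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}))
	go func() { // one handshake; the caller closes the listener afterwards
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake()
			_ = c.Close()
		}
	}()
	return ln
}

// runScenarios polls three constructed targets: 90.5 days left, 10.5 days left (below warn_days=30), expired 2.5 days ago.
func runScenarios() []CertStatus {
	now, day := time.Now().UTC().Truncate(time.Second), 24*time.Hour
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test root"},
		NotBefore: now.Add(-400 * day), NotAfter: now.Add(3650 * day), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := newCert(caTmpl, caTmpl, caKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	var out []CertStatus
	for i, ttl := range []time.Duration{90*day + 12*time.Hour, 10*day + 12*time.Hour, -(2*day + 12*time.Hour)} {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		leaf := newCert(&x509.Certificate{SerialNumber: big.NewInt(int64(i + 2)), Subject: pkix.Name{CommonName: "api.example.com"},
			DNSNames: []string{"api.example.com"}, NotBefore: now.Add(-365 * day), NotAfter: now.Add(ttl)}, ca, key, caKey)
		ln := serveOnce(leaf, key)
		out = append(out, must(checkCert(ln.Addr().String(), "api.example.com", roots, 5*time.Second, 30, now)))
		_ = ln.Close()
	}
	return out
}

func main() {
	for _, s := range runScenarios() {
		fmt.Printf("%s days_left=%d warn=%v verify_err=%q\n", s.Subject, s.DaysLeft, s.Warn, s.VerifyErr)
	}
}
```

For a real target, pass the host:port taken from the endpoint in cert.json as addr, the hostname as serverName (it drives both SNI and the hostname check), a pool loaded from ca_file (or nil to use the system roots), and the configured timeout and warn_days; st.DaysLeft is the value and st.Subject the metadata the issue proposes to store. The expired scenario is the reason for the VerifyConnection design: a checker that lets the default verifier fail the handshake would record "dial error" for exactly the certificate it most needs to report on.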
