How to Never Forget SSL and Domain Renewals Again with Prometheus Blackbox Exporter

Monitoring tutorial - IT technology blog

The Nightmare Called “Your connection is not private”

Most of us have probably experienced that feeling: waking up to a phone ringing off the hook with calls from the boss. Customers are complaining that the website is inaccessible. Browsers are displaying that dreaded bright red message: “Your connection is not private.” All your SEO efforts and advertising budget go down the drain just because of an expired SSL certificate.

When I first started out, I managed about 20 websites using a “divine” Excel file. Every once in a while, I’d open it to check expiry dates and handle renewals. One day, I completely forgot about a subdomain running a payment API. The result? The system was paralyzed for 4 hours, the drop-off rate spiked by 30%, and I was immediately called into the boss’s office for a “serious talk.”

That incident taught me a valuable lesson: human memory is the least reliable thing in system operations. To solve this once and for all, I switched to using Prometheus combined with Blackbox Exporter. This system acts as a 24/7 sentry on your behalf.

Three Common SSL Management Styles: Where Do You Stand?

In reality, IT professionals usually fall into one of three groups when it comes to managing system deadlines:

1. The Manual Group (Excel, Google Calendar)

  • Pros: No server resources required; anyone can do it.
  • Cons: Extremely easy to miss things when the number of domains reaches dozens. It’s not real-time. If someone switches providers and forgets to update the Excel file, it’s game over.

2. The Scripting Group (Bash/Python) running Cronjobs

  • Pros: Good automation; can send Telegram messages.
  • Cons: Difficult to manage centrally. Scripts can fail silently without anyone knowing. Storing history to draw stability (uptime) charts is also quite cumbersome.

3. The Modern Monitoring Group (Prometheus & Blackbox Exporter)

  • Pros: Centralized management on a visual Grafana Dashboard. Multi-channel alerts via Slack, Telegram, or PagerDuty. External check mechanisms accurately simulate real user experiences.
  • Cons: Takes a bit of time for the initial setup.

Why is Blackbox Exporter the Optimal Choice?

If your server already has Prometheus monitoring CPU/RAM, integrating Blackbox Exporter takes exactly 5 minutes.

Its operation is quite straightforward. Blackbox Exporter acts as a “virtual user.” It sends HTTP/HTTPS requests to the website and reads the details of the TLS certificate the server presents. You will know the exact expiry date and issuing organization without having to run manual commands.

Real-world experience: Instead of SSHing into each server to run openssl x509 -enddate, I now just glance at the dashboard. Any domain expiring within the next 30 days automatically jumps to the top of the priority list.

Quick Deployment Guide

Step 1: Install Blackbox Exporter with Docker

Using Docker is the fastest way to keep your environment clean. First, create the configuration file:

mkdir -p /etc/blackbox_exporter
vi /etc/blackbox_exporter/blackbox.yml

Content of the blackbox.yml file:

modules:
  http_2xx:
    prober: http
    timeout: 5s
    http:
      valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
      method: GET
      fail_if_not_ssl: true # SSL is required for the check to pass

Launch the container:

docker run -d \
  --name blackbox_exporter \
  -p 9115:9115 \
  -v /etc/blackbox_exporter:/config \
  prom/blackbox-exporter:latest \
  --config.file=/config/blackbox.yml

Step 2: Configure Prometheus to Scrape Data

Next, point Prometheus toward the Blackbox Exporter. Add the following block to prometheus.yml:

scrape_configs:
  - job_name: 'ssl_expiry'
    metrics_path: /probe
    params:
      module: [http_2xx]
    static_configs:
      - targets:
        - https://itfromzero.com
        - https://google.com
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115 # Blackbox Exporter IP

After restarting, check the metric probe_ssl_earliest_cert_expiry. If you see a Unix timestamp (seconds since the epoch) for each target, congratulations, you have successfully retrieved the data.

Step 3: Set Up the Alertmanager “Alarm”

Don’t just stare at charts; let Alertmanager do the work. Create an ssl_rules.yml file (and reference it under rule_files in prometheus.yml so Prometheus evaluates it):

groups:
- name: ssl_expiry_rules
  rules:
  - alert: SSLCertExpiringSoon
    expr: (probe_ssl_earliest_cert_expiry - time()) / 86400 < 15
    for: 1h
    labels:
      severity: warning
    annotations:
      summary: "SSL expiring soon: {{ $labels.instance }}"
      description: "SSL certificate will expire in less than 15 days. Time to renew!"

Here, I use the number 86400 (seconds in a day) to convert the remaining seconds until expiry into a readable number of days. A 15-day alert threshold is the “golden window” to handle payments and renewals.
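To verify a target before the Prometheus and Alertmanager pieces are wired up, here is an added Python example (not from the original post) that scrapes the exporter’s /probe endpoint the way Prometheus does after the relabel_configs above, parses the text output, and evaluates the same 15-day rule locally. It also shows the one gap in the rule: when a probe fails, the exporter emits no probe_ssl_earliest_cert_expiry sample, so the expression matches nothing and never fires. The exporter address is assumed and the sample scrape outputs are constructed.

```python
import re
import time
import urllib.parse
import urllib.request

THRESHOLD_DAYS = 15      # same threshold as the ssl_rules.yml alert above
SECONDS_PER_DAY = 86400  # same conversion as the alert expression
# One sample line: name{optional labels} value. "# HELP"/"# TYPE" lines never match.
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)$')

def parse_probe_output(text):
    """Parse Prometheus text exposition into {metric_name: float}, dropping labels."""
    metrics = {}
    for line in text.splitlines():
        m = SAMPLE_RE.match(line.strip())
        if m:
            metrics[m.group(1)] = float(m.group(3))
    return metrics

def days_until_expiry(metrics, now):
    """(probe_ssl_earliest_cert_expiry - now) / 86400, or None if the metric is absent.
    Absent means the probe failed before the TLS handshake completed; the Prometheus
    alert expr then matches no series and never fires, so also alert on probe_success == 0."""
    expiry = metrics.get("probe_ssl_earliest_cert_expiry")
    return None if expiry is None else (expiry - now) / SECONDS_PER_DAY

def evaluate(text, now=None):
    """Classify one /probe scrape as 'probe_failed', 'expiring_soon' or 'ok'."""
    now = time.time() if now is None else now
    metrics = parse_probe_output(text)
    days = days_until_expiry(metrics, now)
    if metrics.get("probe_success") != 1.0 or days is None:
        return "probe_failed"
    return "expiring_soon" if days < THRESHOLD_DAYS else "ok"

def fetch_probe(target, exporter="http://127.0.0.1:9115"):
    """Scrape the exporter the way Prometheus does after the relabel_configs above."""
    qs = urllib.parse.urlencode({"module": "http_2xx", "target": target})
    with urllib.request.urlopen(f"{exporter}/probe?{qs}", timeout=10) as resp:
        return resp.read().decode()

# Constructed sample output (not a real capture): healthy probe, cert expires in 10 days.
NOW = 1_700_000_000.0
SAMPLE_OK = f"""# TYPE probe_success gauge
probe_success 1
probe_ssl_earliest_cert_expiry {NOW + 10 * SECONDS_PER_DAY:.9e}
probe_tls_version_info{{version="TLS 1.3"}} 1
"""
# Constructed sample: connection refused, so no TLS metric is emitted at all.
SAMPLE_FAIL = "probe_success 0\nprobe_http_status_code 0\n"
```

Against a live exporter, `evaluate(fetch_probe("https://itfromzero.com"))` gives the same verdict the alert rule would, and a result of `probe_failed` tells you the rule above would stay silent.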

Step 4: Don’t Forget Domain Expiry

Blackbox Exporter only checks the certificate, not the domain registration. For domain expiry dates from WHOIS, you should also use domain_exporter (such as the version by caarlos0). It works similarly but will help you avoid the shock of losing your domain to “squatters” because you forgot to pay the registrar.

Conclusion

Letting an SSL certificate or domain name expire is a very basic mistake, but the price is often very high. With the duo of Prometheus and Blackbox Exporter, you don’t just solve the problem of forgetting renewals. You also monitor response times (latency) and hidden HTTP error codes deep within your system.

Don’t wait until the website goes down to scramble for a fix. Spend 30 minutes setting this up today so you can sleep soundly without worrying about the boss calling. Good luck with your implementation!
