node-cert-exporter's Introduction

node-cert-exporter

Prometheus exporter for x509 certificates written in Go. node-cert-exporter will parse SSL certificates in a number of directories recursively and expose their expiry as a Prometheus metric at /metrics. It can run on Kubernetes as a Deployment or DaemonSet, or using Docker.

This project is currently in beta and is looking for contributors. Feel free to leave your feedback using issues or pull requests.

Kubernetes DaemonSet

kubectl apply -f https://raw.githubusercontent.com/amimof/node-cert-exporter/master/deploy/daemonset.yml

Docker

docker run -p 9117:9117 ghcr.io/amimof/node-cert-exporter --logtostderr=true --include-glob /etc/ssl/*/*.pem

Helm

helm repo add node-cert-exporter https://amimof.github.io/node-cert-exporter
helm repo update
helm install node-cert-exporter node-cert-exporter/node-cert-exporter

Binary

curl -LOs https://github.com/amimof/node-cert-exporter/releases/latest/download/node-cert-exporter-linux-amd64 && chmod +x node-cert-exporter-linux-amd64
./node-cert-exporter-linux-amd64 --include-glob /etc/ssl/*/*.pem

Building from source

git clone https://github.com/amimof/node-cert-exporter.git
cd node-cert-exporter
make

Grafana Dashboard

Once node-cert-exporter is scraped by Prometheus, the metrics can easily be visualized using Grafana. Get started with the Node Cert Exporter dashboard hosted at grafana.com.

Contribute

All help in any form is highly appreciated and you are welcome to participate in developing together. To contribute, submit a Pull Request. If you want to provide feedback, open a GitHub Issue or contact me personally.

node-cert-exporter's People

Contributors: alxrem, amimof, barlik, costasd, deltawhy, dependabot[bot], holmesb, karandash8, lentzi90, omgbebebe, stas2k


node-cert-exporter's Issues

keystore

Hi

I was trying to monitor the java keystores using the node-cert-keystore but it doesn't do so. It may require password to be passed to view the certificate.
I saw a package called keystore.go in the pkg.dev.go. Is it possible to integrate this code into your code and compile it to make a new binary?

Kindly can you let us know

.pfx files monitoring

  • This feature/enhancement benefits everyone
    Yes

Description
Currently this exporter supports only .pem/.cert/.cer/.crt. Can you update the exporter to support the .pfx format as well?
Also, in the README file, it would be good if you could add the steps to build this code. It helps in updating the code locally and contributing.

Additional information

Passing extra labels while running node cert exporter

  • This feature/enhancement benefits everyone
    Yes

Description
Thanks for your effort in creating this. I have been actively using this in our company to monitor different certs.

One major difficulty I faced is filtering the certs based on different environments.
We have around 15 environments (both Production & Internal). It is very difficult to filter the certs based on environments in Grafana. Currently we are monitoring 150+ certs across multiple environments.

Is there a way to pass labels (environment name) along with the path while executing node-cert-exporter, so that it will be easy in Grafana to filter/create a separate table for each environment? It would be good if you could add this as an optional parameter.

Additional information

Need to run the container without root privileges

I am running this cert exporter in OpenShift 3.11.

I am able to extract certificate details if I am running this app as a root container. But I am unable to extract the certificate details if I am running it as non-root, e.g. with the hostaccess SCC.

Please advise the way to run it as non-root container using sufficient linux capabilities to read certificate files.

cer/cert format not readable

Hi guys,

First thx for that nice exporter it makes my Cert monitoring much easier.

One thing: is it possible to make it able to read the cer and cert formats?

Even though I see in the code:
extensions = []string{".pem", ".crt", ".cert", ".cer", ".pfx"}

I always get the output error:
glog.Warningf("Couldn't find a CERTIFICATE block in %s", path)

As a workaround I convert cer and cert certificates to pem.

Thx guys.

Old helm release has been overridden: 1.0.1

Why has version 1.0.1 been removed? Is it voluntary to override the previous release?
Will the next release remove the old one?

We use the Flux CD helm operator, and it doesn't like it when a helm chart disappears from the source repository.

Refer to this commit : 9c516c1

Outdated version of prometheus/client_golang generating warnings

Description
The binary is generating many warnings about attempting to write headers after the body of a request has been written when serving metrics to Prometheus' scrapers.

http: superfluous response.WriteHeader call from github.com/prometheus/client_golang/prometheus/promhttp.(*responseWriterDelegator).WriteHeader (delegator.go:59)
http: superfluous response.WriteHeader call from github.com/prometheus/client_golang/prometheus/promhttp.(*responseWriterDelegator).WriteHeader (delegator.go:59)
http: superfluous response.WriteHeader call from github.com/prometheus/client_golang/prometheus/promhttp.(*responseWriterDelegator).WriteHeader (delegator.go:59)

Steps to reproduce the issue:

  1. Download latest (as of this writing, 1.1.4) linux-amd64 binary
  2. Run it
  3. Watch the logs

Describe the results you received:
Service logs (I'm running it as a daemon through SystemD) are full of warnings.

Describe the results you expected:
No warnings about headers being written after the body.

Additional information:
This issue has been fixed upstream back in early 2020 at prometheus/client_golang@586178b, subsequently released in https://github.com/prometheus/client_golang/releases/tag/v1.5.1

I believe the version you currently have pinned in go.mod is too old.

Output of node-cert-exporter --version:

Version: v1.1.4
Commit: 7c8e3f8df55a710984280e5893d278b90262303f
Branch: HEAD
GoVersion: 1.20.4

Additional environment details:
Ubuntu Focal, amd64 arch, AWS instance.

New Release?

We would need a new release since the last release was almost one and half year ago and new features/fixes have landed after that.

Any plans ?

Do not search in --exclude-path

  • This feature/enhancement benefits everyone

Description
Currently the exporter walks through all the contents of the path(s) provided, and then skips all paths under the --exclude-path.

func (e *Exporter) Scrape(ch chan<- prometheus.Metric) {
	for _, root := range e.roots {
		exPaths := e.exRoots
		paths := []string{}
		err := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {
			for _, exPath := range exPaths {
				if strings.Contains(filepath.Dir(path), exPath) || path == exPath {
					return nil
				}
			}

This causes an issue in cases where the number of subfolders/files under the path is very high (i.e. k3s clusters under /var/lib/rancher/k3s/agent, which contains the containerd folder). In that case the exporter just hangs, without any error, and the metrics are not reported.

It would be great if it skipped them from the search in the first place.

Release 1.0.0-beta4

Hi @amimof ,

If you have time, could you please add 1.0.0-beta4 tag, as we have hostname in metrics now and also a bugfix for a certificate version representation since 1.0.0-beta3.

Kind regards,
Sergei

TLS support

  • This feature/enhancement benefits everyone

(I guess not everyone would use this feature, so left it unticked. 🤷)

Description

In some situations it would be useful or even required to use TLS for the traffic between prometheus and node-cert-exporter.
This feature request is for adding support for TLS to node-cert-exporter.
I imagine this would work similar to other applications that support TLS, by adding some flags like --tls, --tls-cert-file and --tls-key-file.

Additional information

My employer is interested in this feature and I would be willing to implement it if it is accepted.

CER certificate not scanned

Binary certificate with extension ".cer" is not read by node-cert-exporter and not shown in export or Grafana

run "/usr/local/bin/node-cert-exporter-linux-amd64 --path=/data/ssl/certs"

Expected result: certificate shown in output

Would be good to have some logging when issues appear.

Version: 1.0.0
Commit: 437ae63
Branch: HEAD
GoVersion: 1.12


Centos 7

No certs picked up if one of the certificates in a directory has wrong SELinux context set

Description
Exporter fails to examine all certificates in a directory when there's a single file with wrong SELinux context set.

Steps to reproduce the issue:

  1. Prepare a directory with some certificates.
  2. Make sure that SELinux runs in enforcing mode
    setenforce 1
  3. Change the context of one of the certificates
    chcon -t admin_home_t /etc/origin/test-bundle.crt
  4. Run the exporter within a different context
    runcon -u system_u -r system_r -t container_t ./node-cert-exporter-linux-amd64 --path /etc/origin/
  5. Query the exporter
  6. There's no metrics for any of the certs in the directory.

Describe the results you received:
No metrics exposed.

Describe the results you expected:
Metrics exposed for all certificates barring the single cert (file) with wrong file permissions (SELinux context).

Additional information:

Output of node-cert-exporter --version:

Version: 1.0.0
Commit: 45a23445d365cb7f1db9e3e6d55666f759e1fc99
Branch: master
GoVersion: 1.15.2

Additional environment details:
Red Hat Enterprise Linux Server release 7.6

Image 1.0.1 does not match release 1.0.1 - ssl_certificate_expiry_failed not implemented

The docker image tag 1.0.1 does not correspond to changes advertised in release 1.0.1 (i.e. does not implement ssl_certificate_expiry_failed, which I am after).
Would it be possible to have a tag matching the release and the image to be able to pull by release tag, rather than latest?
I would like to be able to pin a specific release to avoid possible outages due to changes to the latest image.

Containers are unable to start

Description
I am deploying this as a daemonset in an OpenShift cluster. The DS is unable to create containers and fails with the below errors in the event logs:

Error: failed to start container "node-cert-exporter": Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "exec: "--v=2": executable file not found in $PATH"

Steps to reproduce the issue:

  1. used the daemonset file to deploy the node exporter

Describe the results you received:
Error: failed to start container "node-cert-exporter": Error response from daemon: oci runtime error: container_linux.go:235: starting container process caused "exec: "--v=2": executable file not found in $PATH"

Describe the results you expected:
no errors and containers should start successfully;

Additional information:

Output of node-cert-exporter --version:


Additional environment details:

Add ARM container image

  • This feature/enhancement benefits everyone

Description
Hello, is there any chance we could get a container image for linux/arm64 added to the registry? I'm interested in using this project on AWS Graviton servers. I'd be happy to work on a PR if this is something you're willing to add.

Additional information
The existing Dockerfile works on arm64, so just CI needs to be updated.

Exporter broke if can't parse any file

If the exporter can't open a file, it won't expose any data. For example, a folder with an etcd crt file:

etcd.conf
ca.crt

Exporter error:
Error looking for certificates in /opt/etc/etcd/: lstat /opt/etc/etcd/etcd.conf: permission denied
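The scanning behaviour the README describes (walk directories recursively, parse the certificates, expose their expiry as a Prometheus metric), together with three failure modes raised in the issues above (an excluded directory that should be pruned rather than walked and then filtered, binary DER ".cer" files, and a single unreadable or malformed file suppressing every other certificate), as one added Go example. This is illustration code written for this page, not node-cert-exporter's own source: the metric name ssl_certificate_expiry_seconds, the function names and the sample directory it builds are assumptions, and exclusions are given as exact directory paths rather than globs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"io/fs"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// CertSample holds the label values for one certificate and its NotAfter as a Unix timestamp.
type CertSample struct{ Path, Subject, Serial string; Expiry int64 }

// parseCertFile parses the first PEM block, or the whole file as raw DER when there is no PEM armour (binary ".cer").
func parseCertFile(path string) (*x509.Certificate, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	if block, _ := pem.Decode(data); block != nil {
		return x509.ParseCertificate(block.Bytes) // errors cleanly when the block is a key, not a cert
	}
	return x509.ParseCertificate(data)
}

// Scan prunes excluded dirs before descending (fs.SkipDir) and records per-file errors instead of aborting the walk.
func Scan(roots []string, exclude map[string]bool) ([]CertSample, map[string]error) {
	var samples []CertSample
	failed := map[string]error{}
	exts := map[string]bool{".pem": true, ".crt": true, ".cert": true, ".cer": true}
	for _, root := range roots {
		filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			switch {
			case err != nil: // lstat/readdir failure such as permission denied: record it, keep walking
				failed[path] = err
			case exclude[path] && d.IsDir():
				return fs.SkipDir // the excluded subtree is never enumerated at all
			case exclude[path] || d.IsDir() || !exts[filepath.Ext(path)]:
			default:
				if cert, perr := parseCertFile(path); perr != nil {
					failed[path] = perr // unreadable or malformed: reported, not fatal
				} else {
					samples = append(samples, CertSample{path, cert.Subject.String(),
						cert.SerialNumber.String(), cert.NotAfter.Unix()})
				}
			}
			return nil
		})
	}
	return samples, failed
}

// Exposition renders Prometheus text format; the metric name is an assumption for this example, %q escapes label values.
func Exposition(samples []CertSample) string {
	out := ""
	for _, s := range samples {
		out += fmt.Sprintf("ssl_certificate_expiry_seconds{path=%q,subject=%q,serial=%q} %d\n", s.Path, s.Subject, s.Serial, s.Expiry)
	}
	return out
}

// WriteSampleTree builds the constructed demo tree: a self-signed cert as PEM and raw DER, a config, a corrupt .crt, an excluded copy.
func WriteSampleTree(dir string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "example.test"}, NotBefore: time.Date(2029, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	files := map[string][]byte{"site/cert.pem": pemBytes, "site/cert.cer": der, "containerd/blob.crt": pemBytes, "etcd.conf": []byte("name=etcd\n"), "broken.crt": []byte("not a certificate")}
	for name, data := range files {
		p := filepath.Join(dir, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "certscan") // demo only: temp-dir setup errors are ignored
	defer os.RemoveAll(dir)
	_ = WriteSampleTree(dir)
	samples, failed := Scan([]string{dir}, map[string]bool{filepath.Join(dir, "containerd"): true})
	fmt.Printf("%s# %d file(s) skipped: %v\n", Exposition(samples), len(failed), failed)
}
```

Run as written it prints two metric lines (the PEM and the DER copy of the same certificate), reports broken.crt as the only failure, ignores etcd.conf by extension and never enters containerd/. Returning fs.SkipDir from the callback is what keeps a large excluded tree from being walked; comparing the directory against the exclusion list after the fact, as the issue above describes, still pays the full cost of enumerating it.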

Helm install fails

Helm install errors for me now. The first two commands in the readme work fine:
helm repo add node-cert-exporter https://amimof.github.io/node-cert-exporter
helm repo update
Then the install command fails:

user@~/$ helm install node-cert-exporter node-cert-exporter/node-cert-exporter
Error: failed to download "node-cert-exporter/node-cert-exporter" (hint: running `helm repo update` may help)

Is this because the index.yaml file is still needed?

Differences in binaries and docker execution

I'm facing trouble while executing node-cert-exporter in the binary version, following the instructions in the documentation. If I run the Docker version I can see in the Grafana dashboard the same thing that's shown in the documentation's image, but I don't want to run node-cert-exporter in the Docker version, but the binary version. And when I do that I see a bunch of certificates which are outside the path that I passed with the --include-glob parameter.

What I execute:
node-cert-exporter --include-glob /etc/letsencrypt/live/*/*.pem
👆 that directory contains a dir (my_site) and inside it three .pem files (file1.pem, file2.pem, file3.pem)

What I want to see (something similar with my certificates, which I can see with the Docker version): [screenshot]

What I actually see: [screenshot]

Additional information:

Output of node-cert-exporter --version:

Version: v1.1.2
Commit: 8f826938657045cc01887f45aa4a89409954a348
Branch: HEAD
GoVersion: 1.15.15

Additional environment details:

OS: Ubuntu 20.04

Add helm chart

Will allow easier parameterising of the directories containing certs, namespace, etc.

Only the first entry in exclude-glob is taken into account

Description
No matter if you specify multiple exclude-glob entries like
--exclude-glob "/path/root_ca.pem,/path/*-key.pem"
or like
--exclude-glob "/path/root_ca.pem" --exclude-glob "/path/*-key.pem"
only the first one will be tested against.

Describe the results you expected:
All exclude-glob entries shall be tested against.
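One way to accept --exclude-glob both as a repeated flag and as a comma-separated list, so that every pattern is collected and tested, as an added Go example that is not the project's own code; globList, ParseExcludes and Excluded are names chosen for this illustration.

```go
package main

import (
	"flag"
	"fmt"
	"path/filepath"
	"strings"
)

// globList is a flag.Value that accepts both a repeated flag and a
// comma-separated list, so every entry ends up in the slice, not just the first.
type globList []string

func (g *globList) String() string { return strings.Join(*g, ",") }

// Set is called once per occurrence of the flag; each occurrence may itself
// carry several comma-separated patterns.
func (g *globList) Set(v string) error {
	for _, p := range strings.Split(v, ",") {
		p = strings.TrimSpace(p)
		if p == "" {
			continue
		}
		if _, err := filepath.Match(p, ""); err != nil { // reject malformed patterns at startup
			return fmt.Errorf("bad glob %q: %w", p, err)
		}
		*g = append(*g, p)
	}
	return nil
}

// ParseExcludes parses an argv slice the way an exporter binary would and
// returns the collected exclude patterns.
func ParseExcludes(args []string) (globList, error) {
	var excludes globList
	set := flag.NewFlagSet("node-cert-exporter", flag.ContinueOnError)
	set.Var(&excludes, "exclude-glob", "glob pattern(s) to skip; repeatable or comma-separated")
	if err := set.Parse(args); err != nil {
		return nil, err
	}
	return excludes, nil
}

// Excluded reports whether path matches any collected pattern: every pattern
// is tested, not only the first one.
func Excluded(patterns []string, path string) bool {
	for _, p := range patterns {
		if ok, _ := filepath.Match(p, path); ok {
			return true
		}
	}
	return false
}

func main() {
	excludes, err := ParseExcludes([]string{"--exclude-glob", "/path/root_ca.pem,/path/*-key.pem", "--exclude-glob", "/other/*.pem"})
	if err != nil {
		panic(err)
	}
	for _, f := range []string{"/path/root_ca.pem", "/path/server-key.pem", "/path/server.pem"} {
		fmt.Printf("%-24s excluded=%v\n", f, Excluded(excludes, f))
	}
}
```

Note that filepath.Match treats * as not crossing a path separator, so /path/*-key.pem matches /path/server-key.pem but not /path/sub/server-key.pem; a pattern that is syntactically invalid is rejected when the flag is parsed rather than silently matching nothing.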

Node Exporter for 32 bits - i686 Linux

Hi all,

Thank you for providing this beautiful tool. Is there a way to build the program in order to run on i686 Linux/386 Linux?
I can see it runs on 64 arm and amd.

Super thanks!

[Feature Request] Please add Serial as a label

Hello maintainers!

right now, exporter emits the following attributes as labels for every certificate:

		labels := prometheus.Labels{
			"path":            path,
			"issuer":          cert.Issuer.String(),
			"alg":             cert.SignatureAlgorithm.String(),
			"version":         strconv.Itoa(cert.Version),
			"subject":         cert.Subject.String(),
			"dns_names":       strings.Join(cert.DNSNames, ","),
			"email_addresses": strings.Join(cert.EmailAddresses, ","),
			"hostname":        hostname,
			"nodename":        nodename,
		}

during certificate renewals, any of these attributes might remain the same - a valid scenario could be for example that we're utilizing
the same issuer company to renew an existing certificate with the same email and DNS names.

I propose serial to be added to the list of emitted labels, as serial is expected to be different for every certificate issued by the same CA.
This could help with scenarios such as confirming that certificates changed on disk after a renewal and their deployment.

  • This feature/enhancement benefits everyone

Description
A PR that would add serial as a label, with its value taken from the cert attributes parsed by crypto/x509.

Additional information
Out of RFC5280:

4.1.2.2.  Serial Number

   The serial number MUST be a positive integer assigned by the CA to
   each certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate).  CAs MUST force the serialNumber to be a non-negative
   integer.

Documentation? Changing the port?

I am struggling to get this thing running with the provided binary. I noticed its using the same port as our apache exporter (9117). I don't see any documentation?

Is this project still alive?

I saw that the most recent release was in May, however there has been no merging of forked branches and the Go version being used is old. I have tested the 1.19 version of Go and that still worked, and #74 has also been tested and works. This would help people utilizing this exporter who have to remediate any vulnerabilities, as these two items have a lot on their older versions.

On the second note, are the containers being stored anywhere besides Dockerhub? That container hasn't been updated for 2 years.
