
Alert thresholds depend on the nature of your applications. Some queries may have arbitrary tolerance thresholds. Building an efficient monitoring platform takes time. 😉

cert-manager Prometheus Alert Rules

Four Prometheus alerting rules for cert-manager, using the metrics from its embedded exporter. The rules cover critical and warning conditions; copy the YAML into a rule group in a rules file that your Prometheus configuration loads.

9.3. Embedded exporter (4 rules)

wget https://raw.githubusercontent.com/samber/awesome-prometheus-alerts/refs/heads/master/dist/rules/cert-manager/embedded-exporter.yml

9.3.1. Cert-Manager absent

Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.

- alert: Cert-ManagerAbsent
  expr: absent(up{job="cert-manager"})
  for: 10m
  labels:
    severity: critical
  annotations:
    summary: Cert-Manager absent (job {{ $labels.job }})
    description: "Cert-Manager has disappeared from Prometheus service discovery. New certificates will not be able to be minted, and existing ones can't be renewed until cert-manager is back.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

9.3.2. Cert-Manager certificate expiring soon

The certificate {{ $labels.name }} is expiring in less than 21 days.

  # Threshold of 21 days is a rough default. ACME certificates are typically renewed 30 days before expiry, so expiring within 21 days may indicate issuer misconfiguration.
- alert: Cert-ManagerCertificateExpiringSoon
  expr: avg by (exported_namespace, namespace, name) (certmanager_certificate_expiration_timestamp_seconds - time()) < (21 * 24 * 3600)
  for: 1h
  labels:
    severity: warning
  annotations:
    summary: Cert-Manager certificate expiring soon (certificate {{ $labels.name }})
    description: "The certificate {{ $labels.name }} is expiring in less than 21 days.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

9.3.3. Cert-Manager certificate not ready

The certificate {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready to serve traffic.

- alert: Cert-ManagerCertificateNotReady
  expr: max by (name, exported_namespace, namespace, condition) (certmanager_certificate_ready_status{condition!="True"} == 1)
  for: 10m
  labels:
    severity: critical
  annotations:
    summary: Cert-Manager certificate not ready (certificate {{ $labels.name }})
    description: "The certificate {{ $labels.name }} in namespace {{ $labels.exported_namespace }} is not ready to serve traffic.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"

9.3.4. Cert-Manager hitting ACME rate limits

Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.

  # Metric renamed in cert-manager v1.19+ (dropped the http_ prefix): certmanager_acme_client_request_count.
  # For cert-manager < v1.19, use: certmanager_http_acme_client_request_count.
- alert: Cert-ManagerHittingACMERateLimits
  expr: sum by (host) (rate(certmanager_acme_client_request_count{status="429"}[5m])) > 0
  for: 5m
  labels:
    severity: critical
  annotations:
    summary: Cert-Manager hitting ACME rate limits (host {{ $labels.host }})
    description: "Cert-Manager is being rate-limited by the ACME provider. Certificate issuance and renewal may be blocked for up to a week.\n  VALUE = {{ $value }}\n  LABELS = {{ $labels }}"
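
To check what rules 9.3.2 to 9.3.4 would match before loading them, the following added example (not part of the awesome-prometheus-alerts project) applies the same conditions to a single cert-manager /metrics scrape in Python. The sample scrape, `NOW` and the finding names are constructed for illustration; `for:` durations and `rate()` are not modelled.

```python
import re

# Constructed sample of a cert-manager /metrics scrape (not real data).
SAMPLE = """\
certmanager_certificate_expiration_timestamp_seconds{name="web-tls",namespace="prod"} 1.700864e+09
certmanager_certificate_expiration_timestamp_seconds{name="api-tls",namespace="prod"} 1.705184e+09
certmanager_certificate_ready_status{condition="True",name="web-tls",namespace="prod"} 1
certmanager_certificate_ready_status{condition="False",name="web-tls",namespace="prod"} 0
certmanager_certificate_ready_status{condition="True",name="api-tls",namespace="prod"} 0
certmanager_certificate_ready_status{condition="False",name="api-tls",namespace="prod"} 1
certmanager_acme_client_request_count{host="acme.example.test",status="429"} 3
certmanager_acme_client_request_count{host="acme.example.test",status="201"} 12
"""
NOW = 1_700_000_000  # constructed "current time": web-tls expires in 10 days, api-tls in 60

SAMPLE_LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Both names from the rule comment: v1.19+ and the older http_-prefixed one.
ACME_COUNTERS = ("certmanager_acme_client_request_count",
                 "certmanager_http_acme_client_request_count")

def parse(text):
    """Yield (metric, labels, value) for each labelled sample line."""
    for line in text.splitlines():
        m = SAMPLE_LINE.match(line.strip())
        if m:
            yield m.group(1), dict(LABEL.findall(m.group(2))), float(m.group(3))

def evaluate(text, now, threshold=21 * 24 * 3600):
    """Return (condition, subject) pairs that the rules' expressions would match."""
    findings = []
    for metric, labels, value in parse(text):
        cert = f"{labels.get('namespace')}/{labels.get('name')}"
        if metric == "certmanager_certificate_expiration_timestamp_seconds":
            if value - now < threshold:
                findings.append(("ExpiringSoon", cert))
        elif metric == "certmanager_certificate_ready_status":
            if labels.get("condition") != "True" and value == 1:
                findings.append(("NotReady", cert))
        elif metric in ACME_COUNTERS and labels.get("status") == "429":
            # One scrape cannot compute rate(); a non-zero counter only shows
            # that 429 responses occurred since cert-manager started.
            if value > 0:
                findings.append(("ACMERateLimited", labels.get("host")))
    return findings

if __name__ == "__main__":
    for condition, subject in evaluate(SAMPLE, NOW):
        print(condition, subject)
```

In a raw scrape the namespace label is `namespace`; `exported_namespace` only appears after Prometheus renames it on ingestion, which is why the rules group by both.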