4 Prometheus alerting rules for SSL/TLS. Exported via ssl_exporter. These rules cover critical and warning conditions — copy and paste the YAML into your Prometheus configuration.
Alert thresholds depend on the nature of your applications. Some queries may have arbitrary tolerance thresholds. Building an efficient monitoring platform takes time. 😉
groups:
- name: RibbybibbySslExporter
rules:
- alert: SSLCertificateProbeFailed
expr: ssl_probe_success == 0
for: 1m
labels:
severity: critical
annotations:
summary: SSL certificate probe failed (instance {{ $labels.instance }})
description: "Failed to fetch SSL information {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: SSLCertificateOCSPStatusUnknown
expr: ssl_ocsp_response_status == 2
for: 0m
labels:
severity: warning
annotations:
summary: SSL certificate OCSP status unknown (instance {{ $labels.instance }})
description: "Failed to get the OCSP status for {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: SSLCertificateRevoked
expr: ssl_ocsp_response_status == 1
for: 0m
labels:
severity: critical
annotations:
summary: SSL certificate revoked (instance {{ $labels.instance }})
description: "SSL certificate revoked {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"
- alert: SSLCertificateExpiry(<7Days)
expr: ssl_verified_cert_not_after{chain_no="0"} - time() < 86400 * 7
for: 0m
labels:
severity: warning
annotations:
summary: SSL certificate expiry (< 7 days) (instance {{ $labels.instance }})
description: "{{ $labels.instance }} Certificate is expiring in 7 days\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" wget https://raw.githubusercontent.com/samber/awesome-prometheus-alerts/refs/heads/master/dist/rules/ssl/tls/ribbybibby-ssl-exporter.yml
Failed to fetch SSL information {{ $labels.instance }}
- alert: SSLCertificateProbeFailed
expr: ssl_probe_success == 0
for: 1m
labels:
severity: critical
annotations:
summary: SSL certificate probe failed (instance {{ $labels.instance }})
description: "Failed to fetch SSL information {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" Failed to get the OCSP status for {{ $labels.instance }}
- alert: SSLCertificateOCSPStatusUnknown
expr: ssl_ocsp_response_status == 2
for: 0m
labels:
severity: warning
annotations:
summary: SSL certificate OCSP status unknown (instance {{ $labels.instance }})
description: "Failed to get the OCSP status for {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" SSL certificate revoked {{ $labels.instance }}
- alert: SSLCertificateRevoked
expr: ssl_ocsp_response_status == 1
for: 0m
labels:
severity: critical
annotations:
summary: SSL certificate revoked (instance {{ $labels.instance }})
description: "SSL certificate revoked {{ $labels.instance }}\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" {{ $labels.instance }} Certificate is expiring in 7 days
- alert: SSLCertificateExpiry(<7Days)
expr: ssl_verified_cert_not_after{chain_no="0"} - time() < 86400 * 7
for: 0m
labels:
severity: warning
annotations:
summary: SSL certificate expiry (< 7 days) (instance {{ $labels.instance }})
description: "{{ $labels.instance }} Certificate is expiring in 7 days\n VALUE = {{ $value }}\n LABELS = {{ $labels }}"