Export Digicert certificate information to Prometheus.
Metrics are computed by retrieving data using the Digicert REST API.
Currently, the exporter uses the GET /v2/order/certificate REST endpoint.
The inception of this exporter originated during one of my professional assignments. We needed to determine the validity of our Digicert certificates. While the Blackbox exporter already allows us to assess the validity of the certificate installed on a website/API, we aimed to be alerted in advance of the upcoming certificate change. Implementing certificate changes can be challenging on larger computer systems. Given that we were already operating a substantial Prometheus stack, the idea to create this small exporter came to me.
In order to run this exporter, you need:
- A valid Digicert account, and an API key created here with the View Only permission
- One of these tool chains:
  - Docker (if you run only docker commands)
  - Go v1.22 with Make (if you prefer to run Make & Go commands)
Each time the Prometheus server queries the exporter via a POST /metrics, the exporter fetches the data from the Digicert REST API.
It is important to keep in mind that the Digicert API has a rate limit of 1000 reqs / 5 min combined with a short-term one of 100 reqs / 5 sec, so please keep the scrape frequency as low as possible (a scrape_interval of 30 min might be a good start).
Here is a working example of a Prometheus config for this exporter:

```yaml
scrape_configs:
  - job_name: 'digicert_exporter'
    scrape_interval: 30m
    static_configs:
      - targets: [ 'digicert_exporter:10005' ]
```
Two ways of running the project:
- With Go installed:

  ```
  export DIGICERT_API_KEY=my-key && make run
  ```
- With Docker installed:

  ```
  docker build -t digicert_exporter . && docker run -e DIGICERT_API_KEY=my-key digicert_exporter
  ```
You may also want to build the project with `make build` or `make build-win`.
This command generates an executable named digicert_exporter.[o|exe]
You may also want to start the whole Grafana/Prometheus stack. It's easy. Just run:

```
make dev-stack
```

The Grafana instance is now reachable from http://localhost:3000 with a prometheus datasource, a grafana dashboard already configured, and some alerts via the alertmanager component.
You can find pre-made conf files for each of these components here:
This exporter makes available a bunch of metrics related to Digicert but also to the exporter itself:

Metric | Description | Labels | Notes |
---|---|---|---|
digicert_api_up | Was the last Digicert API query successful | - | - |
digicert_certificate_expire_timestamp_seconds | Certificate expiration date | certificate_common_name, certificate_id, order_id, organization | - |
digicert_scrape_duration_seconds | Exporter scrape duration in seconds | - | - |
promhttp_metric_handler_requests_in_flight | Current number of scrapes being served | - | Available with the --web.exporter-metrics flag |
promhttp_metric_handler_requests_total | Total number of scrapes by HTTP status code | code | Available with the --web.exporter-metrics flag |
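
An alerting rule file built on the metrics above, as an added example that is not part of the exporter's repository. Each selector is wrapped in `last_over_time` because, with a 30m scrape_interval, the latest sample is older than Prometheus's default 5m query lookback for most of the time between scrapes, so a bare selector would return nothing. Assumptions: the 30-day and 7-day thresholds, the severity labels, the 65m and 2h windows, and that digicert_api_up is 1 on success and 0 on failure.

```yaml
groups:
  - name: digicert_certificates
    rules:
      # 65m spans two 30m scrapes, so a single missed scrape does not
      # empty the result and reset the "for" timer.
      - alert: DigicertCertificateExpiresIn30Days
        expr: last_over_time(digicert_certificate_expire_timestamp_seconds[65m]) - time() < 30 * 86400
        for: 1h
        labels:
          severity: warning  # assumed label scheme
        annotations:
          summary: "{{ $labels.certificate_common_name }} expires in under 30 days"
          description: >-
            order_id={{ $labels.order_id }}
            certificate_id={{ $labels.certificate_id }}
            organization={{ $labels.organization }}

      - alert: DigicertCertificateExpiresIn7Days
        expr: last_over_time(digicert_certificate_expire_timestamp_seconds[65m]) - time() < 7 * 86400
        for: 1h
        labels:
          severity: critical
        annotations:
          summary: "{{ $labels.certificate_common_name }} expires in under 7 days"
          description: "order_id={{ $labels.order_id }} organization={{ $labels.organization }}"

      # The exporter answered the scrape but its last Digicert API query
      # failed (bad or revoked API key, rate limit, outage). Expiry data
      # is not being refreshed while this fires.
      - alert: DigicertApiQueryFailing
        expr: last_over_time(digicert_api_up[65m]) == 0
        for: 1h
        labels:
          severity: warning
        annotations:
          summary: "Digicert API queries are failing; certificate expiry data is stale"

      # No sample at all for 2h: the exporter is down or not being scraped,
      # so the expiry alerts above cannot fire.
      - alert: DigicertExporterNoData
        expr: absent_over_time(digicert_api_up[2h])
        labels:
          severity: warning
        annotations:
          summary: "No digicert_exporter samples received for 2h"
```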
You can show the available flags by running:

```
./digicert_exporter.o --help
```

Here is a slightly more detailed list of them:

Flag | Description | Default | Related environment variable |
---|---|---|---|
--log.level | Logging level | info | - |
--log.format | Logging format | logfmt | - |
--version | Show application version | - | - |
--web.listen-port | Port used to run the exporter | :10005 | EXPORTER_PORT |
--web.metrics-path | Path under which to expose metrics | /metrics | EXPORTER_PATH |
--digicert.url | Digicert API URL used to fetch data | https://www.digicert.com/services/v2/order/certificate | DIGICERT_URL |
--digicert.api-key | Digicert API key used for authentication | "" | DIGICERT_API_KEY |
--[no-]digicert.show-expired-certificates | Show expired certificates | false | DIGICERT_SHOW_EXPIRED_CERTIFICATES |
--[no-]digicert.sandbox-mode | Use mock.json test file | false | SANDBOX_MODE |