Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-13 Thread Julian van den Berkmortel
I've tried removing the expiring certificate from the trust store ("/etc/ca-certificates.conf" and "update-ca-certificates") and I thought it yielded the wanted results but... I checked one of the domains which before had the expiry date of May 30th and this one worked, it gave back the proper d

Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Sebastian Ebling
Another option is to remove the intermediate certificate from the chain you provide at your TLS endpoint. Blackbox exporter will then check with the new path as long as you have the cross signed CA in your keystore. Clients that do not have the new cross signed CA in their keystore will fail then.

Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Matt Doughty
Should solve problem with the added benefit that removing the old Root CA is probably a good test to do anyway.
--Matt
On Tue, May 12, 2020 at 6:40 PM Harald Koch wrote:
> On Tue, May 12, 2020, at 18:34, Julian van den Berkmortel wrote:
> > It's in regards to the "probe_ssl_earliest_cert_expiry

Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Harald Koch
On Tue, May 12, 2020, at 18:34, Julian van den Berkmortel wrote:
> It's in regards to the "probe_ssl_earliest_cert_expiry" metric which uses the
> date of the earliest expiring certificate in the chain as its value.
> Its value at the moment is the 30th of May because the root certificate is
> th

Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Julian van den Berkmortel
It's in regards to the "probe_ssl_earliest_cert_expiry" metric which uses the date of the earliest expiring certificate in the chain as its value. Its value at the moment is the 30th of May because the root certificate is the certificate which will expire the earliest in the certificate chain ri

Re: [prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Matt Doughty
If you have an up-to-date trust store, the cross signing certificates for the newer root CAs should mean you don't have to do anything. If you don't have an updated trust store, you have work to do.
--Matt
On Tue, May 12, 2020 at 5:26 PM Julian van den Berkmortel <jul...@weprovide.com> wrote:

[prometheus-users] "Sectigo AddTrust External CA Root" and the "probe_ssl_earliest_cert_expiry"

2020-05-12 Thread Julian van den Berkmortel
I won't ask "why is this happening" because enough has been said about that, the reasoning behind it or what "probe_ssl_earliest_cert_expiry" does, does not or should do. I only have one question which is, what will happen after the expiry of the "Sectigo AddTrust External CA Root" certificate