The standard way to monitor SSL certificate expiry is the Prometheus Blackbox Exporter: Blackbox probes the HTTPS site and reads the certificate's validity period, and a Prometheus rule raises an "expiring soon" alert.

1. Install Blackbox Exporter

```bash
# Download (using the latest version as an example)
wget https://github.com/prometheus/blackbox_exporter/releases/download/v0.25.0/blackbox_exporter-0.25.0.linux-amd64.tar.gz
tar zxf blackbox_exporter-*.tar.gz
cd blackbox_exporter-*
# Start (default port 9115)
./blackbox_exporter --config.file=blackbox.yml
```

2. Configure Blackbox (blackbox.yml)

A module dedicated to enforcing the SSL certificate check:

```yaml
modules:
  http_ssl_cert:
    prober: http
    timeout: 5s
    http:
      # Blackbox compares against the response protocol string, which is "HTTP/2.0" for HTTP/2
      valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
      method: GET
      # Allow self-signed/expired certificates; only the validity period is read.
      # With insecure_skip_verify the probe does not validate the chain or hostname.
      fail_if_ssl: false
      fail_if_not_ssl: true
      tls_config:
        insecure_skip_verify: true
```

3. Prometheus configuration (prometheus.yml)

```yaml
scrape_configs:
  - job_name: blackbox_ssl
    metrics_path: /probe
    params:
      module: [http_ssl_cert]  # matches the module above
    static_configs:
      - targets:
          - https://www.baidu.com
          - https://your-domain.com
          - https://api.yourapp.com
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9115  # Blackbox address
```

4. Key metrics

- probe_ssl_earliest_cert_expiry: certificate expiry timestamp (Unix seconds)
- probe_success: whether the probe succeeded (1 = success)

5. Alert rules (ssl_rules.yml)

```yaml
groups:
  - name: ssl_cert_alerts
    rules:
      # Warning: expires within 30 days
      - alert: SSL_Cert_Expire_In_30_Days
        expr: (probe_ssl_earliest_cert_expiry - time()) / 86400 < 30
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: SSL证书即将过期30天内
          description: "实例 {{ $labels.instance }} 证书还有 {{ $value | printf \"%.0f\" }} 天过期"
      # Critical: expires within 7 days
      - alert: SSL_Cert_Expire_In_7_Days
        expr: (probe_ssl_earliest_cert_expiry - time()) / 86400 < 7
        for: 2m
        labels:
          severity: critical
        annotations:
          summary: SSL证书即将过期7天内
          description: "实例 {{ $labels.instance }} 证书还有 {{ $value | printf \"%.0f\" }} 天过期"
      # Already expired
      - alert: SSL_Cert_Expired
        expr: probe_ssl_earliest_cert_expiry - time() < 0
        for: 1m
        labels:
          severity: disaster
        annotations:
          summary: SSL证书已过期
          description: "实例 {{ $labels.instance }} 证书已过期请立即更换"
```

6. Load the rules in prometheus.yml

```yaml
rule_files:
  - ssl_rules.yml
```

7. Reload to apply

```bash
# Hot reload (requires --web.enable-lifecycle)
curl -X POST http://localhost:9090/-/reload
# Or restart
systemctl restart prometheus
```

8. Verify

- Prometheus → Status → Targets: check that blackbox_ssl is UP.
- Prometheus → Graph: run the query below; you should see a timestamp.

```plaintext
probe_ssl_earliest_cert_expiry
```

- Prometheus → Alerts: check whether any SSL alerts have fired.

9. Common queries (remaining days)

```promql
# Remaining days for all domains
(probe_ssl_earliest_cert_expiry - time()) / 86400
# Expiring within 30 days
(probe_ssl_earliest_cert_expiry - time()) / 86400 < 30
```

10. Grafana panel (optional)

Import Dashboard ID 13230 (Blackbox Exporter HTTPS/SSL).

Summary

- Blackbox Exporter: probes HTTPS and reads the certificate validity period
- Prometheus: scrapes the probe_ssl_earliest_cert_expiry metric
- Alert rules: evaluate the remaining days (30/7/0 days)
- Alertmanager: sends email / WeCom / DingTalk notifications
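
A quick check to go with the verification step, as an added example that is not part of the original article: it applies the 30/7/0-day thresholds from ssl_rules.yml to raw Blackbox `/probe` output and also reports the case where the expiry metric is absent (no TLS handshake took place), which none of the expiry expressions can match. The names `parse_metrics`, `classify` and `SAMPLE` are hypothetical, and the sample output is constructed.

```python
"""Apply the 30/7/0-day thresholds from ssl_rules.yml to raw /probe output."""
import time

# Constructed sample of Blackbox /probe output (not captured from a real target).
# Real output comes from http://127.0.0.1:9115/probe?module=http_ssl_cert&target=<url>
SAMPLE = """\
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 1.7e+09
# TYPE probe_http_duration_seconds gauge
probe_http_duration_seconds{phase="tls"} 0.042
# TYPE probe_success gauge
probe_success 1
"""

def parse_metrics(text):
    """Return {name: value} for unlabelled samples in Prometheus text format."""
    metrics = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "{" in line:
            continue  # skip comments and labelled series
        parts = line.split()
        if len(parts) >= 2:
            try:
                metrics[parts[0]] = float(parts[1])
            except ValueError:
                pass  # ignore malformed values
    return metrics

def classify(text, now=None):
    """Return (severity, days_left), reporting only the most severe tier."""
    now = time.time() if now is None else now
    expiry = parse_metrics(text).get("probe_ssl_earliest_cert_expiry")
    if expiry is None:
        # Metric absent: the expiry expressions return nothing, so no alert
        # fires. Look at probe_success for this target instead.
        return ("no_data", None)
    days_left = (expiry - now) / 86400  # same arithmetic as the rules
    if days_left < 0:
        return ("disaster", days_left)
    if days_left < 7:
        return ("critical", days_left)
    if days_left < 30:
        return ("warning", days_left)
    return ("ok", days_left)

if __name__ == "__main__":
    print(classify(SAMPLE))
```
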