
probe_ssl_earliest_cert_expiry randomly flips between giving right and wrong result #1047

Closed
pieter-lautus opened this issue Mar 23, 2023 · 6 comments

Comments

@pieter-lautus

Host operating system: output of uname -a

Linux monitoring 5.13.0-1021-aws #23~20.04.2-Ubuntu SMP Thu Mar 31 11:36:15 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

blackbox_exporter version: output of blackbox_exporter --version

blackbox_exporter, version 0.23.0 (branch: HEAD, revision: 26fc98b9c6db21457653ed752f34d1b7fb5bba43)
  build user:       root@f360719453e3
  build date:       20221202-12:26:32
  go version:       go1.19.3
  platform:         linux/amd64

What is the blackbox.yml module config.

modules:
  apache_probe:
    prober: http
    http:
      fail_if_not_ssl: true
      fail_if_body_not_matches_regexp:
      - ^[<]html
  jnlp_probe:
    prober: http
    http:
      fail_if_not_ssl: true
      fail_if_body_not_matches_regexp:
      - ^[<]jnlp
      - <jar href="tau-common\.jar"/>
  web_login_probe:
    prober: http
    http:
      fail_if_not_ssl: true
      fail_if_body_not_matches_regexp:
      - <title>Tau</title>
      - <form\ accept\-charset="UTF\-8"\ action="/web/login"\ method="post">
      - <input\ id="user_name"\ name="user_name"\ type="text"\ />
      - <input\ id="login"\ name="commit"\ type="submit"\ value="Login"\ />

What is the prometheus.yml scrape config.

- job_name: apache_probe
  static_configs:
  - targets:
    # Redacted
    - https://tau-psg-clone-02.lautus.net/
  relabel_configs:
  - source_labels:
    - __address__
    target_label: __param_target
  - source_labels:
    - __param_target
    target_label: instance
    regex: (?P<scheme>(?:http|https)://)(?P<login>|[[:alnum:].%+]+:[[:alnum:].%+]*@)(?P<hostname>[[:alnum:]-.]+)(?P<port>|:[[:digit:]]+)(?P<path>/.*)
    replacement: ${scheme}${hostname}${port}${path}
  - source_labels:
    - __param_target
    target_label: hostname
    regex: (?P<scheme>(?:http|https)://)(?P<login>|[[:alnum:].%+]+:[[:alnum:].%+]*@)(?P<hostname>[[:alnum:]-.]+)(?P<port>|:[[:digit:]]+)(?P<path>/.*)
    replacement: ${hostname}
  - target_label: __address__
    replacement: 127.0.0.1:9115
  scrape_timeout: 10s
  metrics_path: /probe
  params:
    module:
    - apache_probe

What logging output did you get from adding &debug=true to the probe URL?

Output at a time when probe_ssl_earliest_cert_expiry gave correct value:

ts=2023-03-23T05:59:59.881846341Z caller=main.go:181 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Beginning probe" probe=http timeout_seconds=119.5
ts=2023-03-23T05:59:59.881947502Z caller=http.go:327 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Resolving target address" target=tau-psg-clone-02.lautus.net ip_protocol=ip6
ts=2023-03-23T05:59:59.882532247Z caller=http.go:327 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Resolved target address" target=tau-psg-clone-02.lautus.net ip=156.38.160.50
ts=2023-03-23T05:59:59.882606059Z caller=client.go:251 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Making HTTP request" url=https://156.38.160.50/ host=tau-psg-clone-02.lautus.net
ts=2023-03-23T05:59:59.943718612Z caller=handler.go:117 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Received HTTP response" status_code=200
ts=2023-03-23T05:59:59.943877837Z caller=handler.go:117 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Response timings for roundtrip" roundtrip=0 start=2023-03-23T07:59:59.882671615+02:00 dnsDone=2023-03-23T07:59:59.882671615+02:00 connectDone=2023-03-23T07:59:59.901179326+02:00 gotConn=2023-03-23T07:59:59.92456083+02:00 responseStart=2023-03-23T07:59:59.943665146+02:00 tlsStart=2023-03-23T07:59:59.901223019+02:00 tlsDone=2023-03-23T07:59:59.924541366+02:00 end=2023-03-23T07:59:59.943844397+02:00
ts=2023-03-23T05:59:59.94396078Z caller=main.go:181 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Probe succeeded" duration_seconds=0.062083194

<-- snip -->
probe_ssl_earliest_cert_expiry 1.685816036e+09

Output at a time when probe_ssl_earliest_cert_expiry gave wrong value:

Logs for the probe:         
ts=2023-03-23T06:03:01.296517023Z caller=main.go:181 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Beginning probe" probe=http timeout_seconds=119.5
ts=2023-03-23T06:03:01.296650834Z caller=http.go:327 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Resolving target address" target=tau-psg-clone-02.lautus.net ip_protocol=ip6
ts=2023-03-23T06:03:01.297209948Z caller=http.go:327 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Resolved target address" target=tau-psg-clone-02.lautus.net ip=156.38.160.50
ts=2023-03-23T06:03:01.297277805Z caller=client.go:251 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Making HTTP request" url=https://156.38.160.50/ host=tau-psg-clone-02.lautus.net
ts=2023-03-23T06:03:01.374033738Z caller=handler.go:117 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Received HTTP response" status_code=200
ts=2023-03-23T06:03:01.374217071Z caller=handler.go:117 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Response timings for roundtrip" roundtrip=0 start=2023-03-23T08:03:01.297339999+02:00 dnsDone=2023-03-23T08:03:01.297339999+02:00 connectDone=2023-03-23T08:03:01.320850926+02:00 gotConn=2023-03-23T08:03:01.349390223+02:00 responseStart=2023-03-23T08:03:01.37398561+02:00 tlsStart=2023-03-23T08:03:01.320917717+02:00 tlsDone=2023-03-23T08:03:01.349373729+02:00 end=2023-03-23T08:03:01.374176702+02:00
ts=2023-03-23T06:03:01.374320501Z caller=main.go:181 module=apache_probe target=https://tau-psg-clone-02.lautus.net/ level=info msg="Probe succeeded" duration_seconds=0.077773279

<-- snip -->
probe_ssl_earliest_cert_expiry 1.680631454e+09

What did you do that produced an error?

I drew a graph in Prometheus for probe_ssl_earliest_cert_expiry{hostname="tau-psg-clone-02.lautus.net", job="apache_probe"}. I did this to debug intermittent false positives on our Prometheus monitoring for expiring SSL certificates.

What did you expect to see?

A flatline graph with a value corresponding to the certificate's actual expiry.

What did you see instead?

[graph screenshot attached to the original issue; not reproduced here]

Further background

The host tau-psg-clone-02.lautus.net is the only host in our fleet for which blackbox_exporter currently exhibits this behaviour.

The correct value of the metric, 1.685816036e+09, corresponds to Saturday, 3 June 2023 18:13:56. The incorrect value, 1.680631454e+09, corresponds to Tuesday, 4 April 2023 18:04:14. The two are 60 days, 0 hours, 9 minutes and 42 seconds apart.

I verified that it is not the host itself that is intermittently presenting a different certificate by reloading a Chrome page for that host at one of the points in time when the prometheus graph dipped to the incorrect value. However, Chrome still saw the same certificate with the same expiry at that time.

I thought this issue might be related to #340, and that the host was presenting multiple certificate chains from the root. So I inspected the certificate the host presents:

$ openssl s_client -showcerts -connect tau-psg-clone-02.lautus.net:443 
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = tau-psg-clone-02.lautus.net
verify return:1
---
Certificate chain
 0 s:CN = tau-psg-clone-02.lautus.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = tau-psg-clone-02.lautus.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4600 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FA0648F32B2CD99A779BB6229F54FD71C9C174F58234341CBB9FFDBDE67B3FEC
    Session-ID-ctx: 
    Resumption PSK: 57B91F8ACC569D71F5882A47E30ED3E8EE8D427FE8A951B6CD9A4294CFB286306C421CBBA5E4BABAED70BEC1877AC2CD
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 32 e8 1c 1c d1 e3 24 f0-50 69 e5 9d c4 e9 4c 00   2.....$.Pi....L.
    0010 - a9 85 ff 48 d7 4b 47 8e-e0 28 b2 e7 83 15 10 9a   ...H.KG..(......

    Start Time: 1679552421
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0F6B95D9F6937ECD3079E7F5DC61D5DD18F072C9740948223172531848ACE472
    Session-ID-ctx: 
    Resumption PSK: 8F7B360B3EFCAC7F241F25C0127E1AD9A6236A61686C55BFF186E2B5F773A53B65A1AEDCF994D2B4FAE9C0862F666974
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d6 16 d0 ca b6 5d 86 f9-96 e8 61 46 71 75 31 26   .....]....aFqu1&
    0010 - 8c 25 fd d1 a4 68 a9 38-0d 8e 51 f4 71 d9 3f ab   .%...h.8..Q.q.?.

    Start Time: 1679552421
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
DONE

I inspected the chain of three certificates the host presented by copying the certificate output above to individual files. None of them expire earlier than Jun 3 18:13:56 2023 GMT.

$ openssl x509 -text -noout -in cert1 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:2f:c2:0f:1c:75:a1:18:10:8e:e9:d5:46:3e:28:c7:c5:70
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Mar  5 18:13:57 2023 GMT
            Not After : Jun  3 18:13:56 2023 GMT
        Subject: CN = tau-psg-clone-02.lautus.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                24:27:49:E4:10:CC:4A:60:57:C5:3F:91:00:87:21:A5:9B:D3:AE:C9
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:tau-psg-clone-02.lautus.net
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B7:3E:FB:24:DF:9C:4D:BA:75:F2:39:C5:BA:58:F4:6C:
                                5D:FC:42:CF:7A:9F:35:C4:9E:1D:09:81:25:ED:B4:99
                    Timestamp : Mar  5 19:13:57.631 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:44:02:20:39:A6:BB:51:86:F0:01:E0:0F:B2:53:A7:
                                70:04:54:53:C2:36:71:E7:9B:6A:05:D1:1D:7B:02:6A:
                                D2:F7:0F:C3:02:20:73:5E:64:7D:FC:96:71:11:F2:24:
                                85:3E:64:5E:FC:32:EF:03:DF:2E:3D:47:E3:69:AD:BF:
                                1B:2A:66:74:47:E0
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Mar  5 19:13:57.639 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:C6:8F:5D:E6:3C:F4:EA:3F:78:1E:06:
                                84:17:98:F2:E7:B3:8C:64:2C:58:4B:20:1B:35:92:7C:
                                1E:A9:0A:A2:F7:02:21:00:D8:2A:1E:1F:F7:79:E8:2B:
                                72:AD:91:6F:86:77:E6:D0:DA:66:23:63:30:F6:BD:37:
                                5F:3E:DD:4F:9A:AE:A0:53
    Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -text -noout -in cert2
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier: 
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E

            Authority Information Access: 
                CA Issuers - URI:http://x1.i.lencr.org/

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://x1.c.lencr.org/

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1

    Signature Algorithm: sha256WithRSAEncryption
$ openssl x509 -text -noout -in cert3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            40:01:77:21:37:d4:e9:42:b8:ee:76:aa:3c:64:0a:b7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            Authority Information Access: 
                CA Issuers - URI:http://apps.identrust.com/roots/dstrootcax3.p7c

            X509v3 Authority Key Identifier: 
                keyid:C4:A7:B1:A4:7B:2C:71:FA:DB:E1:4B:90:75:FF:C4:15:60:85:89:10

            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.root-x1.letsencrypt.org

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.identrust.com/DSTROOTCAX3CRL.crl

            X509v3 Subject Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
    Signature Algorithm: sha256WithRSAEncryption
@pieter-lautus
Author

I installed ssl_prober and got the same result. Due to ssl_prober's extra labels, I could see that two certificates with two different serial numbers are in play. In other words, Apache is somehow sometimes presenting one certificate and sometimes another.

This no longer seems like a bug in blackbox_exporter.

@mfriedenhagen

Hi @pieter-lautus, we get different results for a wildcard certificate in Apache, could you please add a link to the ssl-prober tool you used?

@pieter-lautus
Author

@mfriedenhagen I closed this issue on 23 March, but I see now I was not particularly clear why.

This was an Apache issue, not an ssl-prober or blackbox-exporter issue. For some reason, when the certificate was changed, the Apache reload left one process with the old configuration running, and kept routing requests to it. So some of our requests were responded to with an old certificate, and some with a new one.

blackbox_exporter was accurately reporting on an Apache weirdness. This is not a blackbox_exporter bug.
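
The diagnosis this thread arrives at, worked through as an added Go example (not code from blackbox_exporter or ssl_exporter): a server that alternates between an old and a new certificate, as the stale Apache worker did, is probed repeatedly, and the leaf serial plus the earliest expiry of each handshake is tallied, so the two values from the issue show up as two distinct keys rather than one flapping metric. The hostname and the two expiry timestamps are taken from the issue; the certificates, their serials 1 and 2, the strict alternation and the loopback listener are constructed for the demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const (
	host            = "tau-psg-clone-02.lautus.net" // hostname from the issue
	oldExpiry int64 = 1680631454                    // the "wrong" metric value: Tue 4 Apr 2023 18:04:14 UTC
	newExpiry int64 = 1685816036                    // the "correct" metric value: Sat 3 Jun 2023 18:13:56 UTC
)

// makeCert builds a throwaway self-signed leaf; serials 1 and 2 are invented, not the real ones.
func makeCert(serial, notAfter int64) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Unix(notAfter, 0).UTC().Add(-90 * 24 * time.Hour), // 90-day lifetime, like Let's Encrypt
		NotAfter:     time.Unix(notAfter, 0).UTC(),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// newFlappingConfig stands in for the Apache in the thread: reloaded workers serve the new cert while a stale worker still serves the old one; which worker answers is modelled as strict alternation (an assumption).
func newFlappingConfig() *tls.Config {
	certs := []tls.Certificate{makeCert(1, oldExpiry), makeCert(2, newExpiry)}
	calls := 0 // probes run one at a time, so no locking is needed
	return &tls.Config{MinVersion: tls.VersionTLS13, GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
		c := &certs[calls%len(certs)]
		calls++
		return c, nil
	}}
}

// probeOnce does one handshake against cfg over a loopback socket and returns the chain the server presented.
// Verification is skipped only because the constructed certs have no CA; the aim is to record, not to trust.
func probeOnce(cfg *tls.Config) ([]*x509.Certificate, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return nil, err }
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		s, err := ln.Accept()
		if err == nil {
			defer s.Close()
			err = tls.Server(s, cfg).Handshake()
		}
		done <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil { return nil, err }
	defer conn.Close()
	if err := <-done; err != nil { return nil, err }
	return conn.ConnectionState().PeerCertificates, nil
}

// earliestExpiry is what probe_ssl_earliest_cert_expiry reports: the soonest NotAfter in the chain.
func earliestExpiry(chain []*x509.Certificate) int64 {
	earliest := chain[0].NotAfter
	for _, c := range chain[1:] {
		if c.NotAfter.Before(earliest) {
			earliest = c.NotAfter
		}
	}
	return earliest.Unix()
}

// probeRepeatedly tallies the leaf each of n probes saw, keyed like ssl_exporter's labels; more than one key means the host flaps between certificates, not that the exporter misreads a single one.
func probeRepeatedly(cfg *tls.Config, n int) (map[string]int, error) {
	seen := map[string]int{}
	for i := 0; i < n; i++ {
		chain, err := probeOnce(cfg)
		if err != nil { return nil, err }
		seen[fmt.Sprintf("serial=%d expiry=%d", chain[0].SerialNumber, earliestExpiry(chain))]++
	}
	return seen, nil
}
```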

@mfriedenhagen

Hi @pieter-lautus, I was obviously not clear enough: I would just like to get a link to the ssl-prober tool you used to see whether my problem is the same you reported here. I am pretty sure that blackbox-exporter is innocent :-). I would have contacted you directly for this information if that were possible via GitHub.

@SuperQ
Member

SuperQ commented Jul 17, 2023

Maybe this one: https://github.com/ribbybibby/ssl_exporter?

@pieter-lautus
Author

@mfriedenhagen Yes, I was using https://github.com/ribbybibby/ssl_exporter

Sorry, I thought you were a maintainer that was about to waste time investigating an issue I had already closed.
