prometheus/blackbox_exporter

grpc reports probe_ssl_earliest_cert_expiry even with disabled tls

Lusitaniae opened this issue · 0 comments

uname -a 
Linux blackbox-node1 5.4.0-121-generic #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

blackbox_exporter --version
blackbox_exporter, version 0.24.0 (branch: HEAD, revision: 0b0467473916fd9e8526e2635c2a0b1c56011dff)
  build user:       root@e5bbfcc8184e
  build date:       20230516-11:07:25
  go version:       go1.20.4
  platform:         linux/amd64
  tags:             netgo
  grpc:
    prober: grpc
    timeout: 8s
    grpc:
        preferred_ip_protocol: ip4
        tls: false
  - job_name: blackbox_grpc
    honor_labels: true
    honor_timestamps: true
    metrics_path: /probe
    scheme: http
    scrape_interval: 30s
    scrape_timeout: 10s
    params:
      module: [grpc]
    static_configs:
      - targets:
          - http://subdomain1.example.com
    relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [__param_target]
      target_label: instance
    - target_label: __address__
      replacement: 1.3.5.9:9115 # blackbox-node1

curl "localhost:9115/probe?module=grpc&target=http%3A%2F%2Fsubdomain.example.com&debug=true"
Logs for the probe:
ts=2023-09-08T10:01:58.168088079Z caller=main.go:352 module=grpc target=http://subdomain.example.com level=info msg="Beginning probe" probe=grpc timeout_seconds=8
ts=2023-09-08T10:01:58.168346846Z caller=grpc.go:146 module=grpc target=http://subdomain.example.com level=info msg="Resolving target address" target=subdomain.example.com ip_protocol=ip4
ts=2023-09-08T10:01:58.169988786Z caller=grpc.go:146 module=grpc target=http://subdomain.example.com level=info msg="Resolved target address" target=subdomain.example.com ip=3.4.5.6
ts=2023-09-08T10:01:58.170049622Z caller=main.go:144 module=grpc target=http://subdomain.example.com level=debug msg="Dialing GRPC without TLS"
ts=2023-09-08T10:01:58.4245876Z caller=main.go:144 module=grpc target=http://subdomain.example.com level=debug connectthegrpcserversuccessfully=(MISSING)
ts=2023-09-08T10:01:58.42468521Z caller=main.go:352 module=grpc target=http://subdomain.example.com level=info msg="Probe succeeded" duration_seconds=0.256492572

Metrics that would have been returned:
# HELP probe_dns_lookup_time_seconds Returns the time taken for probe dns lookup in seconds
# TYPE probe_dns_lookup_time_seconds gauge
probe_dns_lookup_time_seconds 0.001670198
# HELP probe_duration_seconds Returns how long the probe took to complete in seconds
# TYPE probe_duration_seconds gauge
probe_duration_seconds 0.256492572
# HELP probe_grpc_duration_seconds Duration of gRPC request by phase
# TYPE probe_grpc_duration_seconds gauge
probe_grpc_duration_seconds{phase="check"} 0.25452599
probe_grpc_duration_seconds{phase="resolve"} 0.001670198
# HELP probe_grpc_healthcheck_response Response HealthCheck response
# TYPE probe_grpc_healthcheck_response gauge
probe_grpc_healthcheck_response{serving_status="NOT_SERVING"} 0
probe_grpc_healthcheck_response{serving_status="SERVICE_UNKNOWN"} 0
probe_grpc_healthcheck_response{serving_status="SERVING"} 1
probe_grpc_healthcheck_response{serving_status="UNKNOWN"} 0
# HELP probe_grpc_ssl Indicates if SSL was used for the connection
# TYPE probe_grpc_ssl gauge
probe_grpc_ssl 0
# HELP probe_grpc_status_code Response gRPC status code
# TYPE probe_grpc_status_code gauge
probe_grpc_status_code 0
# HELP probe_ip_addr_hash Specifies the hash of IP address. It's useful to detect if the IP address changes.
# TYPE probe_ip_addr_hash gauge
probe_ip_addr_hash 4.054344864e+09
# HELP probe_ip_protocol Specifies whether probe ip protocol is IP4 or IP6
# TYPE probe_ip_protocol gauge
probe_ip_protocol 4
# HELP probe_ssl_earliest_cert_expiry Returns earliest SSL cert expiry in unixtime
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 0
# HELP probe_success Displays whether or not the probe was a success
# TYPE probe_success gauge
probe_success 1



Module configuration:
prober: grpc
timeout: 8s
http:
    ip_protocol_fallback: true
    follow_redirects: true
    enable_http2: true
tcp:
    ip_protocol_fallback: true
icmp:
    ip_protocol_fallback: true
    ttl: 64
dns:
    ip_protocol_fallback: true
    recursion_desired: true
grpc:
    ip_protocol_fallback: true
    preferred_ip_protocol: ip4


SSL is disabled

probe_grpc_ssl 0

but the expiry metric is still emitted

probe_ssl_earliest_cert_expiry 0

which causes alerts such as probe_ssl_earliest_cert_expiry - time() < 86400 * 1 to be triggered

On the HTTP module I do not see that metric being emitted when TLS is disabled; that would be the expected behavior.
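
The false positive described in the issue above, as an added example that is not part of the original report or the blackbox_exporter code: it parses a constructed excerpt of the quoted probe output and evaluates the alert rule from the issue next to a guarded form. The function names and the guard itself (require probe_grpc_ssl == 1 and a non-zero expiry) are assumptions made for illustration, not the project's fix.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample: excerpt of the plaintext gRPC probe output quoted in the issue.
const plaintextProbe = `# TYPE probe_grpc_ssl gauge
probe_grpc_ssl 0
# TYPE probe_ssl_earliest_cert_expiry gauge
probe_ssl_earliest_cert_expiry 0
probe_success 1
`

// parseSamples reads unlabelled "name value" lines of the text exposition format.
func parseSamples(text string) map[string]float64 {
	out := map[string]float64{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 || strings.HasPrefix(f[0], "#") || strings.Contains(f[0], "{") {
			continue // skip HELP/TYPE comments and labelled series
		}
		if v, err := strconv.ParseFloat(f[1], 64); err == nil {
			out[f[0]] = v
		}
	}
	return out
}

// naiveAlert mirrors the rule from the issue: expiry - time() < 86400 * 1.
func naiveAlert(m map[string]float64, now float64) bool {
	exp, ok := m["probe_ssl_earliest_cert_expiry"]
	return ok && exp-now < 86400
}

// guardedAlert (assumed workaround) ignores the expiry unless TLS was used and it is non-zero.
func guardedAlert(m map[string]float64, now float64) bool {
	return m["probe_grpc_ssl"] == 1 && m["probe_ssl_earliest_cert_expiry"] > 0 && naiveAlert(m, now)
}

func main() {
	now := 1694167318.0 // Unix time of the probe in the issue's log (2023-09-08T10:01:58Z)
	m := parseSamples(plaintextProbe)
	fmt.Println("naive:", naiveAlert(m, now), "guarded:", guardedAlert(m, now))
}
```

In PromQL the value part of the guard can be written as (probe_ssl_earliest_cert_expiry > 0) - time() < 86400, which drops the zero-valued series before the subtraction.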