blackbox_exporter: Negative timestamps in probe_ssl_last_chain_expiry_timestamp_seconds

Are you using insecure_skip_verify: True? If so, you’ll see this value.

As a workaround, filter out this value in your PromQL expressions:

probe_ssl_last_chain_expiry_timestamp_seconds != -62135596800

or more simply (assuming you don’t have any certificates dating to before 1970):

probe_ssl_last_chain_expiry_timestamp_seconds > 0

what exactly is it that you’re trying to test here?

I don’t care that the container in which blackbox_exporter runs does not have the exact same CA bundle(s) that a normal client (Windows, Mac, Linux) running a typical browser (Chrome, Firefox, IE) would have, because those are subject to corporate policies that distribute custom CAs across the organization.

However, I do care about the dates on the certificate(s) presented by the target, because those are definitely going to break users if they are in the past, even if they have the proper CA bundle.

Which was a fine strategy for the old metric probe_ssl_earliest_cert_expiry, but not with probe_ssl_last_chain_expiry_timestamp_seconds which requires validation.

I’m using the same root certificate to all my domains so I believe I can just add it like you’ve said:

Yes, ca_file: /path/to/cacert.pem where cacert.pem is the home-made root certificate you used to sign other certificates.