Looking for the perfect Dashboard: InfluxDB, Telegraf, and Grafana – Part XX (Monitoring SSL Certificates x.509)

Greetings friends, during these last years we have seen how to monitor all kinds of services with Grafana, InfluxDB, and Telegraf, such as VMware vSphere, Linux, Windows, Veeam and more. Today I bring you one of these entries that are extremely useful and simple at the same time.

I’m talking about how to monitor your SSL certificates, yours or any manufacturer’s, URLs, etc. So that we can avoid failure like the one Microsoft had just a few days ago when an SSL certificate expired due to being a leap year.

Telegraf, InfluxDB and Grafana topology monitoring SSL

Although I have already shown you some times the diagram of how would be the monitoring using Telegraf, Grafana, and InfluxDB, I leave you again the diagram, this time monitoring SSL:

How to activate Telegraf’s native input to monitor SSL Certificates x.509

Luckily for us, Telegraf already brings natively an input (plugin) to monitor the status of SSL x.509 certificates, we will be able to monitor the following, which is certainly more than complete for our purpose:


  • tags:
    • source – source of the certificate
    • organization
    • organizational_unit
    • country
    • province
    • locality
    • verification
    • serial_number
    • signature_algorithm
    • public_key_algorithm
    • issuer_common_name
    • issuer_serial_number
    • san
  • fields:
    • verification_code (int)
    • verification_error (string)
    • expiry (int, seconds)
    • age (int, seconds)
    • startdate (int, seconds)
    • enddate (int, seconds)

To activate it, it will be as simple as editing the telegraf.conf, or better, creating a new file in /etc/telegraf/telegraf.d/ssl.conf, and inside we will introduce the following:

sources = ["https://TUURL1:443/", "https://TUURL2:443/", "TUURL3:8443/", "tcp://TUAPPQUEESCUCHAPORTCP:8086/"]
insecure_skip_verify = true

Once we have all the URLs added, we will restart the telegraph service:

telegraf service restart

Checking that we are ingesting information with Chronograf

The normal thing at this point, if we have done all the steps well, is that we are already sending information collected by the script to InfluxDB, if we perform a search using the wonderful Chronograf, we can check that we have information:

All the variables of this input to monitor SSL are stored in x509_* so it is really easy to find them.

Grafana Dashboard

I created a Dashboard from scratch by selecting the best requests to the database, finishing off colors, thinking about graphics and how to display them, and everything is automated so that it fits our environment without any problem and without having to edit anything manually. The Dashboard can be found here, once imported, you can use the top drop-down menus to select between SSL:

Import Grafana Dashboards easily

So that you don’t have to waste hours configuring a new dashboard, and ingesting and debugging you want, I’ve already created four wonderful dashboards with everything you need to monitor our environment in a very simple way, it will look like the image I showed you above.

From our Graph, we will make Create – Import
Select the name you want and enter the ID: 11707, which is the unique ID of the Dashboard, or the URL:

Please leave your feedback in the comments.

If you want to see them working without installing anything, here is the link to my environment.

Just friends, I hope you like it, and I’d like to leave the whole series here:

That’s all folks, if you want to follow the full Blog series about Grafana, InfluxDB, Telegraf, please click on the next links:

Author: jorgeuk

Father, writing in https://www.jorgedelacruz.es and https://jorgedelacruz.uk Blogger, Systems Engineer @veeam - vExpert 2014/2020 & NTC 2018/19

6 Thoughts

  1. Hi, thanks for another great guide!

    I have one question, I managed to get it running with a couple of URL’s but when I remove some of them from the ssl.conf and restart telegraf it doesn’t seem to remove it from the dashboard. They just show up as N/A now.

    How can I remove them from there?


  2. Hello Carl, you will need to delete the data from Influxdb, as they are SSL, you can delete the whole measurement I would say.

  3. Hola muchas gracias muy buena guiá y data.
    Tienen algún ejemplo para monitorear varios dominios.
    No pude dar con la información correcta de como agregar mas dominios. gracias.

  4. Saludos Jeronimo, si claro, solo pon los diferentes dominios en el fichero de configuracion, debe funcionar bien. O te refieres a un SSL con multidominio?

  5. Hi,

    After implementing, it worked but after page reload the expiry date values changes…becomes inconsistent and outright wrong in most cases, is anyone experiencing same?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.