feat(alertd): caddy certificate expiry check #495
Merged
96d6537 to a9ebe1e
Caddy auto-renews managed certs well before expiry, so a cert nearing expiry means renewal is failing — invisible until the site goes down.

Reads caddy's on-disk cert store and flags two signals: expiry, with thresholds scaled to each cert lifetime (anchored on warn 21d / fail 7d for 90-day certs, so 45-day and 6-day profiles get proportionally shorter windows); and a served-vs-on-disk mismatch, detected by a TLS handshake dialed straight at 127.0.0.1 (the SNI selects the vhost but the connection never leaves the box) comparing the served leaf against disk — a mismatch means caddy needs a reload to pick up a renewal. Skips when caddy's cert store is not found.

Promotes already-transitive rustls / tokio-rustls / x509-parser to direct deps; no new crates pulled.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
a9ebe1e to c9b3e57
🤖 New alertd healthcheck `caddy_certs`.

Caddy auto-renews managed certs at roughly a third of their lifetime before expiry, so a cert nearing expiry means renewal is failing — invisible today until the site goes down. Reads caddy's on-disk cert store and flags two signals:

- […] `127.0.0.1:443` (the SNI selects the vhost but the connection never leaves the box) reads the served leaf and compares it to disk. A mismatch means caddy is serving a stale cert and needs a reload to pick up a renewal — a warning. Wildcard-only certs skip the served comparison (no concrete SNI to dial). Handshake is timeout-bounded; a failed handshake is recorded, not alarmed. Skips entirely when caddy's cert store isn't found.
Promotes already-transitive `rustls` / `tokio-rustls` / `x509-parser` to direct deps — no new crates enter the tree (Cargo.lock change is just the three dependency edges). Threshold scaling is a pure `classify` fn with tests for the 90/45/6-day profiles.