Add certificate monitor

Author: Federico Ceratto

ansible/roles/letsencrypt/tasks/main.yml

@@ -1,9 +1,9 @@
 ---
-- name: Install Letsencrypt certbot
+- name: Install certbot and Python library
   apt:
     name:
     - certbot
-    - python-certbot-nginx
+    - python3-prometheus-client
     state: latest
     update_cache: yes
     cache_valid_time: '{{ apt_cache_valid_time }}'
@@ -51,4 +51,33 @@
     name: certbot.timer
     state: started
     enabled: yes
+
+- name: Add certificate monitoring monitor_certs.py
+  template:
+    src: templates/monitor_certs.py
+    dest: /etc/ooni/monitor_certs.py
+    mode: 0755
+    owner: root
+
+- name: Install monitor_certs.service
+  template:
+    src: templates/monitor_certs.service
+    dest: /etc/systemd/system/monitor_certs.service
+    mode: 0755
+    owner: root
+
+- name: Add certificate monitoring monitor_certs.py
+  template:
+    src: templates/monitor_certs.timer
+    dest: /etc/systemd/system/monitor_certs.timer
+    mode: 0755
+    owner: root
+
+- name: enable timer for monitor_certs
+  systemd:
+    daemon_reload: yes
+    name: monitor_certs.timer
+    state: started
+    enabled: yes
+
 ...

ansible/roles/letsencrypt/templates/monitor_certs.py

@@ -0,0 +1,38 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""Monitor certbot certificates
+"""
+
+# Compatible with Python3.7 - linted with Black
+
+import subprocess
+from datetime import datetime, timezone
+
+import prometheus_client as prom
+
+NODEEXP_FN = "/run/nodeexp/monitor_certs.prom"
+
+
+def main():
+    prom_reg = prom.CollectorRegistry()
+    gauge = prom.Gauge("certificate_age", "", ["domain"], registry=prom_reg)
+    out = subprocess.check_output(["certbot", "certificates"])
+    out = out.decode("utf-8")
+    for line in out.splitlines():
+        if line.startswith("  Certificate Name: "):
+            domain_name = line.split()[-1]
+
+        elif line.startswith("    Expiry Date: "):
+            #    Expiry Date: 2020-09-12 08:16:47+00:00 (VALID: 79 days)
+            exp = line[17:42]
+            exp = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S%z")
+            delta = exp - datetime.now(timezone.utc)
+            s = int(delta.total_seconds())
+            gauge.labels(domain_name).set(s)
+
+    prom.write_to_textfile(NODEEXP_FN, prom_reg)
+
+
+if __name__ == "__main__":
+    main()

ansible/roles/letsencrypt/templates/monitor_certs.service

@@ -0,0 +1,7 @@
+[Unit]
+Description=Run monitor_certs.py, activated by monitor_certs.timer
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ooni/monitor_certs.py
+

ansible/roles/letsencrypt/templates/monitor_certs.timer

@@ -0,0 +1,9 @@
+[Unit]
+Description=Run monitor_certs.py at the beginning of every hour
+
+[Timer]
+OnCalendar=*-*-* *:00:00
+
+[Install]
+WantedBy=timers.target
+