
Commit 82bb799

Document difference between ssl_expiry metrics
blackbox-exporter currently offers two metrics to measure when TLS Certificates will expire. The difference between them is very subtle, but using `probe_ssl_earliest_cert_expiry` for checking whether a certificate is due for replacement can lead to false positive alerts. This documents the difference between those two. Generally `probe_ssl_last_chain_expiry_timestamp_seconds` seems to be what most people would want to use.

Signed-off-by: Tobias Guggenmos <[email protected]>
1 parent 7e25c6f commit 82bb799

1 file changed, +2 -2 lines changed


prober/prober.go

Lines changed: 2 additions & 2 deletions
@@ -25,8 +25,8 @@ import (
2525
type ProbeFn func(ctx context.Context, target string, config config.Module, registry *prometheus.Registry, logger *slog.Logger) bool
2626

2727
const (
28-
helpSSLEarliestCertExpiry = "Returns last SSL chain expiry in unixtime"
29-
helpSSLChainExpiryInTimeStamp = "Returns last SSL chain expiry in timestamp"
28+
helpSSLEarliestCertExpiry = "Returns the earliest expiry of any peer certificate returned by the server as an unix timestamp. This can include certificates that are not validated by TLS clients. In rare server configurations this might return a time in the past, even for valid TLS certificate chains."
29+
helpSSLChainExpiryInTimeStamp = "Returns the earliest expiry of any validated TLS certificate as an unix timestamp. This indicates the time when connections will start to fail, unless a certificate is renewed."
3030
helpProbeTLSInfo = "Returns the TLS version used or NaN when unknown"
3131
helpProbeTLSCipher = "Returns the TLS cipher negotiated during handshake"
3232
)
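
Review bot: The new help text for helpSSLChainExpiryInTimeStamp says "earliest expiry of any validated TLS certificate", but the commit message names this metric `probe_ssl_last_chain_expiry_timestamp_seconds`, and the string does not say what "last chain" refers to. A reader comparing it with helpSSLEarliestCertExpiry, which also opens with "Returns the earliest expiry of any ...", has only the word "validated" to tell the two apart. Consider stating how "earliest" and "last chain" relate, for example what is reported when more than one validated chain exists, so that "This indicates the time when connections will start to fail" is unambiguous. Minor: "an unix timestamp" should read "a Unix timestamp" in both strings.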
