We use two different kind of TLS certificates:
- Let’s encrypt with automated renewal process
- Certificates with longer lifetime and manual renewal
As the manual process requires some time, we need higher thresholds for the warning. Is there a way to configure 30/10 days for WARN/CRIT for Let’s encrypt and 60/30 days for other certificates without having to explicitly select hosts in the rule?
Maybe you can give the smallest collection of hosts a host label to base your rule on for change of state configuration. Example:
maybe @r.sander’s data2label from Checkmk Exchange can even set the label for you, if you can detect which certificates are from let’s encrypt automatically :)?
Our SSL certificates extension sets service labels based on the issuer hash from the certificate. This way you can identify the Let’s Encrypt certs.
Thanks, that was what I searched for.