How monitoring the certificate of the Ingress Nginx?

David Fernández
2 min readMay 3, 2020


A few days ago, I had some problems with the auto renewal of certificate SSL. Because of this, I was curious to know how to monitor the certificate of all Ingress Nginx on Kubernetes. I could have applied Blackbox Exporter but didn't have much time to research on that. So what could I do?


dilbert think

After some duckducking, I found that the metrics of Prometheus Ingress Nginx, give us ones for knowing the expiration time of out SSL certificate for one or all of ingress created inside the cluster.

ingress nginx + prometheus

This metric is nginx_ingress_controller_ssl_expire_time_seconds. That one returns the expiration time in seconds, so we have to do a convertion from days to seconds. You can use Duckduckgo for the conversion, for example when seconds is 25 days. The result is 2160000 and alert’s is

avg(nginx_ingress_controller_ssl_expire_time_seconds{ingress=~”.*”}) by (host) — time() < 2160000

This rule return the average of time all certificate for each host that expire within of 25 days.

And thats it!
Thanks for reading and for more information you can search the subject ‘How to configure of rules and firing alert with alertmanager’ in the Prometheus documentation.