Your monitoring and alerts remember things for you

January 24, 2021

On Twitter, I said:

Sure, this TLS certificate expires in 2030, and we might well not even be using the service it's for in five years. But that just makes it more important to monitor its expiry time; a decade is easily long enough for us to completely forget about the issue.

(There's a story behind my action.)

Just like scripts remember things for you, so do alerts and monitoring in general. It's vaguely possible that we'd remember to keep an eye on obscure self-signed TLS certificates that expire in a decade, but probably not, and anyway if we automate it that's one less thing to keep in our minds. As system administrators, we have a lot of things to keep track of, and as squishy humans, we can only keep track of so many of them before stuff gets dropped.

(Because someone is going to wonder, this particular self-signed certificate has to be manually registered with and approved by a third party before we can use it. Doing this even every year is not something we want to get into. Since the third party is happy to accept a TLS certificate with a very long lifetime, we'll use that.)

Of course what our monitoring and alerts remember can become obsolete over time. Fortunately, they generally come with built-in reminders about their existence, so eventually we will get prompted to remove or update them. Well, most of the time. If we switched to using another TLS certificate for this particular case but left the old one behind, our monitoring might not notice (for reasons, it has to look at the TLS certificate file instead of making a TLS connection to something). But this is still better than possibly completely forgetting about the TLS certificate.

(Alerts that are just there to make sure you remember something should normally be silent. If they're going off more than once in a blue moon, you probably have one of a number of problems.)
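A file-based expiry check of the kind described above, as an added example (not the author's actual monitoring): it reads notAfter straight from a PEM certificate file using only the Python standard library, so it never needs a TLS connection. The 90-day warning threshold, the exit codes and the script name are assumptions.

```python
import base64, re, sys
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(pem_text):
    """notAfter of the first certificate in PEM text, as an aware UTC datetime."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    _, pos, _ = read_tlv(der, 0)           # enter Certificate
    _, pos, _ = read_tlv(der, pos)         # enter tbsCertificate
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = read_tlv(der, pos)
    _, pos, _ = read_tlv(der, pos)         # enter validity
    _, _, pos = read_tlv(der, pos)         # skip notBefore
    tag, start, end = read_tlv(der, pos)   # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def check(pem_text, warn_days=90, now=None):
    """Return (status, days_left); status is 'ok', 'warn' or 'expired'."""
    days = (not_after(pem_text) - (now or datetime.now(timezone.utc))).days
    if days < 0:
        return "expired", days
    return ("warn" if days < warn_days else "ok"), days

if __name__ == "__main__":
    # usage: certcheck.py /path/to/cert.pem  (script name and path are placeholders)
    try:
        with open(sys.argv[1]) as f:
            status, days = check(f.read())
    except (OSError, ValueError, IndexError) as e:
        # a missing or unparseable file alerts too, rather than silently dropping the check
        print(f"unknown: {e}")
        sys.exit(3)
    print(f"{status}: {days} days until notAfter")
    sys.exit({"ok": 0, "warn": 1, "expired": 2}[status])
```

Because the check only sees the file it is pointed at, it keeps reporting on that file even after the service has moved to a different certificate.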

Last modified: Sun Jan 24 23:43:15 2021