No log for certificate expiration in Certificate Manager

Hello,

I would like to configure an alert for certificates provisioned by Certificate Manager which are expired and close to expiry.

I followed this documentation and tried the suggested alert query

logName = "projects/PROJECT_ID/logs/certificatemanager.googleapis.com%2Fcertificates_expiry" AND jsonPayload.state = "EXPIRED"

in Cloud Logging. I also created 2 log-based metrics with that query, for jsonPayload.state = "EXPIRED" and jsonPayload.state = "CLOSE_TO_EXPIRY". I replaced PROJECT_ID with the ID of my project.

I did a test with a certificate and let it expire, but I can't see any logs related to that (close to expiry or expired); I only have logs for the creation of the certificate. I am surprised because, as mentioned in the documentation: "Certificate Manager logging is always enabled and only captures a minimal amount of information specifically related to certificate expiration."

Here are my two certificates:

sosonetwork_1-1701686619515.png

And the queries (without results):

sosonetwork_2-1701686819712.png

sosonetwork_3-1701686917672.png

Thank you in advance!

Accepted solution

Hi @sosonetwork,

Welcome to the Google Cloud Community!

Can you try removing the syntax below from your query, just to verify if there are actually no logs?

AND jsonPayload.state = "EXPIRED"
AND jsonPayload.state = "CLOSE_TO_EXPIRY"

Since this is a configuration-based alert, it will only work if the Certificate Manager logs in Cloud Logging indicate that a certificate is close to expiration or has expired. You might want to create an issue in Google Cloud's public issue tracker regarding this matter.

Thank you. 
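The check suggested in this answer, written out as an added example (not part of the original thread or of Google's documentation): query the expiry log with no state clause first, then classify what comes back. The project ID `my-project`, the function names and the sample entries are assumptions made for illustration; real input would be the JSON from `gcloud logging read "<filter>" --format=json`.

```python
from collections import Counter

# Log ID and state values are the ones quoted in the thread.
LOG_ID = "certificatemanager.googleapis.com%2Fcertificates_expiry"
STATES = ("EXPIRED", "CLOSE_TO_EXPIRY")


def base_filter(project_id):
    """Filter with no state clause: is the expiry log written at all?"""
    return f'logName = "projects/{project_id}/logs/{LOG_ID}"'


def state_filter(project_id, state):
    """One state per filter, as used for each log-based metric."""
    if state not in STATES:
        raise ValueError(f"unexpected state: {state!r}")
    return f'{base_filter(project_id)} AND jsonPayload.state = "{state}"'


def diagnose(entries, project_id):
    """Classify a list of LogEntry dicts exported with base_filter()."""
    log_name = f"projects/{project_id}/logs/{LOG_ID}"
    ours = [e for e in entries if e.get("logName") == log_name]
    states = Counter(
        (e.get("jsonPayload") or {}).get("state", "<missing>") for e in ours
    )
    if not ours:
        return "NO_EXPIRY_LOGS", {}      # nothing for a metric to count
    if not any(states[s] for s in STATES):
        return "STATE_MISMATCH", dict(states)  # log exists, clause never matches
    return "OK", dict(states)


# Constructed sample export (not real output); project ID is a placeholder.
_LOG = f"projects/my-project/logs/{LOG_ID}"
SAMPLE = [
    {"logName": _LOG, "jsonPayload": {"state": "CLOSE_TO_EXPIRY"}},
    {"logName": _LOG, "jsonPayload": {"state": "EXPIRED"}},
    {"logName": _LOG, "jsonPayload": {"state": "EXPIRED"}},
]

if __name__ == "__main__":
    print(base_filter("my-project"))
    print(diagnose(SAMPLE, "my-project"))  # entries present with known states
    print(diagnose([], "my-project"))      # the situation reported in the question
```

A `NO_EXPIRY_LOGS` result means the log-based metrics have nothing to count, so the alert cannot fire regardless of how the state clause is written.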

 

Hi lawrencenelson, thanks for your answer and sorry for the delay.

I actually had several certificates close to expiration and expired, then I contacted support at that time, and they have given me the right logs since.

Hi,
I have the same problem. Can you elaborate on the solution they gave you?