diff --git a/service/prometheus.md b/service/prometheus.md
index f9cf4cd2af5e02f2ef8928d3c7c30936f1927439..42194d916e2d64060b88020898df5ea59114547e 100644
--- a/service/prometheus.md
+++ b/service/prometheus.md
@@ -560,6 +560,21 @@ with the same value since that label is used in alerts and graphs to display
 information. Finally, the `__address__` label is overridden with the address
 where Prometheus can reach the exporter.
 
+#### Known pitfalls with blackbox scrape jobs
+
+Some tests that can be performed with blackbox exporter can have some pitfalls,
+cases where the monitoring is not doing what you'd expect and thus we're not
+receiving the information required for proper monitoring. This is a list of some
+known issues that you should look out for:
+
+- With the `http` module, if you let it follow redirections it simplifies some
+  checks. However, this has the potential side-effect that the metrics
+  associated with the SSL certificate for that check does _not_ contain
+  information about the certificate of the domain name of the target, but rather
+  about the certificate for the domain last visited (after following
+  redirections). So certificate expiration alerts will not be alerting about
+  the right thing!
+
 #### Targets
 
 TPA-managed services use puppet exported resources in the appropriate profiles.