From 9152fec321e04cade6604984bb583c68c489e32b Mon Sep 17 00:00:00 2001
From: Gabriel Filion <lelutin@torproject.org>
Date: Wed, 6 Nov 2024 16:20:13 -0500
Subject: [PATCH] Document a known pitfall with blackbox's http module

---
 service/prometheus.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/service/prometheus.md b/service/prometheus.md
index f9cf4cd2..42194d91 100644
--- a/service/prometheus.md
+++ b/service/prometheus.md
@@ -560,6 +560,21 @@ with the same value since that label is used in alerts and graphs to display
 information. Finally, the `__address__` label is overridden with the address
 where Prometheus can reach the exporter.
 
+#### Known pitfalls with blackbox scrape jobs
+
+Some tests that can be performed with blackbox exporter can have some pitfalls,
+cases where the monitoring is not doing what you'd expect and thus we're not
+receiving the information required for proper monitoring. This is a list of some
+known issues that you should look out for:
+
+- With the `http` module, if you let it follow redirections it simplifies some
+  checks. However, this has the potential side-effect that the metrics
+  associated with the SSL certificate for that check does _not_ contain
+  information about the certificate of the domain name of the target, but rather
+  about the certificate for the domain last visited (after following
+  redirections). So certificate expiration alerts will not be alerting about
+  the right thing!
+
 #### Targets
 
 TPA-managed services use puppet exported resources in the appropriate profiles.
-- 
GitLab