Share this post:
Configuring Certificate Manager to post alerts to PagerDuty
Certificate Manager is a service that helps you centrally manage SSL/TLS certificates for your apps and services. Certificate Manager keeps track of when your certificates expire, serves as a secure repository for SSL/TLS certificates and keys, and helps you securely deploy certificates to your Cloud apps.
Expired certificates can lead to service outages. To address this problem, Certificate Manager can send you proactive notifications before your certificates expire so that you will remember to renew your certificates on time. In a previous blog, we showed you how to configure Certificate Manager to post notifications to your Slack channel. In another blog, we demonstrated how to use the Certificate Manager callback URL feature to automatically open Github tasks about expiring certificates. We’ve been asked to share an additional sample that shows how to configure Certificate Manager to post alerts to PagerDuty.
In this article, we will discuss how to implement a callback URL to generate PagerDuty alerts for expiring certificates. The callback function is implemented as a Cloud Function using IBM Cloud Functions—an event-driven compute service.
Implementing the flow
Step 1. Create an integration key in PagerDuty for your service
Before we begin with the code, we’ll need to get an integration key for your service from PagerDuty. To create an integration key, follow the steps below:
- Log in to your PagerDuty console.
- Select the Configuration menu and then select Services.
- Search and select your service.
- Open the service page.
- Select the Integrations tab.
- Click Add New Integration.
- Provide a Name for the integration.
- Select Integration Type as IBM Bluemix.
- Click Add Integration.
- Make note of the Integration Key created for the new integration.
Step 2. Create the Cloud Function
We’ll start with creating a Cloud Function. A Cloud Function is a piece of code that runs in response to a trigger so that you don’t have to pay for or maintain servers while they are idle. To create a Cloud Function, go to the Functions dashboard in IBM Cloud, select the Actions tab, click the Create button, and then click Create a new action. Give the action a name, chose the default package, select a Node.js runtime (the sample code in this blog is compatible with Node.js 8), and click the Create button. Now you are ready to add the code to your Cloud Function.
Download the full code here and copy into the cloud function code section (the example code has been updated to use the latest notification format).
See our previous example of working with Certificate Manager callback URL and explanation about four functions in this code.
In our case the
main function creates and sends an alert to PagerDuty.
Replace the service_key in the pdparams variable with the integration key generated in Step 1.
Step 3. Create the callback URL
Once the Cloud Function is ready, we need to make it available over the net. Select Endpoints from the left nav of the Cloud Functions UI, check the Enable as Web Function checkbox, and click the Save button. Copy the URL that was added at the bottom of the Web Action section.
Step 4: Add notification channel
The last thing left to do is to connect this Web Action to the Certificate Manager notifications mechanism. Open your Certificate Manager dashboard and select Settings from the left nav. Click the Add Notification Channel button, choose callback url from the channel type drop-down, enter the URL we copied from Cloud Functions, and click the Save button.
Once the channel is saved, you will see it in the notification channel list. You can test your setup by clicking the test connection button. This should trigger a PagerDuty alert if everything is set up correctly.
Step 5: Testing the integration—End to End
Create a self-signed certificate that expires in 10 days and import that into Certificate Manager. You can use the below openssl command for the purpose:
openssl req -x509 -newkey rsa:1024 -keyout key.pem -subj "/CN=appdomain.com" -out server.pem -days 10 -nodes
Import the certificate into your Certificate Manager instance. This will trigger a PagerDuty alert and incident against your service for the certificate expiring in 10 days.
PagerDuty alerts will be triggered from now on for all your certificates nearing expiration.