QubitProducts / exporter_exporter

A reverse proxy designed for Prometheus exporters
Apache License 2.0

HTTP Config does not allow setting RootCAs? #97

Closed AlexandarY closed 10 months ago

AlexandarY commented 10 months ago

Hey!

I'm looking into setting HTTPS + TLS Client Certificates from exporter_exporter to a target exporter with a custom Certificate Authority, but it appears that the custom Certificate Authority certificate is not included in the RootCAs pool of the proxy client.

I did a test with node_exporter and the following expexp.yaml config:

modules:
  node:
    method: http
    http:
      scheme: https
      port: 9100
      address: test-instance
      tls_cert_file: /etc/prometheus/ssl/test-instance.client.pem
      tls_key_file: /etc/prometheus/ssl/test-instance.client.key
      tls_ca_cert_file: /etc/prometheus/ssl/client-ca.pem

and on node_exporter's end the following web-config.yaml

tls_server_config:
  cert_file: /etc/prometheus/ssl/node-exporter.server.pem
  key_file: /etc/prometheus/ssl/node-exporter.server.key
  client_ca_file: /etc/prometheus/ssl/client-ca.pem
  client_auth_type: RequireAndVerifyClientCert

Running a request to /proxy?module=node logs the following error:

msg="Proxy error for module 'node': x509: certificate signed by unknown authority"

A workaround appears to be setting tls_insecure_skip_verify: to true in expexp.yaml, but as per Go's docs, that is not a good idea.

My question is, is this expected to work this way or am I misunderstanding something?

AlexandarY commented 10 months ago

I submitted a PR, which would allow per-http-module inclusion of additional Root CA certificates in the Root CA pool used by the http proxy client. I also added the ability to specify the ServerName that is used to validate the server TLS certificate. This would allow handling cases where you want the address to be an IP address but not include the IP in the TLS certificate.

modules:
  node:
    method: http
    http:
      scheme: https
      port: 9100
      address: 127.0.0.1
      server_name: test.com

PR: https://github.com/QubitProducts/exporter_exporter/pull/98
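The behaviour the PR describes, as an added Go example (not exporter_exporter's own code): a custom CA is added to RootCAs and server_name is mapped to tls.Config.ServerName, then the same chain and hostname check that crypto/tls runs on the server certificate is applied to a throwaway in-memory CA and server certificate for test.com. The function names and the generated certificates are constructed for this example; only the last of the three configurations verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// proxyClientTLS builds the proxy's HTTPS client config as the fix describes: the CA from tls_ca_cert_file
// goes into RootCAs (nil = system pool, no private CA) and server_name becomes ServerName (hostname checked, IP dialled).
func proxyClientTLS(ca *x509.Certificate, serverName string) *tls.Config {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if ca != nil {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(ca) // a file-based loader would use AppendCertsFromPEM on the PEM bytes
	}
	return cfg
}

// Demo builds a throwaway in-memory CA and a test.com server cert (errors ignored, inputs are fixed) and checks 3 configs.
func Demo() (noRoots, ipName, withServerName error) {
	t0, t1 := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "client-ca"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: t0, NotAfter: t1}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"test.com"}, NotBefore: t0,
		NotAfter: t1, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	srv, _ := x509.ParseCertificate(srvDER)
	// check is the chain + hostname verification crypto/tls applies to the server leaf in a handshake.
	check := func(cfg *tls.Config) error {
		_, err := srv.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
		return err
	}
	return check(proxyClientTLS(nil, "test.com")), check(proxyClientTLS(ca, "127.0.0.1")), check(proxyClientTLS(ca, "test.com"))
}

func main() {
	a, b, c := Demo()
	fmt.Println("no RootCAs:", a, "\nRootCAs + IP:", b, "\nRootCAs + server_name:", c)
}
```

The first case reproduces the "certificate signed by unknown authority" failure from the issue; the second shows why dialling an IP needs server_name when the certificate only carries a DNS name.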

tcolgate commented 10 months ago

Closed via #98