prometheus-community / postgres_exporter

A PostgreSQL metric exporter for Prometheus
Apache License 2.0

exporter not working with ssl certificates #477

Open cah-jyoti-prakash opened 3 years ago

cah-jyoti-prakash commented 3 years ago

I am not able to connect. FYI - I need to use ssl "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem"

I can log in to my postgres using my credentials and the above-mentioned certificate through the pgadmin client but not through the exporter; also, the exporter does not throw any error, just an info message.

Command I run is:

docker run -v C:\mycert:/etc/ssl/certs --net=host -e DATA_SOURCE_NAME="postgresql://postgres:password@xx.xx.xx.xx:5432/postgres?sslmode=require" wrouesnel/postgres_exporter

time="2021-02-17T06:01:03Z" level=info msg="Starting Server: :9187" source="postgres_exporter.go:1825"

cah-jyoti-prakash commented 3 years ago

I am trying this on GCP cloud SQL postgres

cah-jyoti-prakash commented 3 years ago

Tried this but it did not work :-(

docker run -v C:\mycert:/etc/ssl/certs --net=host -eDATA_SOURCE_NAME="postgresql://postgres:password@xx.xx.xx.xx:5432/postgres?sslmode=verify-ca&sslrootcert=/etc/ssl/certs/server-ca.pem&sslcert=/etc/ssl/certs/client-cert.pem&sslkey=/etc/ssl/certs/client-key.pem" wrouesnel/postgres_exporter

LukeStanislawski commented 3 years ago

I'm having an issue that may be the same. I am trying to authenticate using certificates with the following DATA_SOURCE_NAME: postgresql://<USER>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem

However it seems that the exporter is still attempting to authenticate using a password rather than with certificates:

INFO[9366] Error opening connection to database (postgresql://<USER>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem): pq: password authentication failed for user "<USER>" source="postgres_exporter.go:1070"

I also see the same behaviour with sslmode=require and sslmode=verify-ca.

Additionally I am able to connect if I provide a valid password in the string with: postgresql://<USER>:<PASSWORD>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem

I have confirmed that the client is validating the DB certificates successfully.

amleshk66 commented 2 years ago

I am also facing authentication issues.

I want to configure SSL and authentication between the PostgreSQL exporter and Prometheus. Can anyone help with this?

bitstreambiker commented 1 year ago

Has anyone been able to get this to work with TLS and sslmode=verify-ca?

stewartshea commented 1 year ago

Looking at the code, it looks like the exporter is built with the idea to support multiple auth modules but only userpass is supported today, as far as I can tell.

https://github.dev/prometheus-community/postgres_exporter/blob/44aab362f065cd537b21cd01dc779ef0cb04d14c/config/config.go#L45-L50

https://github.dev/prometheus-community/postgres_exporter/blob/44aab362f065cd537b21cd01dc779ef0cb04d14c/cmd/postgres_exporter/probe.go#L39-L61

duj4 commented 1 year ago

Guys, I am able to connect the exporter to PG via tls, but I am using Grafana-agent instead of native PG exporter, here is my way:

data_source_names:
  - "postgresql://<pg hostname>:<port>/<dbname>?sslmode=require&sslrootcert=<path to ca>&sslcert=<path to user-to-connect-pg cert>&sslkey=<path to user-to-connect-pg key>"
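
The connection strings posted in this thread can be checked before the exporter is started. The following is an added example, not code from postgres_exporter or from any commenter: `LintDSN`, `Redact` and the sample DSN are hypothetical names and constructed values. It inspects only the string (sslmode, presence of sslcert/sslkey, certificate paths that are relative and therefore resolved against the exporter's working directory inside the container) and masks the password so the DSN can be logged.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

// LintDSN lints a postgresql:// URL; string checks only, nothing is opened or dialed.
func LintDSN(dsn string) ([]string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		return nil, err
	}
	q, out := u.Query(), []string{}
	if m := q.Get("sslmode"); m != "verify-ca" && m != "verify-full" {
		out = append(out, fmt.Sprintf("sslmode=%q is not verify-ca or verify-full", m))
	}
	if cert, key := q.Get("sslcert"), q.Get("sslkey"); cert == "" && key == "" {
		out = append(out, "no client certificate (sslcert/sslkey) in the DSN")
	} else if cert == "" || key == "" {
		out = append(out, "sslcert and sslkey are not both set")
	}
	for _, k := range []string{"sslrootcert", "sslcert", "sslkey"} {
		if p := q.Get(k); p != "" && !path.IsAbs(p) {
			out = append(out, k+"="+p+" is relative to the exporter's working directory")
		}
	}
	return out, nil
}

// Redact masks the password so the DSN can be logged or pasted into an issue.
func Redact(dsn string) string {
	u, err := url.Parse(dsn)
	if err != nil {
		return "<unparseable DSN>"
	}
	if _, ok := u.User.Password(); ok {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	}
	return u.String()
}

func main() {
	// Constructed DSN shaped like the first command in the thread.
	dsn := "postgresql://postgres:s3cret@db.example.internal:5432/postgres?sslmode=require"
	findings, _ := LintDSN(dsn)
	fmt.Println(Redact(dsn), findings)
}
```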