prometheus-pve / prometheus-pve-exporter

Exposes information gathered from Proxmox VE cluster for use by the Prometheus monitoring system
Apache License 2.0

Please add support for custom CA certificates #264

Closed AngryMandragora closed 1 month ago

AngryMandragora commented 1 month ago

I have a cluster whose web server certificates are signed by a custom CA, and the method you describe in the documentation doesn't work for Docker without creating my own image (which I want to avoid, since that kind of nullifies the advantage of using a provided Docker image). I don't want to disable TLS_VERIFY since we are using a proper infrastructure. Could you add an option to use a specific CA certificate chain for a server (like `ca_certificate_file` or something)?

godber commented 1 month ago

It should be possible to add custom CA certs to the system hosting your exporter ... the README states:

> When operating PVE with self-signed certificates, then it is necessary to either import the certificate into the local trust store (see this SE answer for Debian/Ubuntu) or add `verify_ssl: false` to the config dict as a sibling to the credentials. Note that PVE supports Let's Encrypt out of the box. In many cases setting up trusted certificates is the better option than operating with self-signed certs.

This looks about right:

https://askubuntu.com/questions/1007233/importing-root-ca-certificate-in-linux/1007236#1007236

AngryMandragora commented 1 month ago

In the case of Docker, the host OS's certificates don't matter, and I don't want to add the certificate to the Docker image as stated above.

znerol commented 1 month ago

There is little reason to muck around with the certificate trust store on an application level. I recommend solving this using either a volume or a bind mount in order to modify or replace /etc/ssl/certs inside the container. Please use Stack Overflow or your favorite container runtime community (podman, k8s, docker) to get help with that.

AngryMandragora commented 1 month ago

It's not about the certificate trust store, that's exactly what I want to avoid. It's about using a specific CA certificate to connect to a specific server. Just like the case with SSL exporter for Prometheus (https://github.com/ribbybibby/ssl_exporter):

```yaml
<tls_config>
# The CA cert to use for the targets.
[ ca_file: <filename> ]
```

AngryMandragora commented 1 month ago

Here's an example from SSL exporter (the config we're using, names changed of course):

```yaml
default_module: https
modules:
  https:
    prober: https
  https_domain_one:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/domain_one.crt
  https_domain_two:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/domain_two.crt
  https_sectigo:
    prober: https
    tls_config:
      ca_file: /etc/ssl_exporter/sectigo.crt
  tcp_insecure:
    prober: tcp
    tls_config:
      insecure_skip_verify: true
```

AngryMandragora commented 1 month ago

This way you don't have to change anything inside a Docker container (Debian needs to have links to the certificates in the same directory, pointing to them with their checksum as extension), you can just bind mount files (or a directory containing all of them) and tell the exporter where they are in the config file. Managing this is way easier with automation tools (Ansible in our case).

AngryMandragora commented 1 month ago

In the end, the YAML file for PVE Exporter could look like this:

```yaml
default:
    user: "prometheus@pve"
    token_name: "prometheus"
    token_value: "TOKEN"
    verify_ssl: true
    ca_file: <filename>
```
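As an added illustration for this thread (not code from prometheus-pve-exporter), here is how a per-host `ca_file` option like the one proposed above could be mapped onto the `verify` argument of a `requests`-style HTTP client, which already accepts either a boolean or a path to a PEM bundle. The config keys `verify_ssl` and `ca_file` follow the proposal, the helper names are hypothetical, and the certificate bytes are constructed placeholders, not a real CA.

```python
# Hypothetical helper for this thread (not prometheus-pve-exporter code): map the
# proposed verify_ssl / ca_file settings to the `verify` argument of requests.
import base64
import os
import re
import ssl
import tempfile

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_cert_count(text):
    """Count PEM certificate blocks; ValueError if a block's framing/base64 is bad."""
    blocks = _PEM_BLOCK.findall(text)
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)
    return len(blocks)

def resolve_verify(entry):
    """Return False (no verification), True (system trust store) or a CA bundle path."""
    verify_ssl = entry.get("verify_ssl", True)
    ca_file = entry.get("ca_file")
    if ca_file is None:
        return bool(verify_ssl)
    if not verify_ssl:
        # Pinned CA plus verification disabled is contradictory: fail at startup.
        raise ValueError("ca_file is set but verify_ssl is false")
    with open(ca_file, encoding="ascii") as fh:  # FileNotFoundError if path is wrong
        if pem_cert_count(fh.read()) == 0:
            raise ValueError(f"{ca_file} contains no PEM certificates")
    return ca_file  # requests then trusts only this bundle for the host

def demo():
    # Constructed placeholder bundle (not a real certificate) written to a temp dir.
    body = base64.encodebytes(b"constructed placeholder, not a real certificate").decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        ca_path = os.path.join(tmp, "pve-ca.crt")
        with open(ca_path, "w", encoding="ascii") as fh:
            fh.write(pem * 2)  # two-certificate chain
        results = {
            "default": resolve_verify({"verify_ssl": True}),
            "insecure": resolve_verify({"verify_ssl": False}),
            "pinned": resolve_verify({"verify_ssl": True, "ca_file": ca_path}) == ca_path,
        }
        try:
            resolve_verify({"verify_ssl": False, "ca_file": ca_path})
            results["contradiction_rejected"] = False
        except ValueError:
            results["contradiction_rejected"] = True
    return results
```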