prometheus / blackbox_exporter

Blackbox prober exporter
https://prometheus.io
Apache License 2.0

[Error] local error: tls: no renegotiation #593

Open amandahla opened 4 years ago

amandahla commented 4 years ago

Hi.

I'm trying to monitor a URL but I get "local error: tls: no renegotiation" even with "insecure_skip_verify: true" set.

What can I do?

Host operating system: output of uname -a

Linux 3.10.0-1062.12.1.el7.x86_64 #1 SMP Tue Feb 4 23:02:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

blackbox_exporter version: output of blackbox_exporter -version

blackbox_exporter, version 0.16.0 (branch: HEAD, revision: 991f89846ae10db22a3933356a7d196642fcb9a9) build user: root@64f600555645 build date: 20191111-16:27:24 go version: go1.13.4

What is the blackbox.yml module config?

prober: http
timeout: 1m0s
http:
    valid_status_codes:
      - 200
      - 302
    preferred_ip_protocol: ip4
    ip_protocol_fallback: true
    method: GET
    tls_config:
        insecure_skip_verify: true

What logging output did you get from adding &debug=true to the probe URL?

ts=2020-04-06T19:00:39.763170832Z caller=main.go:304 module=http_2xx target=https://myurl/ level=info msg="Beginning probe" probe=http timeout_seconds=60
ts=2020-04-06T19:00:39.763352392Z caller=http.go:318 module=http_2xx target=https://myurl/ level=info msg="Resolving target address" ip_protocol=ip4
ts=2020-04-06T19:00:39.763378579Z caller=http.go:318 module=http_2xx target=https://myurl/ level=info msg="Resolved target address" ip=myurl
ts=2020-04-06T19:00:39.763437177Z caller=client.go:250 module=http_2xx target=https://myurl/ level=info msg="Making HTTP request" url=https://myurl/ host=myurl
ts=2020-04-06T19:00:39.789910384Z caller=main.go:119 module=http_2xx target=https://myurl/ level=error msg="Error for HTTP request" err="Get https://myurl/: local error: tls: no renegotiation"
ts=2020-04-06T19:00:39.78998463Z caller=main.go:119 module=http_2xx target=https://myurl/ level=info msg="Response timings for roundtrip" roundtrip=0 start=2020-04-06T16:00:39.76352743-03:00 dnsDone=2020-04-06T16:00:39.76352743-03:00 connectDone=2020-04-06T16:00:39.766079065-03:00 gotConn=2020-04-06T16:00:39.785885039-03:00 responseStart=0001-01-01T00:00:00Z end=0001-01-01T00:00:00Z
ts=2020-04-06T19:00:39.790031837Z caller=main.go:304 module=http_2xx target=https://myurl/ level=error msg="Probe failed" duration_seconds=0.026774982

What did you do that produced an error?

Monitoring using Prometheus

What did you expect to see?

probe_success 1

What did you see instead?

probe_success 0

brian-brazil commented 4 years ago

Your endpoint is mandating a niche TLS feature which many implementations don't implement and which is discouraged for security reasons. This is a true positive, your endpoint shouldn't require this - but if you do have more niche TLS or HTTP needs a quick custom script for monitoring would be the way to handle it.
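
For readers who take the "quick custom script" route, the following is an added example in Go, not code from blackbox_exporter or prometheus/common. It shows where the error actually originates: blackbox_exporter's HTTP prober is built on Go's crypto/tls, whose `Renegotiation` field defaults to `RenegotiateNever`, so when a server sends a HelloRequest the client answers with a no_renegotiation alert and the request fails with "local error: tls: no renegotiation". The probe below makes that field configurable and prints blackbox-style metrics. The policy strings never/once/freely, the function and type names, and the metric set are this example's own assumptions; Go's own TLS server never initiates renegotiation, so a local test server can only exercise the success path, and the `once` setting has to be tried against the real endpoint.

```go
package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// ProbeResult holds what a blackbox-style HTTP probe reports (names are this example's own).
type ProbeResult struct {
	Success    bool
	StatusCode int
	Duration   time.Duration
	Err        error
}

// renegotiationPolicy maps a hypothetical config string to crypto/tls's Renegotiation
// setting. Go's default, RenegotiateNever, answers a server HelloRequest with a
// no_renegotiation alert, reported as "local error: tls: no renegotiation".
func renegotiationPolicy(s string) (tls.RenegotiationSupport, error) {
	switch strings.ToLower(s) {
	case "", "never":
		return tls.RenegotiateNever, nil
	case "once":
		return tls.RenegotiateOnceAsClient, nil
	case "freely":
		return tls.RenegotiateFreelyAsClient, nil
	}
	return tls.RenegotiateNever, fmt.Errorf("unknown renegotiation policy %q", s)
}

// NewProbeClient builds an http.Client carrying the chosen renegotiation policy. skipVerify
// mirrors blackbox's insecure_skip_verify; rootCAs may be nil for the system pool.
// Redirects are not followed, so a 302 is judged as-is, like valid_status_codes in the issue.
func NewProbeClient(policy tls.RenegotiationSupport, skipVerify bool, rootCAs *x509.CertPool) *http.Client {
	return &http.Client{
		Timeout: 60 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			Renegotiation: policy, InsecureSkipVerify: skipVerify, RootCAs: rootCAs,
		}},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// Probe performs one GET and judges the status code against validCodes.
func Probe(ctx context.Context, client *http.Client, target string, validCodes []int) ProbeResult {
	start := time.Now()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, target, nil)
	if err != nil {
		return ProbeResult{Err: err, Duration: time.Since(start)}
	}
	resp, err := client.Do(req)
	if err != nil { // TLS-level refusals, including the no-renegotiation alert, surface here
		return ProbeResult{Err: err, Duration: time.Since(start)}
	}
	defer resp.Body.Close()
	r := ProbeResult{StatusCode: resp.StatusCode, Duration: time.Since(start)}
	for _, c := range validCodes {
		if c == resp.StatusCode {
			r.Success = true
		}
	}
	return r
}

// FormatMetrics renders the result in Prometheus text exposition format.
func FormatMetrics(r ProbeResult) string {
	success := 0
	if r.Success {
		success = 1
	}
	var b strings.Builder
	fmt.Fprintf(&b, "# TYPE probe_success gauge\nprobe_success %d\n", success)
	fmt.Fprintf(&b, "# TYPE probe_http_status_code gauge\nprobe_http_status_code %d\n", r.StatusCode)
	fmt.Fprintf(&b, "# TYPE probe_duration_seconds gauge\nprobe_duration_seconds %.6f\n", r.Duration.Seconds())
	return b.String()
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: renegprobe <https-url> [never|once|freely]")
		os.Exit(2)
	}
	policy, err := renegotiationPolicy(strings.Join(os.Args[2:], "")) // empty means "never"
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	r := Probe(context.Background(), NewProbeClient(policy, false, nil), os.Args[1], []int{200, 302})
	if r.Err != nil {
		fmt.Fprintln(os.Stderr, "probe error:", r.Err)
	}
	fmt.Print(FormatMetrics(r))
}
```

Run it as `renegprobe https://myurl/ never` to reproduce the failure from the issue, then with `once` to confirm the endpoint completes once renegotiation is permitted; the output can be dropped into a node_exporter textfile directory or served from a small handler. Keep the relaxed policy scoped to that one target: renegotiation does not exist in TLS 1.3, and the pre-RFC 5746 form of it is the reason the maintainer calls the feature discouraged.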

pelov commented 3 years ago

We are facing a similar issue - probing a TLS endpoint which requires TLS renegotiation.

So, I was wondering if there is actually any chance that this feature gets supported and what would be the right way of doing it? I figured that the TLS config actually comes from github.com/prometheus/common/config and some time ago there was even an issue with a pull request but it was dropped. So, is that the right way of fixing this issue?

I am considering making a fork of the blackbox exporter, making a local copy of the prometheus/common/config and applying the renegotiation patch from prometheus/common#221. I think this will solve our problem but I am also willing to help adding this feature to blackbox/prometheus.

brian-brazil commented 3 years ago

Given that this is unwise in security terms and such an endpoint is arguably broken, there's no plans to support this.