ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

client cert verify or local target #3

Closed xelite closed 5 years ago

xelite commented 5 years ago

I want to check my docker and consul certs with ssl_exporter, but I've got client verify enabled on the server side. Is it possible to configure a client cert or set a target on the local filesystem? Currently I've got this error in the log:

 remote error: tls: bad certificate" source="ssl_exporter.go:92"

I can reproduce this with curl:

$ curl -k https://my.node.qa.project:2376
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

# correct connection
$ curl -I --cacert ca.pem --cert server.pem --key server.key https://my.node.qa.project:2376
HTTP/1.1 404 Not Found
Content-Type: application/json
Date: Fri, 08 Mar 2019 13:28:02 GMT
Content-Length: 29

ribbybibby commented 5 years ago

Thanks for the issue @xelite. This is definitely a use case I'd be happy for the ssl_exporter to support, although I think the implementation requires some thought.

First of all, I'm not very familiar with client authentication, so I'll have to do a bit of reading into it and maybe set it up in a lab.

Secondly, I'm wondering what would be the best way to provide the client certificate to the exporter. Where possible I always try to avoid dependencies on local files for Prometheus exporters, but it's definitely problematic to pass it as an argument during the scrape.

However, if we were to pass the location of the cert to the exporter as a flag, we'd be limiting one instance of the exporter to one client cert, which would remove the ability of the exporter to scrape multiple servers that require different client certificates. This would be fine if you were to run one ssl_exporter per target, or one ssl_exporter per root certificate/service but not in the case where someone is using a single ssl_exporter to scrape a range of targets.

ribbybibby commented 5 years ago

@xelite I've made an initial stab at this on this branch. Can you try it out and let me know if it solves your problem? I've tested against a local consul server and it seems to work for me.

$ ./ssl_exporter --tls.client-auth --tls.cacert ca.pem --tls.cert server.pem --tls.key server.key
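
The flow behind those flags, as an added Go example that is not code from ssl_exporter: a loopback HTTPS server that requires a verified client certificate (like the Docker/Consul endpoints in the issue), and a probe that is rejected with the "bad certificate" alert when it has no client cert and reads the server certificate's expiry when it does. The helper names, the self-signed client certificate and the use of httptest's built-in localhost server certificate are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// clientIdentity returns a throwaway self-signed client cert (constructed for this demo) and a pool trusting it.
func clientIdentity() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ssl_exporter"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// startServer mimics the Docker/Consul endpoints in the issue: HTTPS that requires a verified client cert.
// TLS 1.2 is pinned so a missing client cert fails the handshake with the "bad certificate" alert from the log.
func startServer(clientCAs *x509.CertPool) (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs, MaxVersion: tls.VersionTLS12}
	srv.StartTLS() // httptest supplies its own localhost server certificate
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // what the exporter would load via --tls.cacert
	return srv, roots
}

// probe is the exporter's side: dial with the CA bundle plus optional client cert (--tls.cert/--tls.key)
// and return the server certificate's days to expiry, the kind of value ssl_exporter exports.
func probe(addr string, roots *x509.CertPool, certs []tls.Certificate) (float64, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, Certificates: certs})
	if err != nil {
		return 0, err // without a client cert: "remote error: tls: bad certificate"
	}
	defer conn.Close()
	return time.Until(conn.ConnectionState().PeerCertificates[0].NotAfter).Hours() / 24, nil
}
```

Call `probe(srv.Listener.Addr().String(), roots, nil)` and then again with `[]tls.Certificate{id}` to see the rejection and the successful expiry read side by side.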

xelite commented 5 years ago

@ribbybibby I've tested branch #3 and it's working well. The exporter can connect to endpoints with client verify enabled and disabled. IMO you can merge it to master and close this issue. Good work! Thank you.

ribbybibby commented 5 years ago

Great, thanks @xelite. I've merged to master and cut a new release: v0.4.0.