ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

how to probe https non 443 port e.g (https://example.com:1122) #58

Closed tahir59 closed 3 years ago

ribbybibby commented 3 years ago

Hi @tahir59. This should work:

scrape_configs:
  - job_name: 'ssl'
    metrics_path: /probe
    params:
      module: ["https"]
    static_configs:
      - targets:
        - 'https://example.com:1122'
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: 127.0.0.1:9219  # SSL exporter.

Assuming that 'https://example.com:1122' is changed to a valid host and port combination and 127.0.0.1:9219 is the address of your ssl exporter instance.

tahir59 commented 3 years ago

Hi @ribbybibby, refer to the log below:

cert-exporter-2_1 | time="2020-11-13T08:14:15Z" level=error msg="error=Get \"https://consul.test.local:8501\": x509: certificate signed by unknown authority target=https://consul.test.local:8501 prober=https timeout=10s" source="ssl_exporter.go:91"

ribbybibby commented 3 years ago

"error=Get \"https://consul.test.local:8501\": x509: certificate signed by unknown authority"

This probably means the ssl_exporter doesn't have access to the CA cert that issued the certificate for consul.test.local. You either need to install it into the system certs where ssl_exporter is running, or pass it explicitly with tls_config.ca_file in a custom module configuration.

modules:
  https_consul:
    prober: https
    tls_config:
      ca_file: /etc/tls/ca.crt

https://github.com/ribbybibby/ssl_exporter#configuration-file
https://github.com/ribbybibby/ssl_exporter/blob/master/examples/ssl_exporter.yaml

tahir59 commented 3 years ago

docker run -p 9219:9219 ribbybibby/ssl-exporter:latest --config.file="./ssl_exporter.yaml"
time="2020-11-13T10:28:04Z" level=fatal msg="error reading config file: open ./ssl_exporter.yaml: no such file or directory" source="ssl_exporter.go:370"

ribbybibby commented 3 years ago

You need to mount the file in the container:

docker run -p 9219:9219 -v ${PWD}/ssl_exporter.yaml:/ssl_exporter.yaml ribbybibby/ssl-exporter:latest --config.file="./ssl_exporter.yaml"

tahir59 commented 3 years ago

I think there is some issue with ssl_exporter.yaml

docker run -p 9219:9219 -v ${PWD}/ssl_exporter.yaml:/ssl_exporter.yaml ribbybibby/ssl-exporter:latest --config.file="./ssl_exporter.yaml"
time="2020-11-16T03:29:04Z" level=fatal msg="error parsing config file: yaml: unmarshal errors:\n line 14: field timeout not found in type config.Module" source="ssl_exporter.go:370"

ribbybibby commented 3 years ago

The timeout field on the master branch has not been released yet. Remove it for now or run the master tag of the docker image:

ribbybibby/ssl-exporter:master

tahir59 commented 3 years ago

After mounting the CA cert, I need to run "update-ca-trust". How can I do it?

ribbybibby commented 3 years ago

I think the general approach would be to generate the certificate bundle with update-ca-trust or update-ca-certificates or whatever in another container or on your host itself and then mount that in the ssl_exporter container.

There's an example of doing that in Kubernetes with an initContainer here: https://github.com/ribbybibby/ssl_exporter/issues/12#issuecomment-562966945.

For docker you might be able to use volumes: https://www.digitalocean.com/community/tutorials/how-to-share-data-between-docker-containers. I've never really used that feature though so I can't be sure of that.

tahir59 commented 3 years ago

I figured out a way and it worked, no need to run update-ca-certificates.

ribbybibby commented 3 years ago

@tahir59 Glad to hear it!