Closed gevraud closed 2 years ago
The exporter needs the CA certificate of the self signed certificates in order to verify them.
You can either install the CA certificate into the system certs where the exporter is running, or you can explicitly point to it in a module in the configuration file:
```yaml
modules:
  https_self_signed:
    prober: https
    tls_config:
      ca_file: <path to the ca cert>
```
Another option would be to disable verification altogether:
```yaml
modules:
  https_insecure:
    prober: https
    tls_config:
      insecure_skip_verify: true
```
Refer to the example configuration file.
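What the three trust settings discussed above do at the TLS layer, as an added Go example that is not ssl_exporter's own code. It assumes Go's `httptest` server and its built-in self-signed certificate as a constructed stand-in target; `probe` and `compare` are hypothetical helper names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// probe completes a TLS handshake with addr under cfg and returns the leaf
// certificate's expiry (hypothetical helper, not the exporter's code).
func probe(addr string, cfg *tls.Config) (time.Time, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return time.Time{}, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].NotAfter, nil
}

// compare probes one self-signed endpoint under the three trust settings.
func compare() (sysErr, caErr, skipErr error, notAfter time.Time) {
	// Constructed target: httptest serves Go's built-in self-signed test cert.
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	addr := srv.Listener.Addr().String()

	// No tls_config: system roots only, so verification is expected to fail.
	_, sysErr = probe(addr, &tls.Config{})

	// ca_file equivalent: trust exactly the supplied certificate.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	_, caErr = probe(addr, &tls.Config{RootCAs: pool})

	// insecure_skip_verify: handshake succeeds and expiry is readable, but
	// nothing proves the certificate belongs to the host being probed.
	notAfter, skipErr = probe(addr, &tls.Config{InsecureSkipVerify: true})
	return
}

func main() {
	sysErr, caErr, skipErr, notAfter := compare()
	fmt.Println("system roots:        ", sysErr)
	fmt.Println("explicit CA:         ", caErr)
	fmt.Println("insecure_skip_verify:", skipErr, "expires", notAfter)
}
```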
Hello,
Thanks for the answer.
In fact, I am monitoring self-signed certs and known CA certs.
So should I do 2 targets in Prometheus? One for self-signed and one for known CA certs?
Regards
Depends on your approach. If you install your root certificate on the system, then you won't need different targets because the self-signed root will be bundled with all the other roots.
If you're using `ca_file` to point at the root, then yes, you'd have two modules:
```yaml
modules:
  https:
    prober: https
  https_self_signed:
    prober: https
    tls_config:
      ca_file: <path to the ca cert>
```
And then scrape them separately:
```yaml
- job_name: 'ssl-checker'
  metrics_path: /probe
  params:
    module: ["https"]
  static_configs:
    - targets:
        - 'xxx.com:443'
        ...
- job_name: 'ssl-checker-self-signed'
  metrics_path: /probe
  params:
    module: ["https_self_signed"]
  static_configs:
    - targets:
        - 'yyy.com:443'
```
I'll try this.
Thanks for your help.
Hi,
I tried and I got error 400 on all targets.
```yaml
- job_name: 'ssl-checker-self-signed'
  scrape_interval: 1h
  metrics_path: /probe
  params:
    module: ["https_self_signed"]
  static_configs:
    - targets:
        - 'xxx.com:443'
```
Any idea?
Regards
Are you also configuring the required `relabel_configs` as set out in the README?
Yes.
Here is the config:
```yaml
- job_name: 'ssl-checker-self-signed'
  scrape_interval: 1h
  metrics_path: /probe
  params:
    module: ["https_self_signed"]
  static_configs:
    - targets:
        - 'aaa.lan:443'
        - 'xxx.com:443'
  relabel_configs:
    - source_labels: [__address__]
      target_label: __param_target
    - source_labels: [__param_target]
      target_label: instance
    - target_label: __address__
      replacement: ssl-check-exporter-service:9219
```
What does your ssl_exporter config look like? Are you getting any errors in the ssl_exporter logs?
Yes, some logs:
```
x509: certificate signed by unknown authority
```
As this is self-signed, I guess this is OK?
No, that's not okay. If you've configured your `https_self_signed` module with a valid CA cert for your self signed certificates (or set `insecure_skip_verify: true`) then you shouldn't receive that error.
To be honest, this is probably a separate issue to the 400 responses. If you're getting 400 responses from the ssl_exporter then that probably means you're requesting a module that doesn't exist.
What response do you get if you run the following curl?
```
curl 'ssl-check-exporter-service:9219/probe?target=aaa.lan:443&module=https_self_signed'
```
What does your ssl_exporter module config look like?
It seems I get a timeout when trying to curl the service. I'll ask the network team.
I didn't create any config for the exporter container itself. I just pulled and ran the image.
> I didn't create any config for the exporter container itself. I just pulled and ran the image.
You are going to have to configure the exporter for this to work:
```yaml
modules:
  https:
    prober: https
  https_self_signed:
    prober: https
    tls_config:
      ca_file: <path to the ca cert> # Change this to the path to your CA cert
```
--config.file=<path to your config file>
I can't do that as I am monitoring public site certs owned by our clients.
By the way, how many targets can the exporter monitor? I have 180 targets.
> I can't do that as I am monitoring public site certs owned by our clients.
The limitation being that you don't have the CA certificate for their self signed certs? Will they not supply it to you?
Otherwise, you could use this config to ignore the cert failures:
```yaml
modules:
  https:
    prober: https
  https_self_signed:
    prober: https
    tls_config:
      insecure_skip_verify: true
```
Should this config be on the exporter or the Prometheus side?
In the exporter. Place that config in a file next to the exporter and run it with `--config.file=<path to the file>`
Did you manage to resolve your issues?
Hello,
Not really. I am on holiday for the moment. I'll have a look when I come back to work.
Hi,
I am using the https module to monitor website certs.
Some targets are down because the cert is self-signed.
How can I handle this?
Regards