ribbybibby / ssl_exporter

Exports Prometheus metrics for TLS certificates
Apache License 2.0

self signed certificates with https #73

Closed gevraud closed 2 years ago

gevraud commented 3 years ago

Hi,

I am using the https module to monitor website certs.

  - job_name: 'ssl-checker'
    metrics_path: /probe
    params:
      module: ["https"]
    static_configs:
      - targets:
          - 'xxx.com:443'
          - 'yyy.com:443'

Some targets are down because the cert is self-signed.

How can I handle this?

Regards

ribbybibby commented 3 years ago

The exporter needs the CA certificate of the self signed certificates in order to verify them.

You can either install the CA certificate into the system certs where the exporter is running, or you can explicitly point to it in a module in the configuration file:

modules:
  https_self_signed:
    prober: https
    tls_config:
      ca_file: <path to the ca cert>

Another option would be to disable verification altogether:

modules:
  https_insecure:
    prober: https
    tls_config:
      insecure_skip_verify: true

Refer to the example configuration file.

gevraud commented 3 years ago

Hello,

Thanks for the answer.

In fact, I am monitoring self-signed cert and known CA certs.

So should I do 2 targets in Prometheus? One for self-signed and one for known CA certs?

Regards

ribbybibby commented 3 years ago

Depends on your approach. If you install your root certificate on the system, then you won't need different targets because the self-signed root will be bundled with all the other roots.

If you're using ca_file to point at the root, then yes, you'd have two modules:

modules:
  https:
    prober: https
  https_self_signed:
    prober: https
    tls_config:
      ca_file: <path to the ca cert>

And then scrape them separately:

  - job_name: 'ssl-checker'
    metrics_path: /probe
    params:
      module: ["https"]
    static_configs:
      - targets:
          - 'xxx.com:443'

...
  - job_name: 'ssl-checker-self-signed'
    metrics_path: /probe
    params:
      module: ["https_self_signed"]
    static_configs:
      - targets:
          - 'yyy.com:443'

gevraud commented 3 years ago

I'll try this.

Thanks for your help.

gevraud commented 3 years ago

Hi,

I tried and I got error 400 on all targets.

  - job_name: 'ssl-checker-self-signed'
    scrape_interval: 1h
    metrics_path: /probe
    params:
      module: ["https_self_signed"]
    static_configs:
      - targets:
        - 'xxx.com:443'

Any idea?

Regards

ribbybibby commented 3 years ago

Are you also configuring the required relabel_configs as set out in the README?

gevraud commented 3 years ago

yes

Here is the config:

  - job_name: 'ssl-checker-self-signed'
    scrape_interval: 1h
    metrics_path: /probe
    params:
      module: ["https_self_signed"]
    static_configs:
      - targets:
          - 'aaa.lan:443'
          - 'xxx.com:443'
    relabel_configs:
      - source_labels: [__address__]
        target_label: __param_target
      - source_labels: [__param_target]
        target_label: instance
      - target_label: __address__
        replacement: ssl-check-exporter-service:9219

ribbybibby commented 3 years ago

What does your ssl_exporter config look like? Are you getting any errors in the ssl_exporter logs?

gevraud commented 3 years ago

Yes, some logs.

x509: certificate signed by unknown authority

As this is self signed, I guess this is ok ?

ribbybibby commented 3 years ago

No, that's not okay. If you've configured your https_self_signed module with a valid CA cert for your self signed certificates (or set insecure_skip_verify: true) then you shouldn't receive that error.

To be honest, this is probably a separate issue to the 400 responses. If you're getting 400 responses from the ssl_exporter then that probably means you're requesting a module that doesn't exist.

What response do you get if you run the following curl?

curl 'ssl-check-exporter-service:9219/probe?target=aaa.lan:443&module=https_self_signed'

What does your ssl_exporter module config look like?

gevraud commented 3 years ago

It seems I get a timeout when trying to curl the service. I'll ask the network team.

I didn't create any config for the exporter container itself. I just pulled and ran the image.

ribbybibby commented 3 years ago

I didn't create any config for the exporter container itself. I just pulled and ran the image.

You are going to have to configure the exporter for this to work:

  1. Deploy the CA cert for your self-signed certs somewhere on the filesystem that the exporter can access
  2. Create a config file with the following content:

     modules:
       https:
         prober: https
       https_self_signed:
         prober: https
         tls_config:
           ca_file: <path to the ca cert> # Change this to the path to your CA cert

  3. Run the exporter with the flag --config.file=<path to your config file>

gevraud commented 3 years ago

I can't do that as I am monitoring public site certs owned by our clients.

By the way, how many targets can the exporter monitor ? I have 180 targets.

ribbybibby commented 3 years ago

I can't do that as I am monitoring public site certs owned by our clients.

The limitation being that you don't have the CA certificate for their self signed certs? Will they not supply it to you?

Otherwise, you could use this config to ignore the cert failures:

modules:
  https:
    prober: https
  https_self_signed:
    prober: https
    tls_config:
      insecure_skip_verify: true
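
The difference between the three module variants discussed in this thread (the default https module, https_self_signed with tls_config.ca_file, and insecure_skip_verify: true), shown as an added Go example that is not ssl_exporter's own code. It constructs a throwaway self-signed certificate for aaa.lan (a hostname borrowed from the thread), serves it on a loopback port, and dials it the way an https probe does with each tls_config. The module names, the hostname and the certificate are assumptions made for the example, not anything the project ships. The default module fails with exactly the "x509: certificate signed by unknown authority" error reported above, the ca_file module verifies, and the insecure module connects and can still read NotAfter but has no way of telling that the chain is untrusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// Outcome records what each module (names as used in the thread) observes against one target.
type Outcome struct {
	DefaultUnknownAuthority bool      // "https": x509 unknown authority error
	SelfSignedVerified      bool      // "https_self_signed": chain verifies
	InsecureConnected       bool      // "https_insecure": connects regardless
	InsecureNotAfter        time.Time // expiry is still readable when unverified
}

// newSelfSignedCert constructs a throwaway self-signed cert for "aaa.lan" (assumed
// hostname). It is its own root, so it is also the file a user would point ca_file at.
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "aaa.lan"},
		DNSNames:              []string{"aaa.lan"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, err
}

// moduleTLSConfig mirrors the three tls_config variants from the thread,
// keyed by the module names used there.
func moduleTLSConfig(module string, ca *x509.Certificate) *tls.Config {
	cfg := &tls.Config{ServerName: "aaa.lan", RootCAs: x509.NewCertPool()}
	switch module {
	case "https_self_signed": // tls_config.ca_file: <path to the ca cert>
		cfg.RootCAs.AddCert(ca)
	case "https_insecure": // tls_config.insecure_skip_verify: true
		cfg.InsecureSkipVerify = true
	} // "https": default module, a trust store without the self-signed root
	return cfg
}

// RunDemo serves the cert on a loopback port (completing handshakes is all the https
// prober needs) and probes it with each module: TLS connect, then read the presented leaf.
func RunDemo() (Outcome, error) {
	var out Outcome
	cert, ca, err := newSelfSignedCert()
	if err != nil {
		return out, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return out, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	probe := func(module string) (*x509.Certificate, error) {
		conn, err := tls.Dial("tcp", ln.Addr().String(), moduleTLSConfig(module, ca))
		if err != nil {
			return nil, err
		}
		defer conn.Close()
		return conn.ConnectionState().PeerCertificates[0], nil
	}
	_, err = probe("https")
	out.DefaultUnknownAuthority = errors.As(err, new(x509.UnknownAuthorityError))
	_, err = probe("https_self_signed")
	out.SelfSignedVerified = err == nil
	if leaf, err := probe("https_insecure"); err == nil {
		out.InsecureConnected, out.InsecureNotAfter = true, leaf.NotAfter
	}
	return out, nil
}
```

Call RunDemo from a test or a main of your own. The point to keep in mind when choosing the insecure variant: it removes the verification signal for every target scraped with that module, so keep it in its own module and scrape only the self-signed targets with it, as the two-job layout earlier in the thread does, rather than turning it on for the clients' publicly trusted certificates too.
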

gevraud commented 3 years ago

Should this config be on the exporter or the Prometheus side?

ribbybibby commented 3 years ago

In the exporter. Place that config in a file next to the exporter and run it with --config.file=<path to the file>

ribbybibby commented 3 years ago

Did you manage to resolve your issues?

gevraud commented 3 years ago

Hello,

Not really. I am on holiday at the moment. I'll have a look when I come back to work.