cert vs wildcard

[raypettersen]

I'm getting errors in log;
certificate is valid for *.foo.com, foo.com, not abc.foo.com

Shouldn't blackbox accept a wildcard cert without the extra noise?

[brian-brazil]

Are you sure that's a valid wildcard cert?

[raypettersen]

It's a valid geotrust certificate. However it might just be a matter of missing CA on the server itself. This is perhaps by design (blackbox fails when CA is missing on server)?

[brian-brazil]

I'd expect a different error in that case.

[raypettersen]

I'm also getting "certificate signed by unknown authority", even-though the CA is updated and I can successfully curl the site without the --insecure flag. How does the validation work?

[brian-brazil]

It's Go's standard validation.

[raypettersen]

I suspect something is missing here. We have to be able to orchestrate which certificates we trust and vice versa. For example, the exporter needs to pick-up the ca-certs bundle on the server it's running on for starts. Either automatically or through some sort of --include-ca-folder parameter.

My checks are failing miserably at the moment, and I am at a loss on how I can "help" go trust well known certificates that the server and any modern browser trusts.

[brian-brazil]

I'd suggest writing a trivial Go program to do a HTTP Get from the site. If that fails, then you can debug from there.

[raypettersen]

Thanks. I'll see what I can manage on my own. I'm fairly new to Go.

[pj42]

This can be achieved using the standard tls_config options supported in prometheus common code:

http:
  tls_config:
    ca_file: "custom_root_ca.pem"

and you can have a different module for each ca_file you wish to support and if you want to support a standard ssl website using the public root certificates than use a module that doesn't specify a ca_file.