-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cert vs wildcard #81
Comments
Are you sure that's a valid wildcard cert? |
It's a valid geotrust certificate. However it might just be a matter of missing CA on the server itself. This is perhaps by design (blackbox fails when CA is missing on server)? |
I'd expect a different error in that case. |
I'm also getting "certificate signed by unknown authority", even-though the CA is updated and I can successfully curl the site without the --insecure flag. How does the validation work? |
It's Go's standard validation. |
I suspect something is missing here. We have to be able to orchestrate which certificates we trust and vice versa. For example, the exporter needs to pick-up the ca-certs bundle on the server it's running on for starts. Either automatically or through some sort of --include-ca-folder parameter. My checks are failing miserably at the moment, and I am at a loss on how I can "help" go trust well known certificates that the server and any modern browser trusts. |
I'd suggest writing a trivial Go program to do a HTTP Get from the site. If that fails, then you can debug from there. |
Thanks. I'll see what I can manage on my own. I'm fairly new to Go. |
This can be achieved using the standard tls_config options supported in prometheus common code:
and you can have a different module for each ca_file you wish to support and if you want to support a standard ssl website using the public root certificates than use a module that doesn't specify a ca_file. |
I'm getting errors in log;
certificate is valid for *.foo.com, foo.com, not abc.foo.com
Shouldn't blackbox accept a wildcard cert without the extra noise?
The text was updated successfully, but these errors were encountered: