Skip to content

/prometheus

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x509: cannot validate certificate for <ipaddress> because it doesn't contain any IP SANs #1654

Closed
gregorygtseng opened this Issue May 24, 2016 · 6 comments

Comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
3 participants
@gregorygtseng @pdbogen @vhosakot
@gregorygtseng
Copy link
Contributor

gregorygtseng commented May 24, 2016

I have a use case where I am scraping hosts via IP, but they serve a valid SSL cert. I don't want to use the insecure_skip_verify option in <tls_config>. What options do I have?
@pdbogen

This comment has been minimized.

Sign in to view
Copy link
Contributor

pdbogen commented May 24, 2016

Technically, this is not a valid SSL cert, because it doesn't match the name (in this case, IP) being used to connect.

You have three options:

  • Connect by name (either implement DNS, or if your environment is very static, add the hostnames to /etc/hosts on the prometheus server)
  • Set insecure_skip_verify
  • Reissue the certs to include an IP SAN for the host's IP
@gregorygtseng

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

gregorygtseng commented May 24, 2016

So 'valid SSL cert' means it has a complete chain of trust to a root CA. IF there was a proper DNS entry, this would be a non-issue. However these are dynamic environments ( autoscaling / spot instances ), so I do not want to manage an ever changing list of DNS entries or host entries.

I already specified that I don't want to disable verification completely.
Since the host IPs will change, I don't think the IP SAN is a valid option.

There is another option: specify ServerName in prometheus scraper client to match the certificate provided by these hosts.
@pdbogen

This comment has been minimized.

Sign in to view
Copy link
Contributor

pdbogen commented May 24, 2016

The chain of trust is only one aspect of the validity of a certificate. What you're running into- effectively a name mismatch (you call it 1.2.3.4, the cert says it's valid for some.host.example.com)- is another very important validity check.

You're right that providing an alternative expected hostname to the SSL verification routine would fix this issue. Hopefully the devs will implement this for you.
@gregorygtseng

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

gregorygtseng commented May 24, 2016

@pdbogen Thanks for your comments and discussion. I went ahead and created #1658
@gregorygtseng

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

gregorygtseng commented May 26, 2016

Implemented in #1658

@gregorygtseng gregorygtseng closed this May 26, 2016

@atombender atombender referenced this issue Jul 19, 2016

Closed

Kubernetes SD fails with x509 name mismatch #1822

@luckypoem luckypoem referenced this issue Mar 28, 2018

Closed

运行了“./local -raddr http://example.com:8080 -secret <password> -logtostderr”之后 #17

@vhosakot

This comment has been minimized.

Sign in to view
Copy link

vhosakot commented Feb 11, 2019

I saw the same error when using mysql client in golang:

Failed to connect to database:  x509: cannot validate certificate for 10.111.202.229 because it doesn't contain any IP SANs

and setting InsecureSkipVerify to true (to skip verification of certificate) resolved it for me:

https://godoc.org/crypto/tls#Config
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.