Unable to read password protected key file for client cert authentication to the server.

[iyogi]

What did you do?
Scrape metrics from application that is only accessible with client certificates (mutual TLS)
Used following config

tls_config: 
       cert_file: /location/to/client.crt
       key_file: /location/to/client.key

What did you expect to see?
Successful scraping. (may be a solution is the ability to provide pass phrase along with key_file in the tls_config, and reading of this pass phrase by common/config/http_config.go? )

What did you see instead? Under which circumstances?
Error when scraping the metrics due to tls: bad certificate. See error in log below.
Using curl to access same endpoint with the pem file works

curl -k -v -X GET https://localhost:8082/metrics --cert-type PEM --pass X --cert /location/to/client.pem

Environment

• System information:

Darwin 17.3.0 x86_64

• Prometheus version:

prometheus, version 2.0.0 (branch: HEAD, revision: 0a74f98628a0463dddc90528220c94de5032d1a0)
  build user:       root@615b82cb36b6
  build date:       20171108-07:15:39
  go version:       go1.9.2

• Alertmanager version:

NA

• Prometheus configuration file:

# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      - targets: ['localhost:9090']

  - job_name: 'prm_local'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      - targets: ['localhost:8082']
    scheme: https  
    tls_config:
        cert_file: /location/to/client.crt
        key_file: /location/to/client.key      

• Alertmanager configuration file:

NA

• Logs:

level=info ts=2018-01-12T22:05:50.747131Z caller=main.go:394 msg="Loading configuration file" filename=prometheus.yml
level=error ts=2018-01-12T22:03:14.404933Z caller=scrape.go:146 component="target manager" scrape_pool=prm_local msg="Error creating HTTP client" err="unable to use specified client cert (/location/to/client.crt) & key (/location/to/client.key): tls: failed to parse private key"

level=debug ts=2018-01-12T22:06:03.795497Z caller=scrape.go:663 component="target manager" scrape_pool=prm_local target=https://localhost:8082/metrics msg="Scrape failed" err="Get https://localhost:8082/metrics: remote error: tls: bad certificate"

[iyogi]

Any prospect of someone addressing the issue? Possible categories where this issue may fall under:

• May be this is not an issue at all OR
• may be this issue will not be resolved OR
• will be resolved in an upcoming release?

Would like to know what the contributors think.
Thanks!

[brian-brazil]

It looks like your file is in the wrong format.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.