Unable to read password protected key file for client cert authentication to the server. #3678

Closed
iyogi opened this Issue Jan 12, 2018 · 3 comments

iyogi commented Jan 12, 2018

What did you do?
Scrape metrics from application that is only accessible with client certificates (mutual TLS)
Used the following config:

tls_config:
  cert_file: /location/to/client.crt
  key_file: /location/to/client.key

What did you expect to see?
Successful scraping. (Maybe a solution is the ability to provide a passphrase along with key_file in the tls_config, and reading of this passphrase by common/config/http_config.go?)

What did you see instead? Under which circumstances?
Error when scraping the metrics due to tls: bad certificate. See the error in the log below.
Using curl to access the same endpoint with the pem file works:

curl -k -v -X GET https://localhost:8082/metrics --cert-type PEM --pass X --cert /location/to/client.pem

Environment

  • System information:
Darwin 17.3.0 x86_64
  • Prometheus version:
prometheus, version 2.0.0 (branch: HEAD, revision: 0a74f98628a0463dddc90528220c94de5032d1a0)
  build user:       root@615b82cb36b6
  build date:       20171108-07:15:39
  go version:       go1.9.2
  • Alertmanager version:

NA

  • Prometheus configuration file:
# my global config
global:
  scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
  # scrape_timeout is set to the global default (10s).

# Alertmanager configuration
alerting:
  alertmanagers:
  - static_configs:
    - targets:
      # - alertmanager:9093

# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
rule_files:
  # - "first_rules.yml"
  # - "second_rules.yml"

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
  - job_name: 'prometheus'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      - targets: ['localhost:9090']

  - job_name: 'prm_local'

    # metrics_path defaults to '/metrics'
    # scheme defaults to 'http'.

    static_configs:
      - targets: ['localhost:8082']
    scheme: https
    tls_config:
      cert_file: /location/to/client.crt
      key_file: /location/to/client.key
  • Alertmanager configuration file:
NA
  • Logs:
level=info ts=2018-01-12T22:05:50.747131Z caller=main.go:394 msg="Loading configuration file" filename=prometheus.yml
level=error ts=2018-01-12T22:03:14.404933Z caller=scrape.go:146 component="target manager" scrape_pool=prm_local msg="Error creating HTTP client" err="unable to use specified client cert (/location/to/client.crt) & key (/location/to/client.key): tls: failed to parse private key"

level=debug ts=2018-01-12T22:06:03.795497Z caller=scrape.go:663 component="target manager" scrape_pool=prm_local target=https://localhost:8082/metrics msg="Scrape failed" err="Get https://localhost:8082/metrics: remote error: tls: bad certificate"

Author

iyogi commented Jan 31, 2018

Any prospect of someone addressing the issue? Possible categories where this issue may fall under:

  • Maybe this is not an issue at all OR
  • maybe this issue will not be resolved OR
  • will be resolved in an upcoming release?

Would like to know what the contributors think.
Thanks!

Member

brian-brazil commented Feb 2, 2018

It looks like your file is in the wrong format.
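
Added example (not part of the original thread and not Prometheus code): Go's `tls.X509KeyPair` does not decrypt passphrase-protected private keys, so a pre-flight check on the file given as `key_file` can tell an encrypted key apart from a plaintext one before it reaches the scrape client. The names `classifyKeyPEM` and `sample` are hypothetical, and the PEM blocks are constructed with placeholder bytes rather than real key material.

```go
package main

import (
	"encoding/pem"
	"fmt"
	"strings"
)

// classifyKeyPEM reports how the first private-key block in data is stored:
// "plaintext", "encrypted-legacy" (RFC 1421 Proc-Type header),
// "encrypted-pkcs8", or "no-key" when no private-key block is present.
func classifyKeyPEM(data []byte) string {
	for {
		var block *pem.Block
		block, data = pem.Decode(data)
		if block == nil {
			return "no-key"
		}
		switch {
		case block.Type == "ENCRYPTED PRIVATE KEY":
			return "encrypted-pkcs8"
		case !strings.HasSuffix(block.Type, "PRIVATE KEY"):
			continue // certificate or other block, e.g. in a combined .pem
		case strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED"):
			return "encrypted-legacy"
		default:
			return "plaintext"
		}
	}
}

// sample builds a constructed PEM block; the body is placeholder bytes, not a real key.
func sample(typ string, headers map[string]string) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Headers: headers, Bytes: []byte("constructed-not-a-key")})
}

func main() {
	// Constructed inputs: a legacy encrypted key, alone and behind a certificate block.
	legacy := sample("RSA PRIVATE KEY", map[string]string{
		"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00112233445566778899AABBCCDDEEFF"})
	combined := append(sample("CERTIFICATE", nil), legacy...)
	fmt.Println(classifyKeyPEM(sample("PRIVATE KEY", nil)))
	fmt.Println(classifyKeyPEM(sample("ENCRYPTED PRIVATE KEY", nil)))
	fmt.Println(classifyKeyPEM(combined))
}
```

The check only reads PEM block types and headers; it never needs the passphrase or the decrypted key.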


lock bot commented Mar 22, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked and limited conversation to collaborators Mar 22, 2019
