Support specifying root CAs

[Ducatel]

Hi all,

I have a little problem when I try to connect my Prometheus to cAdvisor client secure by SSL + basic auth.

In my Prometheus, I have this error message:

Get https://db1.xxxx.com:5458/metrics: x509: certificate signed by unknown authority

But when I use Firefox or Chrome to connect to https://db1.xxxx.com:5458/metrics, both of them says ok, certificate validate by Gandi

Also when I check my certificate with the gandi CA file, it's ok too

openssl verify -CAfile GandiStandardSSLCA2.pem certificate.crt
certificate.crt: OK

My Prometheus configuration:

global:
    scrape_interval:     5s
    evaluation_interval: 15s

scrape_configs:

  - job_name: prometheus
    scheme: https
    basic_auth:
    username: admin
    password: 1234

    scrape_interval: 5s
    scrape_timeout: 10s

    target_groups:
    - targets: ['db1.xxxx.com:5458']

Also I use docker to mount all of this services. (alos tested with Prometheus version 0.15.0rc3 (branch: master, revision: d437fce))

So do you have any idea about this problem ?
Thank for your help.

[Ducatel]

I found the problem.
Your docker image doesn't contain any CA file. If you add CA file, it's working.

[jimmidyson]

As an extension to this, I've raised #917 being able to support self-signed certs - in this case we could just add the Gandi certificate to config & be loaded b prometheus without having to update the actual docker image. This would provide more generic support for unknown certificates, including self-signed.

[brian-brazil]

This is supported by the CAFile configuration parameter.

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.