TLS CONFIGURATION


Chinelo Ufondu

Sep 15, 2024, 11:48:16 AM
to Prometheus Users
Hello all!!

I am currently trying to configure TLS in my Alertmanager configuration file to enable it to authenticate to my SMTP host. I have tried various options from the documentation and forums, but all to no avail. I would appreciate assistance with this blocker.

Brian Candler

Sep 15, 2024, 1:46:48 PM
to Prometheus Users
Show what you did, and what the error was, and then maybe we can help you.

There are some global settings that cover common use cases:

However, if you need more control (e.g. for client certificate auth or accepting self-signed certificates from the E-mail server) you'll need to use tls_config under the email receiver definition:

Chinelo Ufondu

Sep 15, 2024, 2:01:36 PM
to Brian Candler, Prometheus Users
This is what I did:
global:
  smtp_smarthost: smtp.zoho.com:587
  smtp_from: chi...@valucid.com
  smtp_auth_username: 'chi...@valucid.com'
  smtp_auth_password: 'command60'
  smtp_require_tls: true
tls_config:
  cert_file: /home/chinelo/alertmanager.crt
  key_file: /home/chinelo/alertmanager.key
receivers:
  - name: send_email
    email_configs:
      - to: chi...@valucid.com
        from: chi...@valucid.com
        smarthost: smtp.zoho.com:587
        auth_username: chi...@valucid.com
        auth_password: password
        require_tls: true
  - name: send_email2
    email_configs:
      - to: la...@valucid.com
        from: la...@valucid.com
        smarthost: smtp.zoho.com:587
        auth_username: la...@valucid.com
        auth_password: password
        require_tls: true
route:
  receiver: send_email
  routes:
    - receiver: send_email2
inhibit_rules:
  - source_match:
      severity: critical
    target_match:
      severity: warning
    equal:
      - alertname
      - dev
      - instance


The error

:58:49.480Z caller=coordinator.go:118 level=error component=configuration msg="Loading configuration file failed" file=/etc/alertmanager/alertmanager.yml err="yaml: unmarshal errors:\n  line 7: field tls_config not found in type config.plain"
Sep 15 17:58:49 localhost alertmanager[2767706]: ts=2024-09-15T17:58:49.480Z caller=cluster.go:692 level=info component=cluster msg="gossip not settled but continuing anyway" polls=0 elapsed=34.861156ms
Sep 15 17:58:49 localhost systemd[1]: alertmanager.service: Main process exited, code=



Chinelo Ufondu

Sep 15, 2024, 2:08:28 PM
to Brian Candler, Prometheus Users
This is what I did:
global:
  smtp_smarthost: smtp.zoho.com:587
  smtp_from: chi...@valucid.com
  smtp_auth_username: 'chi...@valucid.com'
  smtp_auth_password: passs
  smtp_require_tls: true
tls_config:
  cert_file: /home/chinelo/alertmanager.crt
  key_file: /home/chinelo/alertmanager.key
receivers:
  - name: send_email
    email_configs:
      - to: chi...@valucid.com
        from: chi...@valucid.com
        smarthost: smtp.zoho.com:587
        auth_username: chi...@valucid.com
        auth_password: passss
        require_tls: true
  - name: send_email2
    email_configs:
      - to: la...@valucid.com
        from: la...@valucid.com
        smarthost: smtp.zoho.com:587
        auth_username: la...@valucid.com
        auth_password: passss
        require_tls: true
route:
  receiver: send_email
  routes:
    - receiver: send_email2
inhibit_rules:
  - source_match:
      severity: critical
    target_match:
      severity: warning
    equal:
      - alertname
      - dev
      - instance

The error
 ts=2024-09-15T17:58:49.480Z caller=coordinator.go:118 level=error component=configuration msg="Loadion file failed" file=/etc/alertmanager/alertmanager.yml err="yaml: unmarshal errors:\n  line 7: field tls_config not found in type config.plain"

Sep 15 17:58:49 localhost alertmanager[2767706]: ts=2024-09-15T17:58:49.480Z 

Brian Candler

Sep 15, 2024, 4:06:03 PM
to Prometheus Users
> The error
> ts=2024-09-15T17:58:49.480Z caller=coordinator.go:118 level=error component=configuration msg="Loadion file failed" file=/etc/alertmanager/alertmanager.yml err="yaml: unmarshal errors:\n  line 7: field tls_config not found in type config.plain"

It's saying that you cannot put "tls_config" as a top-level key in Prometheus config. Since the config file is invalid, it cannot run.

As I said before, if you need to use tls_config then it has to be under the E-mail receiver.

receivers:
  - name: send_email
    email_configs:
      - to: chi...@valucid.com
        from: chi...@valucid.com
        smarthost: smtp.zoho.com:587
        auth_username: chi...@valucid.com
        auth_password: passss
        require_tls: true
        tls_config:
          ... blah

You don't need to repeat the smarthost / auth_username / auth_password / require_tls if you've set them globally.
But unfortunately you *do* need to put a separate "tls_config" section under every email receiver.

> tls_config:
>   cert_file: /home/chinelo/alertmanager.crt
>   key_file: /home/chinelo/alertmanager.key

That means you want to authenticate to your SMTP server using a TLS client certificate. I note that if I connect to it, it says it only supports password authentication (LOGIN and PLAIN):

% openssl s_client -connect smtp.zoho.com:587 -starttls smtp
...
ehlo wombat
250-mx.zohomail.com Hello wombat (x.x.x.x (x.x.x.x))
250-AUTH LOGIN PLAIN
250 SIZE 32505856

I believe the normal way to do TLS client authentication would be with the SASL "EXTERNAL" mechanism. But since you are already providing an auth_username and auth_password, I don't think you'll need to provide a TLS certificate as well. (In which case, maybe you don't need a tls_config section at all.)

However, that's all detail around your particular SMTP server, and maybe it works in a weird way.
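
Added example (not part of the original thread, and not Alertmanager code): a small parser for the EHLO reply shown in the post above, which lists the AUTH mechanisms a server advertises after STARTTLS and applies the post's reasoning that a client certificate only matters when SASL EXTERNAL is offered. The function names and the sample reply are constructed for illustration; the EXTERNAL check is a heuristic taken from that reasoning, not a guarantee about any particular server.

```python
import re

# Constructed sample: the EHLO reply quoted in the thread (seen after STARTTLS).
EHLO_REPLY = """\
250-mx.zohomail.com Hello wombat (x.x.x.x (x.x.x.x))
250-AUTH LOGIN PLAIN
250 SIZE 32505856
"""

# "250-" marks a continuation line, "250 " marks the final line of the reply.
_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} for a multi-line 250 EHLO reply."""
    features = {}
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m or m.group(1) != "250":
            raise ValueError("unexpected SMTP reply line: %r" % line)
        is_final = m.group(2) == " "
        if is_final != (i == len(lines) - 1):
            raise ValueError("malformed continuation at line %d" % (i + 1))
        if i == 0:
            continue  # first line is the server greeting, not a feature
        # Some older servers send "AUTH=LOGIN PLAIN"; normalise to a space.
        words = m.group(3).replace("=", " ", 1).split()
        if words:
            params = [w.upper() for w in words[1:]]
            features.setdefault(words[0].upper(), []).extend(params)
    return features


def auth_mechanisms(reply):
    """SASL mechanisms the server advertises, e.g. ['LOGIN', 'PLAIN']."""
    return parse_ehlo(reply).get("AUTH", [])


def client_cert_useful(reply):
    """Heuristic from the post above: cert_file/key_file in tls_config are
    only relevant for authentication if the server offers SASL EXTERNAL."""
    return "EXTERNAL" in auth_mechanisms(reply)


if __name__ == "__main__":
    print("AUTH mechanisms:", auth_mechanisms(EHLO_REPLY))
    print("client certificate useful:", client_cert_useful(EHLO_REPLY))
```
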

Chinelo Ufondu

Sep 17, 2024, 5:35:35 AM
to Brian Candler, Prometheus Users
Thanks for the clarifications, will do the needful

