Can I disable SSL validation for prometheus-nats-exporter


Mark Leone

Jun 9, 2020, 6:23:09 PM
to Prometheus Users
I'm running the nats exporter on a private network, and the nats server's cert is signed by our own CA, not any standard one. So I'd like to disable SSL validation. I don't see an option for that but I thought I'd ask. I could add a docker layer and insert my own ca cert file in /etc/pki.tls/cert. Does anyone know if they use the system store or perhaps have some other CA store that they use?

-Mark Leone

Mark Leone

Jun 10, 2020, 3:29:03 PM
to Prometheus Users
Well, looking at the docker build, there is only a single executable in the image, so the CAs are apparently baked in. I tried, just in case, using the arg -tlscacert to point to my ca file, but that's advertised as being for client connections, and in fact it didn't make any difference. It seems this Exporter doesn't support disabling SSL verification or specifying a custom CA for connecting to a NATS server. Unfortunately, I can't use it in that case. If anyone knows a way around this, or a different nats exporter that doesn't have this limitation, please let me know.

Harald Koch

Jun 10, 2020, 4:33:15 PM
to Prometheus Users
On Wed, Jun 10, 2020, at 15:29, Mark Leone wrote:
> Well, looking at the docker build, there is only a single executable in the image, so the CAs are apparently baked in. I tried, just in case, using the arg -tlscacert to point to my ca file, but that's advertised as being for client connections, and in fact it didn't make any difference. It seems this Exporter doesn't support disabling SSL verification or specifying a custom CA for connecting to a NATS server. Unfortunately, I can't use it in that case. If anyone knows a way around this, or a different nats exporter that doesn't have this limitation, please let me know.

1) The exporter source is on github. https://github.com/nats-io/prometheus-nats-exporter

2) The documentation there says it can talk to a NATS server over HTTP - which is effectively the same as using HTTPS but disabling certificate validation.

--
Harald

Mark Leone

Jun 10, 2020, 4:58:10 PM
to Harald Koch, Prometheus Users
Thanks, Harald. My deployment environment is fairly restricted. I have no access to a go build environment, and my nats server is reachable through a reverse proxy which only accepts https requests. I can access the nats http endpoint that is behind the proxy, but its URL changes when the nomad job is re-started, so the proxy is the fixed URL that I need to point to. So I was hoping to have a way to point the server to an https endpoint while disabling cert validation, as many servers do, but it seems that capability was not provided.

-Mark


Mark Leone

Jun 16, 2020, 2:02:52 PM
to Prometheus Users
For any who may be looking for a solution to this, I found a workaround for using a private CA and a simple fix to skip cert validation. The workaround is to volume-map the directory /etc/pki to the docker container running prometheus-nats-exporter. The fix is a one-line change to collector.go. See this issue for details: https://github.com/nats-io/prometheus-nats-exporter/issues/117
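
Background to the private-CA workaround above, as an added example that is not code from prometheus-nats-exporter or from anyone in this thread: a Go HTTPS client can trust a private CA by adding it to its root pool, which keeps certificate verification on. The names `scrape` and `demo` are hypothetical, and the HTTPS endpoint is a constructed local test server standing in for the reverse proxy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// scrape GETs url, verifying the server certificate against the system
// roots plus any PEM-encoded private CA passed in caPEM (nil = system only).
func scrape(url string, caPEM []byte) (int, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool() // no system store available: start empty
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		return 0, errors.New("no certificate found in CA PEM")
	}
	c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}}
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}

// demo runs a constructed HTTPS server whose certificate no public CA signed,
// then scrapes it without and with that certificate added as a trusted root.
func demo() (rejected bool, code int, err error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	_, err = scrape(srv.URL, nil)
	var ua x509.UnknownAuthorityError
	rejected = errors.As(err, &ua) // system roots alone refuse the private cert
	code, err = scrape(srv.URL, caPEM)
	return rejected, code, err
}

func main() {
	fmt.Println(demo())
}
```

Setting `InsecureSkipVerify: true` in the `tls.Config` would also make the second request succeed, but it would then succeed against any certificate, including one presented by an interposed host.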