Re: [prometheus-users] Get https://ip/metrics: x509: cannot validate certificate for ip because it doesn't contain any IP SANs


Jakub Jakubik

Mar 18, 2020, 10:45:41 AM
to Jack Chew, Prometheus Users
Do you have the target configured with the IP address or the domain? Is the domain in the cert? With curl, do you use the IP or the hostname?

On Wed, Mar 18, 2020 at 12:35 PM Jack Chew <jack...@gmail.com> wrote:
Hi team,

When I configure the TLS path in the Prometheus config file, it raises "Get https://ip:9100/metrics: x509: cannot validate certificate for ip because it doesn't contain any IP SANs", but when I try curl it works.



--
Kuba Jakubik
SRE Tech Lead
Netguru - Building software for world changers
jakub....@netguru.com
netguru.com

Jack Chew

Mar 19, 2020, 5:50:43 AM
to Prometheus Users
Hi Jakubik,

The target is configured with the IP address, and the cert is self-signed from openssl. When I curl, the link is the IP address.


Brian Candler

Mar 19, 2020, 12:59:18 PM
to Prometheus Users
Then you must be using curl -k to ignore the certificate entirely, or you must be passing the cert itself to curl.

Both options are possible from prometheus too - check out the options under tls_config.

Cameron Kerr

Mar 24, 2020, 9:42:06 PM
to Prometheus Users
From the error message, it would appear that you are communicating via the IP and not the DNS name. You should communicate using the DNS name. If you really want to communicate by IP (why? if DNS stability is a concern, use /etc/hosts or similar), then you would need to have an IP type of entry in the name (probably in addition to the DNS name).

Having IPs in the certificate is not recommended (even deprecated, I think) in CA certificates, and I wouldn't trust browsers to honour them. Cf: https://www.geocerts.com/support/ip-address-in-ssl-certificate, which discusses some of the pitfalls, although you may well decide that is not valid for your deployment.

This is like creating a self-signed certificate with a Subject Alternate Name (aka, a SAN cert). This will allow you to put other names / aliases into the certificate.

However, the best thing would be to communicate using the hostname; or turn off validation if you are comfortable with that, and can be bothered supporting that (in case other things want to communicate with Prometheus, such as Grafana or any ad-hoc reporting).

When creating a self-signed certificate, you can include a Subject-Alternate-Name (SAN). It appears to be more of a requirement these days according to the CA Browser forum, or so I'm led to believe by the people who provide us with certificates.

Here are some bash commands you can use (from my own notes).

Tested for RHEL5, RHEL6, and RHEL7 (creating a self-signed certificate with a SAN)

First copy and edit the BASE, CN and SANs, and paste those into a terminal, then paste the command.

# Edit BASE, CN and SANs first. The DNS: entry should be the name Prometheus scrapes;
# the IP: entry is only needed if the target is configured by IP address.
BASE=test
CN="/CN=test.example.com"
SANs="DNS:test.example.com,IP:192.168.12.23"

# -x509 emits a self-signed certificate directly; -nodes leaves the key unencrypted.
# -reqexts/-extensions SAN pick up the [SAN] section appended to the stock openssl.cnf
# through bash process substitution.
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 \
  -keyout /etc/pki/tls/private/$BASE-selfsigned.key \
  -out    /etc/pki/tls/certs/$BASE-selfsigned.cert \
  -reqexts SAN -extensions SAN \
  -subj "$CN" \
  -config <(
    cat /etc/pki/tls/openssl.cnf
    printf "[SAN]\nsubjectAltName=$SANs"
  )

I hope you find that useful.

Cheers,
Cameron


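Added example, not from this thread and not Prometheus code: Go reproduces the exact verification that Prometheus (which uses Go's crypto/tls) performs on a scrape, so you can see why a bare-IP target fails without an IP SAN and how a DNS SAN plus tls_config.server_name avoids it. The helper names selfSigned and verifyFor are hypothetical; the IP and hostname are the sample values from Cameron's snippet.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed certificate carrying the given DNS and IP SANs.
// It is a constructed fixture for this example, not a Prometheus or exporter artifact.
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames, // subjectAltName DNS: entries
		IPAddresses:           ips,      // subjectAltName IP: entries
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyFor mirrors what Prometheus (Go's crypto/tls) does on a scrape: the server
// cert is checked, with tls_config.ca_file as trust root, against the host part of the
// target URL, or against tls_config.server_name when that is set. Returns nil on success.
func verifyFor(cert *x509.Certificate, urlHost, serverName string) error {
	name := urlHost
	if serverName != "" {
		name = serverName
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert) // the ca_file role
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: name})
	return err
}
```

With a DNS-only certificate, verifyFor against "192.168.12.23" returns the "doesn't contain any IP SANs" error from the subject line, while the same certificate passes once server_name names the DNS SAN.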
Jack Chew

Mar 25, 2020, 9:27:31 PM
to Prometheus Users
Thanks Cameron Kerr,

I followed https://groups.google.com/d/msg/prometheus-users/7SzbGIWpiD4/kwVEG8blBAAJ and it has solved the issue.


Nirpat Choudhary

May 6, 2024, 2:26:52 AM
to Prometheus Users
Could you please clarify whether the target is configured with the IP address or domain? Additionally, I am curious to know if the domain is present in the certificate. When you use curl, do you prefer using the IP or hostname? Thank you.