Why does not work `With CA Cert `

urbainleverrier · February 4, 2020, 6:50am

I configured Prometheus Datasource behind of self-signed tls Nginx proxy.
I got the following error.

But it works if …

checked Skip TLS Verify
curl --cacert /root/ca.crt https://localhost - https://localhost is nginx endpoint.

My Configuration

nginx.conf

$ cat /etc/Nginx/Nginx.conf
http {
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$request_body"';
  server {
    listen                 443 ssl;
    server_name            localhost;
    ssl_certificate        /root/server.crt;
    ssl_certificate_key    /root/server.key;

    location / {
      proxy_pass http://localhost:9090/;
    }
  }
}

events {}

certifications

$ ln -s /root/ca.crt /root/"$(openssl x509 -hash -noout -in /root/ca.crt).0"
$ openssl verify -CApath /root /root/server.crt
/root/server.crt: OK
$ cat /root/ca.crt
-----BEGIN CERTIFICATE-----
MIIFAzCCAuugAwIBAgIUb/w9rveUgWxxJaQgB9F7tuOmNpEwDQYJKoZIhvcNAQEL
BQAwETEPMA0GA1UEAwwGcm9vdGNhMB4XDTIwMDIwMjE2MDI1N1oXDTIxMDIwMTE2
MDI1N1owETEPMA0GA1UEAwwGcm9vdGNhMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEAuG5QOO4LmAOkgj1Y9o4Dfy0yYnO4MrPrWayP96huHLBqpz19YviQ
cr9YYrU5dydFS71StWuQObagzbFzV8ffZ9WngbuYtoKVLAcDBSYWYeNbVY2CaP6L
mytL1ftAi5weL1G3MbPCgLDdHkUhuXSKw+W35PqwnuuI3dCSzz8D/2LZ2XQS0EVW
q5URxhevfYA6UTvq/CqCma16JVk4fGBS1nLBtHz0WAIdwx6PcxAHtSNHDG74BLBP
vZPAZTXTHPEEpdat/6FMiexfLPN7svkPkriiJlR6ZDVo6xoPuFMrC5E9RtHEJS9z
mljnaO7GBKoVVOlvVWNo/4ny6+Ajkk612P9Kr38CIFnz5PcbHBu3d9IXHGG0E1h1
WXS0ENkFznPfpNtS76723jPOpE1FieYSBsm9NBH63K4gkEUCTXqppN2Zo2fRWylv
918c8oxELbYc75Ip0KJLk5kVc3clPCXZLu8KKiKL4eEHt3s2iyS7kI09J+474gp5
75Y9ipR3f8htyp2B0grE3PIyva+oK4g8Cy0dOr3sguYQMOBM+rDM8QeoVPIaZ7bC
P5U7tFk5ylv3PhafjE0DTDi5hOkFvieOrtlXFQwlnKe3P+OsrYs0SfJx+fflbZ29
9iYzRzAOVyIyrTiXzg6SCKcQPgeQPu+TdC9cxlGdRMBEEjeRdN+K0QUCAwEAAaNT
MFEwHQYDVR0OBBYEFLXdWv7gLvsamnq9mUATdzmQAtWEMB8GA1UdIwQYMBaAFLXd
Wv7gLvsamnq9mUATdzmQAtWEMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggIBAIqlo+VW9eEzLn5A6aDEklN7bQrDDbL2ijmZ4XWIpz0JSvbNlXXmSAir
xEhjE4buK3y0fQ/dwoFvqB4dYL61mXWuJPnVCffc47eEXNwJ/HmgeQY5lv0DlQlC
/93S1scP8cEeIghVkbMRqFpQKPrte5jP0V6lA0O+DGc7rzB4aJu0jXYpIu7K0Cl0
N2pBCA8Wkjt6z6UyZanZwrtMpLrq34n/wqSktgaR2UmHSiuNzaFaS6fIGUdDZ/rs
n3GkhMHXiB0K0VhtuQ7stVimB2wSbfEU5KLX34nnrM3KDQOxU59L5Khlg6kKjg9I
r6A720IIFMeLxzh+gIBnMfX3qz9or3440xSL3nd6TTFb98+gt57Ebi2JwFYBmMj8
exPkRRaYezpBDLFWpkYI6lzieDFQZzxxwZY2CZa/vOerAcMLoBME2AwDy+DwMb1W
rIrKSPajq4VZG0bpvvkhuzg9Ux6Yyt8jfYQpRovOYO/fUFt8CM5xT9DQ6iHy+sg/
+Dqp0WerF01Uar6Sc0P1W9xgloOs45TjEBN1xsNsCwB76oOxb/BMUEHswMAbEbxv
ZJ6dWleBA4j2XK0EbQF/6kpqcZLtmEF3Eh9MiTwVf4HNQHXsouzKraMgpwb63yeF
mnIVGilA3n/fBw7/ErH2mTR4m0/YuPi10/HWyJQZN9C7XFWv5Ymo
-----END CERTIFICATE-----

urbainleverrier · February 4, 2020, 8:45am

I solved.
It was caused by my code.
I created Prometheus datasource via Grafana API, but I sent the dashboard JSON data as a string value instead of a bool value. Such as

// wrong
"jsonData":{"httpMethod":"GET","tlsAuth":"true","tlsAuthWithCACert":"true"}
// correct
"jsonData":{"httpMethod":"GET","tlsAuth":true,"tlsAuthWithCACert":true}

Topic		Replies	Views
Configure Prometheus Datasource with SSL Configuration	1	4508	February 19, 2019
Error in creating Prometheus datasource Configuration	1	381	October 3, 2022
Promethues https Prometheus	4	1512	August 31, 2021
Datasource TLS verification in v.4.6.2 (bug?) + datasource API setup (question) Grafana	4	3912	March 14, 2019
How to set up data source with https to prometheus Configuration	1	674	January 2, 2020

Why does not work `With CA Cert `

Related topics