Please don't paste graphical screenshots: they are hard to read, and it's impossible to copy-paste them to make corrections.

First thing is, you're scraping port 9090 but you haven't told it to use HTTPS. You need the setting "scheme: https" <https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config> in the scrape job.

Secondly, you've set up TLS wrongly, although it may work given that you have "insecure_skip_verify: true".

- At the *server* side you need tls_server_config with cert_file and key_file, which is as you have it.
- At the *client* side (which in this case is prometheus making an outbound scrape connection to itself), you don't want cert_file or key_file; you need ca_file. This points to the certificate file of the certificate authority which signed the example.com.crt certificate. If this is a self-signed certificate, then this is the same certificate, i.e. "ca_file: example.com.crt"

Thirdly, you're connecting to the host using name "localhost", but this will only verify successfully if the certificate contains "localhost" as one of its SubjectAltNames. You should connect using whatever name you signed for the certificate. Or, you can use the "server_name: ..." setting in tls_config to say what name to expect in the certificate presented by the server. Again, "insecure_skip_verify" will probably skip this check. (But of course, really you don't want to use "insecure_skip_verify". Why are you deploying TLS at all, if you're doing it in an insecure way?)

Fourthly, you didn't show how you generated the certificates. With modern versions of Go (and hence recent versions of Prometheus), the certificate CommonName is ignored. The server *must* have a certificate with at least one SubjectAltName. So if you followed an out-of-date how-to for signing certificates, you probably made a bad certificate.

This is what I use:

    mkdir /etc/prometheus/ssl
    cd /etc/prometheus/ssl
    openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out p-256.param
    openssl req -x509 -newkey ec:p-256.param -keyout prometheus_key.pem -out prometheus_cert.pem -days 29220 -nodes -subj /commonName=prometheus/ -addext "subjectAltName=DNS:prometheus"

In "/commonName=prometheus/" and "DNS:prometheus", replace "prometheus" with the hostname you want in the certificate. "localhost" would work, but apart from self-scraping, normally your clients are connecting to the prometheus server using some real fully-qualified domain name not "localhost", so you should use that FQDN.

On Tuesday, 24 May 2022 at 11:33:43 UTC+1 [email protected] wrote:

> Hi,
>
> I don't know how TLS certs work on Windows, but you should at least be
> able to see the exact scrape error on the /targets page of your Prometheus
> server - what does it say?
>
> Cheers,
> Julius
>
> On Tue, May 24, 2022 at 11:57 AM Hank Huang <[email protected]> wrote:
>
>> Hi all!
>>
>> So I setup Prometheus to monitor itself.
>> Now I want to test with https, so I followed the doc and generated
>> example.com.crt and example.com.key, and referenced them in the config file
>> and web config file.
>> I also double clicked on the example.com.crt to install the cert onto my
>> machine.
>> Then I launch the Prometheus with the two config files:
>> .\prometheus.exe --config.file=prometheus.yml --web.config.file=web.yml
>>
>> When I query "up" from Prometheus, it's always 0, the response status is
>> 200 though. Also there's a "TLS handshake error" in the console.
>> I think maybe it's because I didn't install the cert correctly. Any
>> insight is appreciated.
>>
>> [image: Screenshot 2022-05-24 173210.png]
>> [image: Screenshot 2022-05-24 173734.png]
>>
>> config file (prometheus.yml):
>> [image: Screenshot 2022-05-24 161738.png]
>>
>> web config file (web.yml):
>> [image: Screenshot 2022-05-24 161825.png]
>>
>> syntax wise looks fine:
>> [image: Screenshot 2022-05-24 162119.png]
>> [image: Screenshot 2022-05-24 162158.png]
>
> --
> Julius Volz
> PromLabs - promlabs.com

