On Monday, 9 March 2020 11:06:59 UTC, BDT wrote:
>
> To check if the certificate is ok, just cancel the http auth and click on 
> the padlock of the address bar and check the tls certificate
> I am behind the firewall of ovh but didn't config it to perform mitm 
> decryption
>
>
The problem *appears* to be that alertmanager is saying the certificate of 
"hooks.slack.com" is wrong.  The certificate looks OK to me, although it's a 
wildcard:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Feb  8 00:00:00 2018 GMT
            Not After : Feb 12 12:00:00 2021 GMT
        Subject: C=US, ST=CA, L=San Francisco, O=Slack Technologies, Inc., CN=slack.com
    ...
            X509v3 Subject Alternative Name:
                DNS:slack.com, DNS:*.slack.com

So as was already suggested: first check that certificate validation 
*inside your alertmanager docker container* is working.  e.g.

docker exec -it <containername> bash
curl https://hooks.slack.com/...etc

Maybe you are missing ca-certificates inside the container?

If not, then I don't know.  Presumably lots of other people are sending to 
hooks.slack.com successfully, which means that the wildcard cert validation 
is working.

Note: slack is fronted by cloudfront, and I don't get the certificate 
unless I include servername (SNI) extension:

$ openssl s_client -connect hooks.slack.com:443 -servername hooks.slack.com

I'm *fairly* sure golang/prometheus will do this by default, but there's a 
way to override it if necessary:

http_config:
  tls_config:
    server_name: hooks.slack.com

The other thing you could try temporarily, just while you debug the 
problem, is:

http_config:
  tls_config:
    insecure_skip_verify: true

If that makes the problem go away, you know for sure it's something to do 
with alertmanager incorrectly validating the certificate from slack.  If it 
doesn't, then you at least don't need to keep barking up the wrong tree.

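Added example (not part of the original message, and not Alertmanager's own code): a small Go program that repeats the checks from the message above with the same crypto/tls and crypto/x509 libraries a Go client uses, and names the cause instead of leaving a generic x509 error. The function names are illustrative; the SAN list is copied from the certificate dump above.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"time"
)

// sanMatches checks host against SAN DNS names using crypto/x509's own matching rules.
func sanMatches(sans []string, host string) error {
	return (&x509.Certificate{DNSNames: sans}).VerifyHostname(host)
}

// probe does a verified handshake: serverName is sent as SNI and checked against the cert.
func probe(addr, serverName string) error {
	d := &net.Dialer{Timeout: 10 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{ServerName: serverName})
	if err != nil {
		return err
	}
	return conn.Close()
}

// diagnose maps a handshake error to the causes raised in the message above.
func diagnose(err error) string {
	var ua x509.UnknownAuthorityError
	var he x509.HostnameError
	var ci x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "unknown authority: no usable CA bundle in the container, or TLS is intercepted"
	case errors.As(err, &he):
		return "hostname mismatch: served certificate does not cover the name (check SNI)"
	case errors.As(err, &ci):
		return "certificate invalid (e.g. expired; check the container clock): " + err.Error()
	}
	return "not a certificate validation error: " + err.Error()
}

func main() {
	const host = "hooks.slack.com"
	// SAN list as shown in the certificate dump quoted in the message.
	fmt.Println("SAN match:", diagnose(sanMatches([]string{"slack.com", "*.slack.com"}, host)))
	fmt.Println("handshake:", diagnose(probe(host+":443", host)))
}
```

Build it with CGO_ENABLED=0 and run the binary inside the alertmanager container, so it sees the same CA bundle and network path as alertmanager does.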