Ok I would try to add
    http_config:
      tls_config:
        insecure_skip_verify: true
The doc of alertmanager:
    # Configures the TLS settings.
    tls_config:
      [ <tls_config> ]
    # Optional proxy URL.
    [ proxy_url: <string> ]
    # CA certificate to validate the server certificate with.
    [ ca_file: <filepath> ]
    # Certificate and key files for client cert authentication to the server.
    [ cert_file: <filepath> ]
    [ key_file: <filepath> ]
    # ServerName extension to indicate the name of the server.
    # http://tools.ietf.org/html/rfc4366#section-3.1
    [ server_name: <string> ]
    # Disable validation of the server certificate.
    [ insecure_skip_verify: <boolean> | default = false ]
So I try this:
    tls_config:
      # CA certificate to validate the server certificate with.
      ca_file: /etc/ssl/DigiCert_Global_Root_CA.pem
      # ServerName extension to indicate the name of the server.
      # http://tools.ietf.org/html/rfc4366#section-3.1
      server_name: hooks.slack.com
      # Disable validation of the server certificate.
      insecure_skip_verify: false
I get an error in the config. I'm sure I have missed something ^^
On Monday, 9 March 2020 at 14:59:17 UTC+1, Brian Candler wrote:
>
> On Monday, 9 March 2020 11:06:59 UTC, BDT wrote:
>>
>> To check if the certificate is ok, just cancel the http auth and click on
>> the padlock of the address bar and check the tls certificate.
>> I am behind the firewall of ovh but didn't configure it to perform mitm
>> decryption.
>>
>>
> The problem *appears* to be that alertmanager is saying the certificate of
> "hooks.slack.com" is wrong. The certificate looks OK to me, although it's a
> wildcard:
>
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
>         Validity
>             Not Before: Feb 8 00:00:00 2018 GMT
>             Not After : Feb 12 12:00:00 2021 GMT
>         Subject: C=US, ST=CA, L=San Francisco, O=Slack Technologies, Inc., CN=slack.com
>     ...
>             X509v3 Subject Alternative Name:
>                 DNS:slack.com, DNS:*.slack.com
>
> So as was already suggested: first check that certificate validation
> *inside your alertmanager docker container* is working. e.g.
>
>     docker exec -it <containername> bash
>     curl https://hooks.slack.com/...etc
>
> Maybe you are missing ca-certificates inside the container?
>
> If not, then I don't know. Presumably lots of other people are sending to
> hooks.slack.com successfully, which means that the wildcard cert
> validation is working.
>
> Note: slack is fronted by cloudfront, and I don't get the certificate
> unless I include servername (SNI) extension:
>
>     $ openssl s_client -connect hooks.slack.com:443 -servername hooks.slack.com
>
> I'm *fairly* sure golang/prometheus will do this by default, but there's a
> way to override it if necessary:
>
>     http_config:
>       tls_config:
>         server_name: hooks.slack.com
>
> The other thing you could try temporarily, just while you debug the
> problem, is:
>
>     http_config:
>       tls_config:
>         insecure_skip_verify: true
>
> If that makes the problem go away, you know for sure it's something to do
> with alertmanager incorrectly validating the certificate from slack. If it
> doesn't, then you at least don't need to keep barking up the wrong tree.
>
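
An added illustration, not part of the thread and not Alertmanager's own code: the Go standard-library certificate check that a client makes with a root pool (the role of `ca_file`) and an expected name (the role of `server_name`), run against a constructed throwaway CA and a wildcard leaf for the placeholder domain `slack.example`. The helper names `issue` and `verify` are hypothetical; the three calls in `main` show a passing check, a CA missing from the pool, and a name outside the SAN list.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for the constructed test PKI (self-signed CA when parent is nil).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey, sans ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: sans,
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verify chains the leaf to the given roots and matches serverName against its SAN list.
func verify(leaf *x509.Certificate, roots *x509.CertPool, serverName string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	ca, caKey := issue("Constructed Test CA", nil, nil)
	leaf, _ := issue("slack.example", ca, caKey, "slack.example", "*.slack.example")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("CA trusted, name matches wildcard:", verify(leaf, roots, "hooks.slack.example"))
	fmt.Println("CA missing from pool:", verify(leaf, x509.NewCertPool(), "hooks.slack.example"))
	fmt.Println("name outside the SAN list:", verify(leaf, roots, "hooks.other.example"))
}
```

The second case produces the "certificate signed by unknown authority" class of error, which is what a container without a usable CA bundle would report.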