From the error message, it would appear that you are communicating via the IP and not the DNS name. You should communicate using the DNS name. If you really want to communicate by IP (why? if DNS stability is a concern, use /etc/hosts or similar), then you would need to have an IP type of entry in the name (probably in addition to the DNS name).

Having IPs in the certificate is not recommended (even deprecated, I think) in CA certificates, and I wouldn't trust browsers to honour them. Cf: https://www.geocerts.com/support/ip-address-in-ssl-certificate, which discusses some of the pitfalls, although you may well decide that is not valid for your deployment.

This is like creating a self-signed certificate with a Subject Alternate Name (aka, a SAN cert). This will allow you to put other names / aliases into the certificate.

However, the best thing would be to communicate using the hostname; or turn off validation if you are comfortable with that, and can be bothered supporting that (in case other things want to communicate with Prometheus, such as Grafana or any ad-hoc reporting).

When creating a self-signed certificate, you can include a Subject-Alternate-Name (SAN). It appears to be more of a requirement these days according to the CA Browser forum, or so I'm led to believe by the people who provide us with certificates.

Here are some bash commands you can use (from my own notes).

Tested for RHEL5, RHEL6, and RHEL7 (creating a self-signed certificate with a SAN)

First copy and edit the BASE, CN and SANs, and paste those into a terminal, then paste the command.

BASE=test
CN="/CN=test.example.com"
SANs="DNS:test.example.com,IP:192.168.12.23"

# Append a [SAN] section to the system openssl.cnf and use it as the extension section
openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 \
    -keyout /etc/pki/tls/private/$BASE-selfsigned.key \
    -out /etc/pki/tls/certs/$BASE-selfsigned.cert \
    -reqexts SAN -extensions SAN \
    -subj "$CN" \
    -config <(
        cat /etc/pki/tls/openssl.cnf
        printf "[SAN]\nsubjectAltName=$SANs"
    )

I hope you find that useful.

Cheers,
Cameron

On Thursday, 19 March 2020 03:45:41 UTC+13, Jakub Jakubik wrote:
>
> Do you have the target configured with the IP address or the domain? Is
> the domain in the cert? With curl, do you use the IP or hostname?
>
> On Wed, Mar 18, 2020 at 12:35 PM Jack Chew <[email protected]> wrote:
>
>> Hi team,
>>
>> I configured the TLS path in the Prometheus config file, and this error arises: Get
>> https://ip:9100/metrics: x509: cannot validate certificate for ip
>> because it doesn't contain any IP SANs. But when I try curl, it works.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Prometheus Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/prometheus-users/577749e3-a177-46d2-b05f-a2c8b3697dbc%40googlegroups.com.
>
> --
> Kuba Jakubik
>
> SRE Tech Lead
>
> Netguru - Building software for world changers
> [email protected]
> netguru.com

