Thanks Cameron Kerr, I followed https://groups.google.com/d/msg/prometheus-users/7SzbGIWpiD4/kwVEG8blBAAJ and have solved the issue.

On Wednesday, 25 March 2020 at 9:42:06 AM UTC+8, Cameron Kerr wrote:
>
> From the error message, it would appear that you are communicating via the
> IP and not the DNS name. You should communicate using the DNS name. If you
> really want to communicate by IP (why? if DNS stability is a concern, use
> /etc/hosts or similar), then you would need to have an IP type of entry in
> the name (probably in addition to the DNS name).
>
> Having IPs in the certificate is not recommended (even deprecated, I
> think) in CA certificates, and I wouldn't trust browsers to honour them.
> Cf: https://www.geocerts.com/support/ip-address-in-ssl-certificate, which
> discusses some of the pitfalls, although you may well decide that is not
> valid for your deployment.
>
> This is like creating a self-signed certificate with a Subject Alternate
> Name (aka, a SAN cert). This will allow you to put other names / aliases
> into the certificate.
>
> However, the best thing would be to communicate using the hostname; or
> turn off validation if you are comfortable with that, and can be bothered
> supporting that (in case other things want to communicate with Prometheus,
> such as Grafana or any ad-hoc reporting)
>
> When creating a self-signed certificate, you can include a
> Subject-Alternate-Name (SAN). It appears to be more of a requirement these
> days according to the CA Browser forum, or so I'm led to believe by the
> people who provide us with certificates.
>
> Here's some bash commands you can use (from my own notes)
>
> Tested for RHEL5, RHEL6, and RHEL7 (creating a self-signed certificate
> with a SAN)
>
> First copy and edit the BASE, CN and SANs, and paste those into a
> terminal, then paste the command.
>
> BASE=test
> CN="/CN=test.example.com"
> SANs="DNS:test.example.com,IP:192.168.12.23"
>
> openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 \
>   -keyout /etc/pki/tls/private/$BASE-selfsigned.key \
>   -out /etc/pki/tls/certs/$BASE-selfsigned.cert \
>   -reqexts SAN -extensions SAN \
>   -subj "$CN" \
>   -config <(
>     cat /etc/pki/tls/openssl.cnf
>     printf "[SAN]\nsubjectAltName=$SANs"
>   )
>
> I hope you find that useful.
>
> Cheers,
> Cameron
>
> On Thursday, 19 March 2020 03:45:41 UTC+13, Jakub Jakubik wrote:
>>
>> do you have the target configured with the ip address or the domain? is
>> the domain in the cert? with curl do you use the ip or hostname?
>>
>> On Wed, Mar 18, 2020 at 12:35 PM Jack Chew <[email protected]> wrote:
>>
>>> Hi team,
>>>
>>> I configured the TLS path in the Prometheus config file and it raises: Get
>>> https://ip:9100/metrics: x509: cannot validate certificate for ip
>>> because it doesn't contain any IP SANs. But when I try curl, it works.
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Prometheus Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/prometheus-users/577749e3-a177-46d2-b05f-a2c8b3697dbc%40googlegroups.com
>>>
>>
>> --
>> Kuba Jakubik
>>
>> SRE Tech Lead
>>
>> Netguru - Building software for world changers
>> [email protected]
>> netguru.com
>>
>

--
You received this message because you are subscribed to the Google Groups "Prometheus Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/prometheus-users/d667df07-f3b4-45fd-b7ea-a48a45b9f696%40googlegroups.com.

