Nginx Plugin Doesn't Accept Self-Signed Certs #2053

Closed
njwhite opened this issue Nov 17, 2016 · 3 comments
@njwhite
Contributor

njwhite commented Nov 17, 2016

Bug report

The nginx plugin doesn't allow you to specify a CA cert file to use.

Relevant telegraf.conf:

[[inputs.nginx]]
  ## An array of Nginx stub_status URI to gather stats.
  urls = ["https://myhost:3031/nginx_status"]

System info:

telegraf version: Telegraf v1.1.1 (git: release-1.1.0 94de9dca1fc6efb3a4bf3ec6869c356278c6755a)

uname -a: myhost 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Steps to reproduce:

  1. Start an nginx server that uses a self-signed cert for SSL connections
  2. Use the nginx plugin to gather metrics from it

Expected behavior:

The plugin gathers metrics from Nginx

Actual behavior:

2016/11/17 09:31:30 E! ERROR in input [inputs.nginx]: Errors encountered: [error making HTTP request to https://myhost:3031/nginx_status: Get https://myhost:3031/nginx_status: x509: certificate signed by unknown authority]
@sparrc sparrc added the feat Improvement on an existing feature such as adding a new setting/mode to an existing plugin label Nov 17, 2016
@sparrc sparrc added this to the Future Milestone milestone Nov 17, 2016
@phemmer
Contributor

phemmer commented Jan 28, 2017

Note you can put the cert in the system certs path: /etc/ssl/certs on unix (https://golang.org/src/crypto/x509/root_unix.go#L16)

Not saying the plugin shouldn't be able to load non-system CA certs, just providing it as a possible solution.

@njwhite
Contributor Author

njwhite commented Jan 30, 2017

@phemmer thanks - however I don't have root access on the machines I'm running telegraf on, so can't update the system certs. Separately, I don't think skipping SSL validation (#2142) should be encouraged by adding mainline support for it!

@danielnelson danielnelson modified the milestones: 1.3.0, Future Milestone Mar 15, 2017
@danielnelson danielnelson modified the milestones: 1.3.0, 1.4.0 Apr 20, 2017
@bobmshannon
Contributor

@njwhite This should be fixed via #2883 which was recently merged, and included in the 1.4.0 release
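
The approach the thread asks for, trusting a specific CA file without root access and without disabling verification, as an added Go example (not Telegraf's code and not code posted by anyone in this thread). `clientWithCA` and `probe` are hypothetical names, and the self-signed server is a local `httptest` instance constructed for the demonstration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// clientWithCA trusts only the certificates in caPEM; nil means system roots.
func clientWithCA(caPEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no usable certificate in CA PEM data")
		}
		cfg.RootCAs = pool // verification stays on; only the trust anchor changes
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}, nil
}

// probe fetches a local self-signed test server (constructed stand-in for the
// nginx status endpoint) first with system roots, then with its cert as sole CA.
func probe() (systemErr, customErr error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // only the handshake matters
	defer srv.Close()
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	get := func(ca []byte) error {
		c, err := clientWithCA(ca)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err == nil {
			err = resp.Body.Close()
		}
		return err
	}
	return get(nil), get(caPEM)
}

func main() {
	sys, custom := probe()
	fmt.Printf("system roots: %v\ncustom CA:    %v\n", sys, custom)
}
```

Hostname and chain checks still run against the supplied pool, so a certificate from any other issuer is rejected, unlike with `InsecureSkipVerify`.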
