Thanks, Cameron Kerr,

I followed 
https://groups.google.com/d/msg/prometheus-users/7SzbGIWpiD4/kwVEG8blBAAJ 
and have solved the issue.

On Wednesday, March 25, 2020 at 9:42:06 AM UTC+8, Cameron Kerr wrote:
>
> From the error message, it would appear that you are communicating via the 
> IP and not the DNS name. You should communicate using the DNS name. If you 
> really want to communicate by IP (why? if DNS stability is a concern, use 
> /etc/hosts or similar), then you would need to have an IP type of entry in 
> the name (probably in addition to the DNS name).
>
> Having IPs in the certificate is not recommended (even deprecated, I 
> think) in CA certificates, and I wouldn't trust browsers to honour them. 
> Cf: https://www.geocerts.com/support/ip-address-in-ssl-certificate, which 
> discusses some of the pitfalls, although you may well decide that is not 
> valid for your deployment.
>
> This is like creating a self-signed certificate with a Subject Alternate 
> Name (aka, a SAN cert). This will allow you to put other names / aliases 
> into the certificate.
>
> However, the best thing would be to communicate using the hostname; or 
> turn off validation if you are comfortable with that, and can be bothered 
> supporting that (in case other things want to communicate with Prometheus, 
> such as Grafana or any ad-hoc reporting).
>
> When creating a self-signed certificate, you can include a 
> Subject-Alternate-Name (SAN). It appears to be more of a requirement these 
> days according to the CA Browser forum, or so I'm led to believe by the 
> people who provide us with certificates.
>
> Here are some bash commands you can use (from my own notes).
>
> Tested for RHEL5, RHEL6, and RHEL7 (creating a self-signed certificate 
> with a SAN)
>
> First copy and edit the BASE, CN and SANs, and paste those into a 
> terminal, then paste the command.
>
> BASE=test
> CN="/CN=test.example.com"
> SANs="DNS:test.example.com,IP:192.168.12.23"
>
> openssl req -x509 -nodes -newkey rsa:2048 -days 3650 -sha256 \
>   -keyout /etc/pki/tls/private/$BASE-selfsigned.key \
>   -out    /etc/pki/tls/certs/$BASE-selfsigned.cert \
>   -reqexts SAN -extensions SAN \
>   -subj "$CN" \
>   -config <(
>     cat /etc/pki/tls/openssl.cnf
>     printf "[SAN]\nsubjectAltName=$SANs"
>   )
>
> I hope you find that useful.
>
> Cheers,
> Cameron
>
> On Thursday, 19 March 2020 03:45:41 UTC+13, Jakub Jakubik wrote:
>>
>> do you have the target configured with the ip address or the domain? is 
>> the domain in the cert? with curl do you use the ip or hostname?
>>
>> On Wed, Mar 18, 2020 at 12:35 PM Jack Chew <jack...@gmail.com> wrote:
>>
>>> Hi team,
>>>
>>>
>>> When I configure the TLS path in the Prometheus configuration file, I get: Get 
>>> https://ip:9100/metrics: x509: cannot validate certificate for ip 
>>> because it doesn't contain any IP SANs. But when I try with curl, it works. 
>>>
>>> -- 
>>> You received this message because you are subscribed to the Google 
>>> Groups "Prometheus Users" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to promethe...@googlegroups.com.
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/prometheus-users/577749e3-a177-46d2-b05f-a2c8b3697dbc%40googlegroups.com
>>>
>>
>>
>> -- 
>> Kuba Jakubik
>>
>> SRE Tech Lead
>>
>> Netguru - Building software for world changers
>> jakub....@netguru.com
>> netguru.com
>>
>
