postgres_exporter

exporter not working with ssl certificates

Open cah-jyoti-prakash opened this issue 5 years ago • 7 comments

I am not able to connect. FYI - I need to use ssl "sslmode=verify-ca sslrootcert=server-ca.pem sslcert=client-cert.pem sslkey=client-key.pem"

I can log in to my postgres using my credentials and the above-mentioned certificate through the pgAdmin client but not through the exporter. Also, the exporter does not throw any error, just an info message.

Command I run is:

docker run -v C:\mycert:/etc/ssl/certs --net=host -e DATA_SOURCE_NAME="postgresql://postgres:[email protected]:5432/postgres?sslmode=require" wrouesnel/postgres_exporter

time="2021-02-17T06:01:03Z" level=info msg="Starting Server: :9187" source="postgres_exporter.go:1825"

cah-jyoti-prakash, Feb 17 '21 06:02

I am trying this on GCP cloud SQL postgres

cah-jyoti-prakash, Feb 17 '21 17:02

Tried this but it did not work :-(

docker run -v C:\mycert:/etc/ssl/certs --net=host -eDATA_SOURCE_NAME="postgresql://postgres:[email protected]:5432/postgres?sslmode=verify-ca&sslrootcert=/etc/ssl/certs/server-ca.pem&sslcert=/etc/ssl/certs/client-cert.pem&sslkey=/etc/ssl/certs/client-key.pem" wrouesnel/postgres_exporter

cah-jyoti-prakash, Feb 17 '21 20:02

I'm having an issue that may be the same. I am trying to authenticate using certificates with the following DATA_SOURCE_NAME:

postgresql://<USER>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem

However, it seems that the exporter is still attempting to authenticate using a password rather than with certificates:

INFO[9366] Error opening connection to database (postgresql://<USER>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem): pq: password authentication failed for user "<USER>" source="postgres_exporter.go:1070"

I also see the same behaviour with sslmode=require and sslmode=verify-ca.

Additionally, I am able to connect if I provide a valid password in the string with:

postgresql://<USER>:<PASSWORD>@<HOST>:5432/<DB_NAME>?ssl=true&sslmode=verify-full&sslrootcert=cachain.pem&sslcert=client_chain.pem&sslkey=client_key.pem

I have confirmed that the client is validating the DB certificates successfully.

LukeStanislawski, Aug 05 '21 12:08

I am also facing authentication issues.

I want to configure SSL and authentication between the PostgreSQL exporter and Prometheus. Can anyone help with this?

amleshk66, Jun 06 '22 07:06

Has anyone been able to get this to work with TLS and sslmode=verify-ca?

bitstreambiker, Jan 18 '23 14:01

Looking at the code, it looks like the exporter is built with the idea to support multiple auth modules but only userpass is supported today, as far as I can tell.

https://github.dev/prometheus-community/postgres_exporter/blob/44aab362f065cd537b21cd01dc779ef0cb04d14c/config/config.go#L45-L50

https://github.dev/prometheus-community/postgres_exporter/blob/44aab362f065cd537b21cd01dc779ef0cb04d14c/cmd/postgres_exporter/probe.go#L39-L61

stewartshea, Feb 17 '23 14:02

Guys, I am able to connect the exporter to PG via tls, but I am using Grafana-agent instead of native PG exporter, here is my way:

data_source_names:
  - "postgresql://<pg hostname>:<port>/<dbname>?sslmode=require&sslrootcert=<path to ca>&sslcert=<path to user-to-connect-pg cert>&sslkey=<path to user-to-connect-pg key>"

duj4, May 25 '23 07:05
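
A preflight check for the TLS parameters of a DATA_SOURCE_NAME like the ones posted in this thread, as an added example (not code from the exporter or from any commenter). It assumes it runs where the exporter would (same container, same working directory); `CheckDSN` is a hypothetical helper name, and the key-permission check assumes a libpq-style driver that refuses private keys that are group- or world-accessible.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"path/filepath"
)

// CheckDSN lists problems with the TLS parameters of a PostgreSQL URL DSN.
// Findings never include the userinfo part, so a password is not echoed.
func CheckDSN(dsn string) ([]string, error) {
	u, err := url.Parse(dsn)
	if err != nil {
		// url.Parse errors quote the input, so return a generic message instead.
		return nil, fmt.Errorf("DSN is not a valid URL")
	}
	q, out := u.Query(), []string{}
	if m := q.Get("sslmode"); m != "verify-ca" && m != "verify-full" {
		out = append(out, fmt.Sprintf("sslmode=%q is not verify-ca or verify-full", m))
	}
	for _, k := range []string{"sslrootcert", "sslcert", "sslkey"} {
		p := q.Get(k)
		if p == "" {
			continue
		}
		if !filepath.IsAbs(p) {
			out = append(out, k+": relative path, resolved against the process working directory")
		}
		fi, err := os.Stat(p)
		if err != nil {
			out = append(out, k+": file not visible to this process")
		} else if k == "sslkey" && fi.Mode().Perm()&0o077 != 0 {
			out = append(out, fmt.Sprintf("sslkey: mode %04o is group/world accessible", uint32(fi.Mode().Perm())))
		}
	}
	return out, nil
}

func main() {
	// Reads the same environment variable the exporter is started with.
	findings, err := CheckDSN(os.Getenv("DATA_SOURCE_NAME"))
	if err != nil {
		fmt.Println(err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
}
```

An empty result means only that the files are present and the parameters are well-formed; whether the server accepts certificate authentication for the user is decided by the server's own configuration.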