Not the answer you need?
Register and ask your own question!

TLS handshake error

scar2yjsscar2yjs ContributorCurrent User Role Beginner
i have been update 1.07 v pmm server and client. i found out a TLS errors from pmm logs
how can i fix this ? im connecting to AWS RDS mysql servers.

==> pmm-mysql-metrics-42002.log <==
2016/12/13 21:07:59 http: TLS handshake error from 172.17.0.2:41436: tls: first record does not look like a TLS handshake
2016/12/13 21:08:00 http: TLS handshake error from 172.17.0.2:41528: tls: first record does not look like a TLS handshake
2016/12/13 21:08:00 http: TLS handshake error from 172.17.0.2:41550: tls: first record does not look like a TLS handshake
2016/12/13 21:08:01 http: TLS handshake error from 172.17.0.2:41616: tls: first record does not look like a TLS handshake


thanks .!

Comments

  • weberweber Advisor Inactive User Role Beginner
    This is normal and can be ignored.

    Those errors are triggered when you run `pmm-admin check-network` to check whether Prometheus endpoints are running HTTPS/TLS (the appropriate column).
  • johnpittonjohnpitton Entrant Current User Role Supporter
    Weber, that seems odd since most of my PMM clients do NOT have even one of these errors listed in any of their PMMM log files. I do see on new clients though with this TLS handshake error repeat in all logs every second, and this happens immediately and without running 'check-network'.

    The common items I see are:
    1) That the clients that don't have these entries are on Ubuntu 16.04 using systemd, and the ones that have these entries are on Ubuntu 14.04 using Upstart.
    2) Clients logging the errors are new PMM clients within the last couple weeks.

    So I think there's more to these errors and they probably shouldn't be ignored.
  • weberweber Advisor Inactive User Role Beginner
    * Automatically generate self-signed SSL certificate to protect metric services with HTTPS/TLS by default (requires re-adding services, see "check-network" output).

    This means that newerly created services (using pmm-admin v1.0.7) are enabled for TLS by default.
    Existing, previously added services are left on http, thus no TLS attempt check when running `pmm-admin check-network`.

    When service is enabled for TLS, we trigger a check like https://1.2.3.4:123 and do not establish a real connection, thus it results in the error which do not affect anything.
  • johnpittonjohnpitton Entrant Current User Role Supporter
    Hmm, yes I see the new clients(1.0.7) use TLS, but the PMM server doesn't seem to leverage this, and instead tries with no encryption. So all new clients I add, the PMM server is unable to query since the client is ONLY listening by "default" over TLS. Is there a way to change the Prometheus Targets from using http to https?
  • rjenningsrjennings Contributor Inactive User Role Beginner
    I had a similar question. I am using 1.0.7 for both server and client and the check-network options lists the two metric as running with TLS - even though I never specified that option - so I'm not sure if it is or not using tls.
  • weberweber Advisor Inactive User Role Beginner
    johnpitton, please upgrade pmm-server to 1.0.7. Looks like you are using 1.0.6 or older with 1.0.7 client.

    1.0.7 client creates TLS enabled services by default.
    1.0.7 server supports both TLS enabled and previously added http services. 1.0.6 or older server does not support TLS enabled services.
This discussion has been closed.

MySQL, InnoDB, MariaDB and MongoDB are trademarks of their respective owners.
Copyright ©2005 - 2020 Percona LLC. All rights reserved.