
pmm doesn't trust my Thawte certificate

krissfr Contributor Current User Role Beginner
Hello,

I have set up a pmm-server (with the 1.1.1 docker image) with my wildcard SSL certificate bought from Thawte and the user/password protection.
Access to the pmm-server web pages is OK and the web browser trusts the Thawte certificate, but when I try to connect a pmm-client to the pmm-server, I always get the following message:
Looks like PMM server running with self-signed SSL certificate.
Use 'pmm-admin config' with --server-insecure-ssl flag.

Why doesn't PMM trust my Thawte certificate?

PS: my pmm-client is 1.0.5, does it matter?

Regards,

Krissfr

Comments

  • Mykola Percona Staff Role
    Hi Krissfr,


    1. Do you use a domain name or an IP address in the command?

    2. Can you run the following command on the pmm-client side?
    curl https://username:password@example.com/

    What output do you see?
    Expected result: no certificate errors, just HTML code (landing page).
  • krissfr Contributor Current User Role Beginner
    Hi Mykola,

    I have tried with the IP address and the domain name but I get the same result. I also tried with the latest pmm-client package, 1.1.1.

    This is the curl result:

    curl https://myuser:[email protected]:443/
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.

    As suggested I have read the http://curl.haxx.se/docs/sslcerts.html web page and understand curl doesn't have all CAs in its CA bundle (but a new web browser has them).

    Maybe you could extract a CA bundle from a new web browser and put it in the next pmm-client package (as explained in the last point of the web page)?

    Regards,

    Krissfr
  • Mykola Percona Staff Role
    Please use only the domain name; I think the IP address is not added to the certificate as an alias.

    Regular browsers can fetch the certificate chain from the certificate issuer, but Linux tools don't.
    It is not a PMM issue, it is general Linux behaviour.

    It is possible to place the full certificate chain into the file.
    Can you add the certificates from the following page after your certificate, restart the container and run again?
    https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=INFO1374&actp=RSS&viewlocale=en_US
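The behaviour Mykola describes can be reproduced offline. The script below is an added example, not code from the thread or from Percona: it builds a throwaway root CA, an intermediate CA and a server certificate with openssl, then shows that a client which trusts only the root cannot verify the leaf on its own (the curl error 60 from this thread), and that verification succeeds once the intermediate is presented together with the leaf, which is exactly what appending the chain to server.crt does. The names Example Root CA, Example Intermediate CA and pmm.example.test are constructed for the demo.

```shell
#!/bin/sh
# Added example: reproduce the "issuer is not recognized" failure with a local
# three-level chain and show the fix (serve leaf + intermediate together).
# Assumes only that the openssl CLI is installed; all names are constructed.

chain_demo() (
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; exit 1; }
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1

    # Extension files: both CAs are marked CA:TRUE, the server cert CA:FALSE.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:pmm.example.test\n' > leaf.ext

    # Root CA (self-signed). This is the only thing the client will trust.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Example Root CA" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext \
        -out root.pem >/dev/null 2>&1 || exit 1

    # Intermediate CA, signed by the root (the Thawte intermediate in the thread).
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
        -subj "/CN=Example Intermediate CA" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out int.pem >/dev/null 2>&1 || exit 1

    # Server (leaf) certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=pmm.example.test" >/dev/null 2>&1 || exit 1
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1 || exit 1

    # 1) Client trusts the root, server presents only the leaf: the verifier
    #    cannot find the leaf's issuer, so verification fails (expected).
    if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; then
        echo "without intermediate: OK (unexpected)"; exit 1
    fi
    echo "without intermediate: FAIL (unable to get local issuer certificate)"

    # 2) Same trust store, but the server file now carries leaf + intermediate.
    #    -untrusted is how openssl consumes the extra certificates a server
    #    sends; the client still trusts nothing but root.pem.
    cat leaf.pem int.pem > fullchain.pem
    if ! openssl verify -CAfile root.pem -untrusted fullchain.pem leaf.pem >/dev/null 2>&1; then
        echo "with intermediate: FAIL (unexpected)"; exit 1
    fi
    echo "with intermediate: OK"

    cd / && rm -rf "$work"
    exit 0
)

chain_demo
```

On a real server the same question (does the server send its intermediate, or only the leaf?) can be answered with `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server presents; a single certificate in that output is the situation from this thread.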
  • krissfr Contributor Current User Role Beginner
    I did all the steps and now I have a different message:

    pmm-admin config --server pmm-server.my.super.domain.net:443 --server-user myuser --server-password mypassword --server-ssl
    Unable to connect to PMM server by address: pmm-server.my.super.domain.net:443
    Get https://myuser:[email protected]:443: x509: certificate signed by unknown authority

    * Check if the configured address is correct.
    * If server is running on non-default port, ensure it was specified along with the address.
    * If server is enabled for SSL or self-signed SSL, enable the corresponding option.
    * You may also check the firewall settings.

    The curl test:
    curl https://myuser:[email protected]
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
    Regards,

    Krissfr
  • krissfr Contributor Current User Role Beginner
    I finally added this one https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=INFO2049 to the server.crt and all works fine now! :)

    Thank you for your help, Mykola!

    Regards,

    Krissfr