Let's Encrypt Certificates - Unknown Authority?

I’m trying to set up pmm-client to talk to a pmm server that uses a freshly minted cert from letsencrypt, and I am getting this:

Unable to connect to PMM server by address: pmm.shatteredsilicon.net:443
Get https://pmm.shatteredsilicon.net:443/qan-api/ping: x509: certificate signed by unknown authority

Browsers have no problem connecting. Not sure of it matters, but the way I have it set up is apache on the docker host is responding on port 443, terminating ssl, and then proxying the request to the pmm docker container.

Is this a known issue? Is there a quick and easy workaround, e.g. passing an extra CA certificate via docker -v to the container?

Hi gordan

Sorry this post didn’t get any attention - I’ve escalated it internally, and you should get some Engineering eyes on it shortly! Thanks,

Hi gordan

While we haven’t implemented this feature nor is it supported, you might find the following JIRA feature request helpful - let us know your outcome!

Hi Gordan,

One thing to check, make sure your Let’s Encrypt Intermediate CA Certificate is included in your trusted CA certificates in [B]


I am not actually using nginx for handling SSL. I am using Apache on the host to terminate SSL and proxy the connection to the docker container. Everything else works just fine with the https endpoint this way, but pmm-admin emits the error saying that it doesn’t recognise the signing authority. It is only pmm-admin that seems to have this problem.

Hi gordan
If you have the opportunity we’d value you submitting a feature request in order to address this concern with pmm-admin. Thank you!