Need help setting up SSL

I’ve been asked to set up ssl on a percona instance in AWS. I am not a percona user so I am not very familiar with the functionality and terms used. This should be a very easy answer for someone who understands what percona is trying to do.

I followed the instructions here: Secure - Percona Monitoring and Management

and copied my valid cert into /srv/nginx/certicate.crt and key into /srv/nginx/certificate.key - then I restarted.

And here’s where my ignorance really shows - the next step is to register clients. I am to run pmm-admin config --server-url=https://:@ when I attempted to put in the admin user and the IP of the local server I got: Failed to register pmm-agent on PMM Server: Unauthorized
Please check username and password.

I am logged in as root.

I am registering clients - so perhaps I need to use the IP of the DBA who is using percona? Or was I correct to use the IP of the server hosting percona. Any help is appreciated here. Thanks

Hi, it is not clear to me if you are trying to set up SSL for Percona Monitoring & Management (PMM) or for Percona Server for MySQL? can you clarify exactly what you are trying to accomplish?

Hey @bruceclegg,

pmm-admin config --server-url=https://:@

I sure hope that when you ran this, you put the actual parameters in that URL. For the record, this is the format:

pmm-admin config --server-url=https://USERNAME:PASSWORD@IP_ADDR_OF_PMM

Substitute the proper values. You need the username and password of PMM. Who set up your PMM server? It’s possible the admin account has not been activated and you need to visit https://IP_ADDR_OF_PMM first and activate the admin account.

Thank you for your quick reply.

I did use real values - pmm-admin config --server-url=https://admin:<adminpassword>@10.X.X.X

where 10.X.X.X is the private address of the percona server. (I also tried the public IP – same results)

I believe the admin account has been set up - I can use it to access the https:///graph/login - and I am sure I used the correct password.

It might help me if I understood the purpose of registering the clients. I can get to the application using https - what does registering the clients do for me?

The DBA’s access http:///graph/login – to be honest I’m not sure what they do here. They are in a different time zone so I haven’t been able to ask them yet. We want to be able to allow them ssl traffic so they can reach the site without being on the vpn.

That is the frontend web UI for Percona Monitoring and Management. The DBAs will use this to monitor the MySQL/PostgreSQL/Mongo databases (whichever ones you have).

Can you verify that you installed PMM client v2? Also verify the version in the web UI. Both should be v2. If you installed the v1 client, that’s the issue. Uninstall it and install pmm-client2

You first register each server/node/host with PMM. This allows PMM to start monitoring CPU/disk/network/memory for that server. Then, you will add mysql (or whichever database) monitoring like this:

pmm-client add mysql --username XX --password XX 

That will then start MySQL monitoring.

Thank you for your answers - they helped a great deal. DBA’s are happy with their encrypted access.