pmm doesn't trust my Thawte certificate

Percona Monitoring and Management (PMM) PMM 1.x
1

Hello,

i have setup a pmm-server ( with the 1.1.1 docker image) with my wildcard SSL certificate buy whith Thawte and the user/password protection.
Access to the Pmm-server web pages is OK and the web browser trust the Thawte certificate, but when i try to connect a pmm-client to the pmm-server, i always have the following message :
Looks like PMM server running with self-signed SSL certificate.
Use ‘pmm-admin config’ with --server-insecure-ssl flag.

Why Pmm doesn’t trust my Thawte certificate ?

ps: my pmm-client is 1.0.5, does it matter ?

Regards,

Krissfr

2

Hi Krissfr,

  1. do you use domain name or IP address in command?

  2. can you run the following command on pmm client side?

curl https://username:password@example.com/

What output do you see?
expected result: no certificate errors, just html code (landing page)

3

Hi Mykola,

I have tried with IP address and domaine name but have the same result. I also tried with the last pmm-client package 1.1.1.

This is the curl result :

curl https://myuser:mypass@pmm-server.my.super.domain.net:443/
curl: (60) Peer’s Certificate issuer is not recognized.
More details here: [url]http://curl.haxx.se/docs/sslcerts.html[/url]

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

As suggested i have read the [url]http://curl.haxx.se/docs/sslcerts.html[/url] web page and understand curl desn’t have all CA in his CA bundle (but a new web browser have them).

Maybe you could extract a CA bundle from a new web broswer and put it in the next pmm-client package (as explain in the last point of the web page) ?

Regards,

Krissfr

4

please use only domain name, I think IP address is not added to certificate as alias.

regular browsers can fetch certificate chain from certificate issuer, but linux tools don’t.
It is not PMM issue, it is general linux behaviour.

It is possible to place full certificate chain into file.
can you add certificates from the following page after you certificate, restart container and run again?
[url]https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=INFO1374&actp=RSS&viewlocale=en_US[/url]

5

I did all steps and now i have a different message :

pmm-admin config --server pmm-server.my.super.domain.net:443 --server-user myuser --server-password mypassword --server-ssl
Unable to connect to PMM server by address: pmm-server.my.super.domain.net:443
Get https://myuser:mypassword@pmm-server.my.super.domain.net:443: x509: certificate signed by unknown authority

  • Check if the configured address is correct.
  • If server is running on non-default port, ensure it was specified along with the address.
  • If server is enabled for SSL or self-signed SSL, enable the corresponding option.
  • You may also check the firewall settings.

the curl test :
curl https://myuser:mypassword@pmm-server.my.super.domain.net
curl: (60) Peer’s Certificate issuer is not recognized.
More details here: [url]http://curl.haxx.se/docs/sslcerts.html[/url]

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

Regards,

Krissfr

6

I finally add this one [url]https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=INFO2049[/url] in the server.crt and all work fine now ! :slight_smile:

Thank you for your help Mykola !

Regards,

Krissfr