TLS handshake error

Percona Monitoring and Management (PMM) PMM 1.x
1

i have been update 1.07 v pmm server and client. i found out a TLS errors from pmm logs
how can i fix this ? im connecting to AWS RDS mysql servers.

==> pmm-mysql-metrics-42002.log <==
2016/12/13 21:07:59 http: TLS handshake error from 172.17.0.2:41436: tls: first record does not look like a TLS handshake
2016/12/13 21:08:00 http: TLS handshake error from 172.17.0.2:41528: tls: first record does not look like a TLS handshake
2016/12/13 21:08:00 http: TLS handshake error from 172.17.0.2:41550: tls: first record does not look like a TLS handshake
2016/12/13 21:08:01 http: TLS handshake error from 172.17.0.2:41616: tls: first record does not look like a TLS handshake

thanks .!

2

This is normal and can be ignored.

Those errors are triggered when you run pmm-admin check-network to check whether Prometheus endpoints are running HTTPS/TLS (the appropriate column).

3

Weber, that seems odd since most of my PMM clients do NOT have even one of these errors listed in any of their PMMM log files. I do see on new clients though with this TLS handshake error repeat in all logs every second, and this happens immediately and without running ‘check-network’.

The common items I see are:

  1. That the clients that don’t have these entries are on Ubuntu 16.04 using systemd, and the ones that have these entries are on Ubuntu 14.04 using Upstart.
  2. Clients logging the errors are new PMM clients within the last couple weeks.

So I think there’s more to these errors and they probably shouldn’t be ignored.

4
  • Automatically generate self-signed SSL certificate to protect metric services with HTTPS/TLS by default (requires re-adding services, see “check-network” output).

This means that newerly created services (using pmm-admin v1.0.7) are enabled for TLS by default.
Existing, previously added services are left on http, thus no TLS attempt check when running pmm-admin check-network.

When service is enabled for TLS, we trigger a check like https://1.2.3.4:123 and do not establish a real connection, thus it results in the error which do not affect anything.

5

Hmm, yes I see the new clients(1.0.7) use TLS, but the PMM server doesn’t seem to leverage this, and instead tries with no encryption. So all new clients I add, the PMM server is unable to query since the client is ONLY listening by “default” over TLS. Is there a way to change the Prometheus Targets from using http to https?

6

I had a similar question. I am using 1.0.7 for both server and client and the check-network options lists the two metric as running with TLS - even though I never specified that option - so I’m not sure if it is or not using tls.

7

johnpitton, please upgrade pmm-server to 1.0.7. Looks like you are using 1.0.6 or older with 1.0.7 client.

1.0.7 client creates TLS enabled services by default.
1.0.7 server supports both TLS enabled and previously added http services. 1.0.6 or older server does not support TLS enabled services.