
x509_cert plugin - Support PostgreSQL Certificate Check

Open sil-zh opened this issue 9 months ago • 1 comments

Use Case

Our company does SSL certificate monitoring from a central telegraf instance. Our plan is to monitor all certificates from there. At the moment, it is not possible to check postgres or pgpool instances with SSL certs.

The idea of this feature request is to monitor SSL certificates from Postgres via URL instead of file.

Expected behavior

The idea would be to have the chance to check for PostgreSQL certificates.

[[inputs.x509_cert]]
  ## List certificate sources, support wildcard expands for files
  ## Prefix your entry with 'file://' if you intend to use relative paths
  sources = [ "postgresql://postgresdb.mydomain.com:5432"]

This should result in:

x509_cert,common_name=postgresdb.mydomain.com,country=US,locality=Los\ Angeles,organization=Internet\ Corporation\ for\ Assigned\ Names\ and\ Numbers,organizational_unit=Technology,province=California,ocsp_stapled=no,source=https://example.org:443,verification=invalid age=20219055i,enddate=1606910400i,expiry=43328144i,startdate=1543363200i,verification_code=1i,verification_error="x509: certificate signed by unknown authority" 1563582256000000000

Actual behavior

If we add Postgres, it does not work on any schema.

Here are some examples:

[inputs.x509_cert] Error in plugin: cannot get SSL cert "postgresql://postgresdb.mydomain.com:5432": unsupported scheme "postgresql" in location postgresql://postgresdb.mydomain.com:5432
[inputs.x509_cert] Error in plugin: cannot get SSL cert "tcp://postgresdb.mydomain.com:5432": EOF
[inputs.x509_cert] Error in plugin: cannot get SSL cert "udp://postgresdb.mydomain.com:5432": handshake error: read udp x.x.x.x:38276->x.x.x.x:5432: read: no route to host

Additional info

No response

sil-zh, Mar 10 '25 12:03

I tested and I was able to monitor my PostgreSQL server certificate using the tcp scheme. I'm using telegraf version 1.34.3 and PostgreSQL 17. Here is my configuration.

[[inputs.x509_cert]]
  sources = [ "tcp://postgresdb.mydomain.com:5432"]

Make sure your telegraf instance is able to access the PostgreSQL machine port 5432 and that you have ssl = on in your postgresql.conf. I got that EOF error before I enabled the SSL.

saurla, May 22 '25 09:05
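
Added example, not part of the issue thread and not Telegraf's code: PostgreSQL's standard TLS negotiation starts in-protocol, with the client sending an 8-byte SSLRequest and the server answering `S` or `N` before any TLS handshake. This Go probe performs that exchange and returns the certificate chain the server presents; `peerCerts`, `errNoTLS` and the 5-second timeout are names and values assumed for this example, and the host is the one from the issue.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"time"
)

// sslRequest is PostgreSQL's SSLRequest: int32 length 8, int32 code 80877103.
var sslRequest = []byte{0, 0, 0, 8, 0x04, 0xd2, 0x16, 0x2f}
var errNoTLS = errors.New("server did not answer 'S' to SSLRequest")

// peerCerts (hypothetical helper) sends SSLRequest, then runs the TLS handshake.
// Verification is skipped on purpose: an expiry probe must also read invalid
// certificates, so validate the returned chain separately.
func peerCerts(conn net.Conn) ([]*x509.Certificate, error) {
	if _, err := conn.Write(sslRequest); err != nil {
		return nil, err
	}
	var resp [1]byte
	if _, err := io.ReadFull(conn, resp[:]); err != nil {
		return nil, fmt.Errorf("reading SSLRequest answer: %w", err)
	}
	if resp[0] != 'S' { // 'N' means ssl is off or TLS was refused
		return nil, fmt.Errorf("%w (answer %q)", errNoTLS, resp[0])
	}
	tc := tls.Client(conn, &tls.Config{InsecureSkipVerify: true})
	if err := tc.Handshake(); err != nil {
		return nil, err
	}
	return tc.ConnectionState().PeerCertificates, nil
}

func main() {
	conn, err := net.DialTimeout("tcp", "postgresdb.mydomain.com:5432", 5*time.Second)
	if err != nil {
		log.Fatal(err)
	}
	defer conn.Close()
	certs, err := peerCerts(conn)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(certs[0].Subject.CommonName, "expires", certs[0].NotAfter)
}
```

An `N` answer surfaces as `errNoTLS`, which distinguishes a server with `ssl = off` from a network failure or a dropped connection.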