[BUG] Cannot run `healthcheck` with `wget` for `postgres-exporter` when running with TLS

Open pasquale95 opened this issue 3 weeks ago • 2 comments

Bug description

Hi, I'm opening this bug as a sibling of the very same bug I opened for node-exporter (https://github.com/prometheus/node_exporter/issues/3496).

As stated also there, I'm trying to run a Postgres Exporter server with TLS using prometheuscommunity/postgres-exporter:latest. postgres-exporter works just fine with TLS passing the necessary configuration through the --web.config.file option. The problem is instead setting the healthcheck command, where I use wget.

Unfortunately the image uses a Busybox version (busybox:1.36.1) which is well-known to have a faulty wget, which doesn't implement TLS verification correctly (see https://github.com/docker-library/busybox/issues/162). The result is that the healthcheck command:

```
# postgres_exporter runs on port 2110
wget -q --spider --no-check-certificate https://localhost:2110/metrics
```

fails with the message:

```
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer
```

This error has been solved with busybox:1.37. So I would encourage updating quay.io/prometheus/busybox-${OS}-${ARCH}:latest to use this version and providing a newer prometheuscommunity/postgres-exporter:latest image.

What did you do?

Tried to run Postgres Exporter with TLS and set a valid healthcheck command.

What did you expect to see?

The healthcheck run with wget -q --spider --no-check-certificate https://localhost:9116/metrics to succeed.

What did you see instead? Under which circumstances?

The healthcheck command fails:

```
wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer
```

Environment

  • System information:

```
uname -srm
Linux 5.14.0-611.7.1.el9_7.x86_64 x86_64
```

  • postgres_exporter version:

```
/ # postgres_exporter --version
postgres_exporter, version 0.18.1 (branch: HEAD, revision: 320b684f3dcd3f09b6e694e43f9b389b1a8199e5)
  build user:       root@83cf77f7d3ab
  build date:       20250929-17:16:35
  go version:       go1.24.7
  platform:         linux/amd64
  tags:             unknown
```

  • postgres_exporter flags:

```
--web.listen-address=:2110,
--config.file=/var/config/postgres_exporter.yaml
--web.config.file=/var/config/web-config.yaml
```

  • Logs:

```
2025/12/02 11:00:37 http: TLS handshake error from 127.0.0.1:41508: tls: invalid ClientKeyExchange message
```

pasquale95 · Dec 02 '25 11:12

I tested the wget command in quay.io/prometheus/busybox-linux-amd64:latest and it works fine. The issue exists with the wget in prometheuscommunity/postgres-exporter:latest. This might be caused by Docker using cached images during the build process.

weidongkl · Dec 04 '25 08:12

Perhaps the docker build command in the Makefile should use the --no-cache and --pull flags.

weidongkl · Dec 04 '25 08:12
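An added example, not part of the issue or of the postgres_exporter project: a shell check that reads the BusyBox banner from an image and reports whether its wget is older than the release the report says fixes the handshake failure, which also shows whether a rebuilt exporter image really picked up the newer base image. The function names, the `FIXED_VERSION` threshold (everything below 1.37 is treated as suspect, although the report only names 1.36.1) and the sample banners in the comments are assumptions.

```shell
#!/bin/sh
# Assumption from the report: busybox 1.36.1 wget fails, busybox 1.37 works.
FIXED_VERSION="1.37.0"

# Extract "X.Y.Z" from a banner such as (constructed sample):
#   BusyBox v1.36.1 (2023-05-18 22:34:17 UTC) multi-call binary.
busybox_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BusyBox v\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Missing fields count as 0, so 1.37 and 1.37.0 compare equal.
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Exit status: 0 = older than FIXED_VERSION, 1 = not older, 2 = banner not parsed.
busybox_wget_affected() {
    v=$(busybox_version "$1")
    if [ -z "$v" ]; then return 2; fi
    if version_lt "$v" "$FIXED_VERSION"; then return 0; fi
    return 1
}

# Read the banner from an image. Assumes docker is installed and the image
# has busybox on its PATH, as the BusyBox-based exporter image should.
image_banner() {
    docker run --rm --entrypoint busybox "$1" 2>&1 | head -n 1
}

# Usage: busybox_wget_affected "$(image_banner IMAGE)" && echo "old BusyBox wget"
```

Running it against both the exporter image and the base image named in the thread shows whether the two carry the same BusyBox release.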