Add support for AIA (Authority Information Access)
Can we please look at adding support for AIA (Authority Information Access)
https://www.rfc-editor.org/rfc/rfc3280#section-4.2.2.1
Can you share more on how it would be useful to the users, and the possible use-cases it will solve?
Sure, hopefully this helps.
Monitoring endpoints secured by HTTPS certificates that don't have the intermediate certs within the chain, e.g. Blackbox monitoring third-party private APIs to report on their availability that are configured with public certificates that don't have the intermediate certs within the chain. Popular web browsers and stacks use AIA to pull these certs and connect without connection errors; however, blackbox fails to connect without ignoring certificate errors.
Can you share some examples of websites that blackbox_exporter fails on? Maybe share a check config?
Sure thing, so if we use this site as the example:
https://incomplete-chain.badssl.com/
From a browser like Chrome this loads fine as AIA is enabled.
If we curl or wget without AIA we get:

```
$ wget https://incomplete-chain.badssl.com/
Connecting to incomplete-chain.badssl.com (104.154.89.105:443)
wget: note: TLS certificate validation not implemented
wget: got bad TLS record (len:0) while expecting switch to encrypted traffic
wget: error getting response: Connection reset by peer

$ curl https://incomplete-chain.badssl.com/
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

This is due to the missing intermediate cert.
NOTE: Mac has AIA now on curl, so curl will work from a Mac, but from a Linux container etc. it will fail as above.
Then in blackbox exporter we have:

```yaml
config:
  modules:
    http_ok:
      prober: http
      timeout: 5s
      http:
        valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
        valid_status_codes: []
        follow_redirects: false
        preferred_ip_protocol: "ip4" # defaults to "ip6"
        ip_protocol_fallback: false # no fallback to "ip6"
```
Then a job in Prometheus for:

```yaml
- job_name: http
  honor_timestamps: true
  track_timestamps_staleness: false
  params:
    module:
    - http_ok
  scrape_interval: 1m
  scrape_timeout: 10s
  scrape_protocols:
  - OpenMetricsText1.0.0
  - OpenMetricsText0.0.1
  - PrometheusText1.0.0
  - PrometheusText0.0.4
  metrics_path: /probe
  scheme: http
  enable_compression: true
  follow_redirects: true
  enable_http2: true
  relabel_configs:
  - source_labels: [__address__]
    separator: ;
    target_label: __param_target
    replacement: $1
    action: replace
  - source_labels: [__param_target]
    separator: ;
    target_label: instance
    replacement: $1
    action: replace
  - separator: ;
    target_label: __address__
    replacement: prometheus-blackbox-exporter:9115
    action: replace
  static_configs:
  - targets:
    - https://incomplete-chain.badssl.com
    - https://badssl.com/
```
The test for https://badssl.com/, which is fine, works as expected, but https://incomplete-chain.badssl.com fails as blackbox doesn't support AIA to fill in the incomplete cert.
It would make sense, I think, to add a flag to enable it if it's wanted for that module, as I can see the argument to just set up certs properly and then it's not an issue, but so many are missing the intermediate certs.
Hope that's helpful.
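For readers who want to see what "AIA to fill in the incomplete cert" means in practice, here is an added example of the chain-building the thread describes: on an unknown-issuer failure, fetch the certificate named by the leaf's AIA "CA Issuers" URL (RFC 3280 section 4.2.2.1), check that it really signed the leaf, add it as an intermediate and re-verify. It is written in Go because blackbox_exporter is a Go project, but it is not code from blackbox_exporter or from anyone in this thread. Everything in it is constructed: the root/intermediate/leaf PKI is generated in memory, the intermediate is served from a local `httptest` server standing in for a CA's AIA endpoint, and the host name, CA names and the `VerifyWithAIA`/`fetchAIAIssuer` function names are assumptions of the example. The fetch handles a single DER certificate only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// fetchAIAIssuer downloads the certificate named by an AIA "CA Issuers" URL.
// Assumption: the endpoint serves one DER certificate; PEM and PKCS#7 bundles,
// which real CAs also publish, are not handled here.
func fetchAIAIssuer(client *http.Client, url string) (*x509.Certificate, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("AIA fetch %s: HTTP %d", url, resp.StatusCode)
	}
	der, err := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // bound what an untrusted server can send
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithAIA verifies the presented chain against roots. When the only problem
// is an unknown issuer, it follows the AIA URL of the last certificate it could
// link, accepts the fetched certificate only if it actually signed that one, adds
// it to the intermediates and retries, at most maxFetch times.
func VerifyWithAIA(client *http.Client, presented []*x509.Certificate, roots *x509.CertPool, maxFetch int) ([][]*x509.Certificate, error) {
	leaf := presented[0]
	inter := x509.NewCertPool()
	for _, c := range presented[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter}
	cur := leaf
	for fetched := 0; ; fetched++ {
		chains, err := leaf.Verify(opts)
		if err == nil {
			return chains, nil
		}
		var unknown x509.UnknownAuthorityError
		if !errors.As(err, &unknown) || len(cur.IssuingCertificateURL) == 0 || fetched >= maxFetch {
			return nil, err // not an AIA-fixable failure, or nothing left to follow
		}
		issuer, ferr := fetchAIAIssuer(client, cur.IssuingCertificateURL[0])
		if ferr != nil {
			return nil, fmt.Errorf("%w (AIA fetch failed: %v)", err, ferr)
		}
		if serr := cur.CheckSignatureFrom(issuer); serr != nil {
			return nil, fmt.Errorf("AIA issuer %q does not sign %q: %v", issuer.Subject.CommonName, cur.Subject.CommonName, serr)
		}
		inter.AddCert(issuer)
		cur = issuer
	}
}

// newCert issues a certificate from tmpl; with parent == nil it is self-signed.
// Constructed test PKI only, not a real CA.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, der
}

// DemoIncompleteChain builds a constructed root -> intermediate -> leaf PKI, serves the
// intermediate from a local AIA endpoint, and verifies a server that presents only its
// leaf (the incomplete-chain case). It reports whether plain verification failed and
// how long the AIA-completed chain is.
func DemoIncompleteChain() (plainFails bool, chainLen int, err error) {
	var interDER []byte // assigned below; the handler only runs at request time
	aia := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/pkix-cert")
		w.Write(interDER)
	}))
	defer aia.Close()
	now := time.Now()
	tmpl := func(cn string, ca bool, serial int64) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: ca, BasicConstraintsValid: true}
	}
	rootT := tmpl("Constructed Root CA", true, 1)
	rootT.KeyUsage = x509.KeyUsageCertSign
	root, rootKey, _ := newCert(rootT, nil, nil)
	interT := tmpl("Constructed Intermediate CA", true, 2)
	interT.KeyUsage = x509.KeyUsageCertSign
	var inter *x509.Certificate
	var interKey *ecdsa.PrivateKey
	inter, interKey, interDER = newCert(interT, root, rootKey)
	leafT := tmpl("incomplete-chain.example.test", false, 3) // hypothetical host name
	leafT.KeyUsage = x509.KeyUsageDigitalSignature
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leafT.IssuingCertificateURL = []string{aia.URL + "/intermediate.der"} // the AIA "CA Issuers" pointer
	leaf, _, _ := newCert(leafT, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	presented := []*x509.Certificate{leaf} // the server omitted its intermediate
	// Without AIA this is curl's "unable to get local issuer certificate".
	_, plainErr := leaf.Verify(x509.VerifyOptions{Roots: roots})
	plainFails = plainErr != nil
	chains, err := VerifyWithAIA(aia.Client(), presented, roots, 2)
	if err != nil {
		return plainFails, 0, err
	}
	return plainFails, len(chains[0]), nil
}

func main() {
	plainFails, n, err := DemoIncompleteChain()
	fmt.Printf("plain verify fails: %v, AIA-completed chain length: %d, err: %v\n", plainFails, n, err)
}
```

Two design points matter if something like this ever lands behind a flag: the AIA URL comes from an unauthenticated certificate and is fetched over plain HTTP, so the fetched certificate must be tied back by signature to the certificate that named it (the `CheckSignatureFrom` step) and must never be treated as a trust anchor, and the number and size of fetches must be bounded so a probe target cannot turn a scrape into an open-ended download.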
I read up more on AIA, and I think it makes sense for browsers to have support for it, but I can't think of the reasons to have a certificate that doesn't have the intermediate certs (in cases where you control the target you are probing).
From what I read online, it's generally not recommended to have a cert chain with missing intermediate certs, but I also understand that you don't always control the targets you probe.
We can consider this; feel free to send a PR, but it should be behind a flag and disabled by default.