categraf and nightingale TLS errors #2574

Open
bboy-free opened this issue Mar 31, 2025 · 12 comments

@bboy-free

Question and Steps to reproduce

1. Is there detailed TLS configuration documentation covering the concrete settings for both the nightingale server and the categraf client?
2. Configuring TLS with a self-signed certificate as described in the current official documentation fails.
3. The current official TLS configuration documentation is too general.

Relevant logs and configurations

Client configuration
use_tls = true
tls_min_version = "1.2"
tls_ca = "/data/certs/ca.crt"
tls_cert = "/data/certs/client.crt"
tls_key = "/data/certs/client.key"
## Use TLS but skip chain & host verification
insecure_skip_verify = true

Server configuration
UseTLS = true
TLSCA = "/data/certs/ca.crt"
TLSCert = "/data/certs/server.crt"
TLSKey = "/data/certs/server.key"
InsecureSkipVerify = true

Server error:
2025/03/31 17:05:38 server.go:3489: http: TLS handshake error from 172.22.xx.xx:58622: remote error: tls: bad certificate
Client error:
Mar 31 16:41:38 iZj6cht59ryg56qharln72Z categraf: 2025/03/31 16:41:38 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority

Certificate chain verification is fine:
openssl verify -CAfile ca.crt server.crt client.crt
server.crt: OK
client.crt: OK

Version

v8.0.0-beta.9
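As an added example (not code from this issue, from categraf or from nightingale), the Go program below rebuilds the checks that a Go TLS client (the categraf writer with tls_ca) and a Go TLS server (n9e with TLSCA) run on a peer certificate, against a constructed private CA, so the errors in this thread can be told apart. The CA, the certificate names and the address 172.22.0.10 are constructed placeholders, not values from the reporter's environment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue mints a constructed test cert signed by parent (nil parent: self-signed CA); ips become IP SANs.
func issue(cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey, ips ...net.IP) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}, BasicConstraintsValid: true}
	if parent == nil { // root CA: self-signed, may sign certs, carries no leaf EKU
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage, parent, signer = true, tmpl.KeyUsage|x509.KeyUsageCertSign, nil, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkPeer applies what crypto/tls checks in a handshake: chain to roots, IP/DNS SAN (host "" skips it), EKU.
func checkPeer(roots *x509.CertPool, leaf *x509.Certificate, host string, eku x509.ExtKeyUsage) string {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
		return err.Error() // e.g. "x509: certificate signed by unknown authority", the message in the categraf log
	}
	return "ok"
}

// Demo mirrors the thread with constructed data: a private CA, a server cert for the n9e IP, a client cert for categraf, and the misconfigurations that fail each side's check.
func Demo() map[string]string {
	ca, caKey := issue("test-ca", 0, nil, nil)
	server, _ := issue("n9e", x509.ExtKeyUsageServerAuth, ca, caKey, net.ParseIP("172.22.0.10"))
	cnOnly, _ := issue("n9e-cn-only", x509.ExtKeyUsageServerAuth, ca, caKey) // no SAN: openssl verify still says OK
	client, _ := issue("categraf", x509.ExtKeyUsageClientAuth, ca, caKey)
	trusted, empty := x509.NewCertPool(), x509.NewCertPool()
	trusted.AddCert(ca) // what tls_ca (client RootCAs) and TLSCA (server ClientCAs) must load
	return map[string]string{
		"writer: tls_ca loaded":          checkPeer(trusted, server, "172.22.0.10", x509.ExtKeyUsageServerAuth),
		"writer: tls_ca not applied":     checkPeer(empty, server, "172.22.0.10", x509.ExtKeyUsageServerAuth),
		"writer: server cert has no SAN": checkPeer(trusted, cnOnly, "172.22.0.10", x509.ExtKeyUsageServerAuth),
		"server: client.crt presented":   checkPeer(trusted, client, "", x509.ExtKeyUsageClientAuth),
		"server: server.crt as client":   checkPeer(trusted, server, "", x509.ExtKeyUsageClientAuth),
	}
}
```

openssl verify checks only the chain, which is why it reports OK for a certificate that Go then rejects for a missing IP SAN or an incompatible extended key usage. When insecure_skip_verify actually reaches tls.Config.InsecureSkipVerify, Go skips all of these checks and cannot produce the unknown-authority error, so seeing that error with the setting enabled indicates the writer's TLS options are not being applied to its HTTP transport.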

@UlricQin
Member

UlricQin commented Apr 1, 2025

Paste the complete server-side and client-side configurations so we can take a look.

@bboy-free
Author

bboy-free commented Apr 2, 2025

Server configuration

[Global]
RunMode = "release"

[Log]
Dir = "logs"
Level = "DEBUG"
Output = "stdout"

[HTTP]
Host = "0.0.0.0"
Port = 17000
CertFile = "/data/certs/server.crt"
KeyFile = "/data/certs/server.key"
PrintAccessLog = false
PProf = true
ExposeMetrics = true
ShutdownTimeout = 30
MaxContentLength = 67108864
ReadTimeout = 20
WriteTimeout = 40
IdleTimeout = 120

[HTTP.ShowCaptcha]
Enable = false

[HTTP.APIForAgent]
Enable = true

[HTTP.APIForService]
Enable = false
[HTTP.APIForService.BasicAuth]
user001 = "ccc26da7b9aba533cbb263a36c07dcc5"

[HTTP.JWTAuth]
AccessExpired = 1500
RefreshExpired = 10080
RedisKeyPrefix = "/jwt/"

[HTTP.ProxyAuth]
Enable = false
HeaderUserNameKey = "X-User-Name"
DefaultRoles = ["Standard"]

[HTTP.RSA]
OpenRSA = false

[DB]
DBType = "sqlite"

DSN = "n9e.db"
Debug = false
MaxLifetime = 7200
MaxOpenConns = 150
MaxIdleConns = 50

[Redis]

Address = "127.0.0.1:6379"

RedisType = "miniredis"

[Alert]
[Alert.Heartbeat]
IP = ""
Interval = 1000
EngineName = "default"

[Center]
MetricsYamlFile = "./etc/metrics.yaml"
I18NHeaderKey = "X-Language"

[Center.AnonymousAccess]
PromQuerier = true
AlertDetail = true

[Pushgw]
LabelRewrite = true
ForceUseServerTS = true

[[Pushgw.Writers]]
Url = "https://172.xx.xx.xx:17000/api/v1/write"
BasicAuthUser = ""
BasicAuthPass = ""
Headers = ["X-From", "n9e"]
Timeout = 10000
DialTimeout = 3000
TLSHandshakeTimeout = 30000
ExpectContinueTimeout = 1000
IdleConnTimeout = 90000
KeepAlive = 30000
MaxConnsPerHost = 0
MaxIdleConns = 100
MaxIdleConnsPerHost = 100
UseTLS = true
TLSCA = "/data/certs/ca.crt"
TLSCert = "/data/certs/server.crt"
TLSKey = "/data/certs/server.key"
InsecureSkipVerify = true

Client configuration

[global]
print_configs = false

hostname = ""

omit_hostname = false

precision = "ms"

interval = 15

providers = ["local"]

disable_usage_report = true

[global.labels]

[log]
file_name = "stdout"

max_size = 100
max_age = 1
max_backups = 1
local_time = true
compress = false

[writer_opt]
batch = 1000
chan_size = 1000000

[[writers]]
url = "https://172.22.xx.xx:17000/prometheus/v1/write"

basic_auth_user = ""

basic_auth_pass = ""

timeout = 5000
dial_timeout = 2500
max_idle_conns_per_host = 100

[http]
enable = false
address = ":9100"
print_access = false
run_mode = "release"

[ibex]
enable = false
interval = "1000ms"
servers = ["127.0.0.1:20090"]
meta_dir = "./meta"

[heartbeat]
enable = true

url = "https://172.22.xx.xx:17000/v1/n9e/heartbeat"

interval = 10

basic_auth_user = ""

basic_auth_pass = ""

use_tls = true
tls_min_version = "1.2"
tls_ca = "/data/certs/ca.crt"
tls_cert = "/data/certs/server.crt"
tls_key = "/data/certs/server.key"
insecure_skip_verify = true

timeout = 5000
dial_timeout = 2500
max_idle_conns_per_host = 100

@UlricQin
Member

UlricQin commented Apr 2, 2025

The TLS settings are only configured for heartbeat, not for the writer. Copy the part below under [[writers]] and try again.

use_tls = true
tls_min_version = "1.2"
tls_ca = "/data/certs/ca.crt"
tls_cert = "/data/certs/server.crt"
tls_key = "/data/certs/server.key"
insecure_skip_verify = true

@bboy-free
Author

After applying this configuration on the client it still fails:
[[writers]]
url = "https://172.22.xx.xx:17000/prometheus/v1/write"

basic_auth_user = ""

basic_auth_pass = ""

timeout = 5000
dial_timeout = 2500
max_idle_conns_per_host = 100
use_tls = true
tls_min_version = "1.2"
tls_ca = "/data/certs/ca.crt"
tls_cert = "/data/certs/server.crt"
tls_key = "/data/certs/server.key"
insecure_skip_verify = true

Log:
Apr 3 10:32:14 iZj6cht59ryg56qharln72Z categraf: 2025/04/03 10:32:14 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority

@UlricQin
Member

UlricQin commented Apr 6, 2025

Your server.crt and server.key: are the client and the server using the same ones? Those two should be different.

@bboy-free
Author

Let me try again. I tested nginx and a downstream service with the same set of certificates and that was OK.

@bboy-free
Author

bboy-free commented Apr 16, 2025

I updated the certificates.

Client configuration

[[writers]]
url = "https://172.22.xx.xx:17000/prometheus/v1/write"

basic_auth_user = ""

basic_auth_pass = ""

timeout = 5000
dial_timeout = 2500
max_idle_conns_per_host = 100
use_tls = true
tls_ca = "/data/certs/ca.crt"
tls_cert = "/data/certs/client.crt"
tls_key = "/data/certs/client.key"
insecure_skip_verify = true

Server configuration

MaxIdleConnsPerHost = 100
UseTLS = true
TLSCA = "/data/test_n9e_cert/ca.crt"
TLSCert = "/data/test_n9e_cert/server.crt"
TLSKey = "/data/test_n9e_cert/server.key"
InsecureSkipVerify = true

Certificate chain verification is fine:

openssl verify -CAfile /data/test_n9e_cert/ca.crt /data/test_n9e_cert/server.crt /data/test_n9e_cert/client.crt
/data/test_n9e_cert/server.crt: OK
/data/test_n9e_cert/client.crt: OK

Still failing:

Apr 16 10:16:52 iZj6cht59ryg56qharln72Z categraf: 2025/04/16 10:16:52 writer.go:96: W! push data with remote write request got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority response body:
Apr 16 10:16:52 iZj6cht59ryg56qharln72Z categraf: 2025/04/16 10:16:52 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority
Apr 16 10:16:52 iZj6cht59ryg56qharln72Z categraf: 2025/04/16 10:16:52 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority

Could you provide a best-practice TLS configuration for reference?

@kongfei605
Collaborator

On the client you only need to configure the following:

use_tls = true
insecure_skip_verify = true

@bboy-free
Author

bboy-free commented Apr 16, 2025

TLS only, fine, but

I tried configuring only the following on the client:
use_tls = true
insecure_skip_verify = true

Still failing:
Apr 16 14:45:45 iZj6cht59ryg56qharln72Z categraf: 2025/04/16 14:45:45 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority

@kongfei605
Collaborator

> TLS only, fine, but
>
> I tried configuring only use_tls = true insecure_skip_verify = true on the client
>
> Still failing Apr 16 14:45:45 iZj6cht59ryg56qharln72Z categraf: 2025/04/16 14:45:45 writer.go:66: W! post to https://172.22.xx.xx:17000/prometheus/v1/write got error: Post "https://172.22.xx.xx:17000/prometheus/v1/write": x509: certificate signed by unknown authority

Check the output of ./categraf --version

@bboy-free
Author

./categraf --version
v0.2.40-e04a550780857f5310d32d19a46fbc7ef97fbe6b

@kongfei605
Collaborator

Could you try the latest categraf version?

> ./categraf --version
> v0.2.40-e04a550780857f5310d32d19a46fbc7ef97fbe6b

4 participants