Does Prometheus ignore TLS Subject Alternative Name? (Istio mTLS STRICT mode)

Hello,

I’m trying to scrape metrics using HTTPS and I’m getting the following error from the Prometheus server.

level=debug ts=2021-06-21T18:25:38.939Z caller=scrape.go:1137 
component="scrape manager" scrape_pool=my-kubernetes-pods 
target=https://1.2.3.4:3000/metrics msg="Scrape failed" 
err="Get \"https://1.2.3.4:3000/metrics\": x509: 
 cannot validate certificate for 1.2.3.4 because it doesn't contain any IP SANs"

I checked, and indeed the certificate (issued by Istio) has a blank Subject. However, the SAN is set as follows.

            X509v3 Subject Alternative Name: critical
                URI:spiffe://cluster.local/ns/observability/sa/prometheus-server

I tried setting tls_config.server_name and got a new error from Prometheus. (Setting server_name to “cluster.local” also failed in the same way.)

level=debug ts=2021-06-21T18:53:08.939Z caller=scrape.go:1137 
component="scrape manager" scrape_pool=my-kubernetes-pods 
target=https://1.2.3.4:3000/metrics msg="Scrape failed"
err="Get \"https://1.2.3.4:3000/metrics\": x509:
 certificate is not valid for any names, but wanted to match URI:spiffe://cluster.local/ns/observability/sa/prometheus-server"

Is it the case that Prometheus either ignores the SAN entirely, or otherwise requires certs to have a non-empty Subject?

Thanks in advance for your help!
Jeffrey
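
Both `x509:` messages quoted above come from hostname verification in Go's `crypto/x509`, which matches a requested name only against DNS and IP SANs. The Go program below is an added example (not part of the original post and not Prometheus code): it builds a constructed self-signed certificate with an empty Subject and a single SPIFFE URI SAN, shows `VerifyHostname` rejecting every candidate name, and then does the explicit URI SAN comparison. The helper names `newURIOnlyCert` and `hasSPIFFEID` are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed sample identity with the same shape as the SAN shown in the post.
const spiffeID = "spiffe://cluster.local/ns/observability/sa/prometheus-server"

// newURIOnlyCert returns a self-signed cert with an empty Subject and one URI SAN.
func newURIOnlyCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	u, _ := url.Parse(spiffeID) // the constant above is known to parse
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), URIs: []*url.URL{u},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSPIFFEID does the comparison the hostname check never makes: an exact match
// on the single URI SAN (an X.509-SVID carries exactly one URI SAN).
func hasSPIFFEID(c *x509.Certificate, want string) bool {
	return len(c.URIs) == 1 && c.URIs[0].String() == want
}

func main() {
	c, err := newURIOnlyCert()
	if err != nil {
		panic(err)
	}
	// An IP, a DNS-style name and the SPIFFE URI itself all fail hostname checks.
	for _, name := range []string{"1.2.3.4", "cluster.local", spiffeID} {
		fmt.Printf("VerifyHostname(%q): %v\n", name, c.VerifyHostname(name))
	}
	fmt.Println("URI SAN matches expected ID:", hasSPIFFEID(c, spiffeID))
}
```

The certificate is parsed correctly and the URI SAN is available in `Certificate.URIs`; it is the name-matching step that has no rule for URI entries, independent of whether the Subject is empty.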