I’m using a ECDSA CA for my setup and issue ed25519 certificates for internal TLS endpoints. My CA has these specs:
Signature Algorithm: ecdsa-with-SHA512
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
ASN1 OID: brainpoolP384r1
Unfortunately, I couldn’t make TLS work between my node exporters and the prometheus server. The server cannot even load the CA:
caller=manager.go:188 component="scrape manager" msg="error creating new scrape pool" err="error creating HTTP client: unable to use specified CA cert /etc/prometheus/ca.crt" scrape_pool=qa-metrics-1
I guessed that’s due to missing elliptic curve support in the underlying client/runtime, as I’ve seen it before in some java applications. So I temporarily added a RSA CA to my PKI and replaced the certificates on the node exporters and made the prometheus server load the RSA CA with the result that everything works as expected.
Is EC PKI supposed to be working for prometheus? Can I make it work with appropriate configuration? I’m using the official docker container prom/prometheus.