left arrowBack
Anton Eyntrop

Anton Eyntrop

November 16, 2022 ・ Basics

How To Enable SSL For PMM Server

This article assumes you have already installed PMM on your machine.

Securing your web services by moving them to use HTTPS instead of plain HTTP is one of the best ways to make sure the exchange remains encrypted for all the parties involved in transporting data between the service and the client browser. Extra protection against man-in-the-middle (MITM) attacks is a welcome feature as well.

Your PMM instance is already secured with a self-signed certificate: you’d want to keep your credentials safe from eavesdropping. This is no help against MITM attacks, though, and not the best practice in general. To fully utilize HTTPS you will need to acquire a certificate issued by one of the global authority centers.

The process involves:

  • Creating a DNS record for your PMM instance to be accessed over the web

  • Obtaining an SSL/TLS certificate for the PMM instance

  • Installing the certificate and verifying the setup

  • (optionally) Hosting PMM behind a reverse proxy

We will use as an address we want our PMM to be available at, being a domain under our control.

Creating a DNS record for the PMM instance with the address you prefer

You would need a new “type A” record pointing to the IP address that publicly serves your PMM:


Make sure the record works as expected by opening in a browser.

Obtaining an SSL/TLS certificate for your PMM instance

In case you have a wildcard certificate for “*”, you can skip this step and move on to the next one.

Otherwise, we recommend using Let’s Encrypt — a service that issues SSL/TLS certificates for free.

The simplest way to use it is via a recommended tool named Certbot.

Certbot is provided as a drop-in Snap package (“snapd” daemon), supported by most Linux distributions, but there are alternatives available on the website.

Here’s how you proceed with Snap. Update it first:

sudo snap install core; sudo snap refresh core

Install Certbot package:

sudo snap install --classic certbot

Link new binary to a place inside your $PATH variable:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

You should have certbot command available to run in your terminal now. If you get “command not found” instead, restart your shell session by logging out.

Launch Certbot as a standalone Web server, temporarily binding it to TCP port 80. This will start the certificate acquistion:

sudo certbot certonly --standalone

You will be asked a number of questions on behalf of Let’s Encrypt. When the utility finishes its work, you will see a short summary.

Certificate is saved at: /etc/letsencrypt/live/
Key is saved at:         /etc/letsencrypt/live/
This certificate expires on 2023-01-28.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

We got our certificate, time to install it.

Installing the certificate and verifying the setup

Replace the default self-signed certificates inside Docker image with your own:

docker cp -L /etc/letsencrypt/live/ pmm-server:/srv/nginx/certificate.crt

docker cp -L /etc/letsencrypt/live/ pmm-server:/srv/nginx/ca-certs.pem

docker cp -L /etc/letsencrypt/live/ pmm-server:/srv/nginx/certificate.key

Restart Docker container:

docker restart pmm-server

Check your new certificate by opening If you were logged into PMM before, you might need to clear your browser cache or use incognito mode to immediately see the difference.

Hosting PMM behind a reverse proxy

There’s a number of things you have to keep in mind when setting up PMM behind a reverse proxy (such as NGINX). You will have to pass a number of HTTP headers and enable WebSocket support for the web interface to work properly.

NGINX configuration example that serves locally available PMM as a publicly accessible

http {

	# [...skipped...]

	# WebSocket handling for proxied connections
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;

	# [...skipped...]

	server {
		ssl_certificate /etc/letsencrypt/live/;
		ssl_certificate_key /etc/letsencrypt/live/;

		listen 443 ssl;

		location / {
			proxy_set_header Origin ;
			proxy_set_header Host   ;
			proxy_set_header Upgrade          $http_upgrade;
			proxy_set_header Connection       $connection_upgrade;
			proxy_set_header X-Real-IP        $remote_addr;
			proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
			proxy_pass              ;

In addition, your PMM instance might require gRPC communication with remote pmm-agents. Depending on your web server, this might not be possible.

  • Basics