Mykhailo Liepieshko

January 16, 2023 ・ Basics

[SOLVED] PMM Server Installation Error – X509: Certificate Signed By Unknown Authority.

This error can occur when you try to connect pmm-agent to a pmm-server over a secure channel, but your server only has a self-signed certificate.

pmm-admin config --server-url=https://admin:PASSWORD@host:443 XXX.XXX.XXX.XXX generic my_pmm_client
Checking local pmm-agent status...
pmm-agent is running.
Registering pmm-agent on PMM Server...
Failed to register pmm-agent on PMM Server: Post "https://host:443/v1/management/Node/Register": x509: certificate signed by unknown authority.

So first of all, decide whether the connection really needs to be secured. If it doesn't, you can just add the --server-insecure-tls flag, which makes the client skip validation of the server's certificate. For example, if the PMM server and PMM clients are on the same isolated network, it is not necessary to build a fully secure connection.

pmm-admin config --server-insecure-tls --server-url=https://admin:PASSWORD@host:443 XXX.XXX.XXX.XXX generic my_pmm_client

In other cases, a secure connection is preferred.

You need to create a DNS entry for the pmm server and make sure the client resolves it correctly.

Then you need to put the certificate, CA chain and key into the Docker container running the PMM server.

docker cp -L /tmp/cert.pem pmm-server:/srv/nginx/certificate.crt
docker cp -L /tmp/cert.ca pmm-server:/srv/nginx/ca-certs.pem
docker cp -L /tmp/cert.key pmm-server:/srv/nginx/certificate.key

After updating the certificate, you need to restart the container:

docker restart pmm-server

Now the agent should connect to the server correctly.

pmm-admin config --server-url=https://admin:PASSWORD@host:443 XXX.XXX.XXX.XXX generic my_pmm_client
Checking local pmm-agent status...
pmm-agent is running.
Registering pmm-agent on PMM Server...
Registered.
Configuration file /usr/local/percona/pmm2/config/pmm-agent.yaml updated.
Reloading pmm-agent configuration...
Configuration reloaded.
Checking local pmm-agent status...
pmm-agent is running.

PS: You can use a Let’s Encrypt certificate for this.
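
Why a self-signed certificate is rejected, and why the client needs a DNS name that the certificate actually lists, shown with Go's crypto/x509 package, which returns the error text quoted above. This is an added example, not code from PMM or from the original post; the helpers issue and verifyServer, the name pmm.example.test and the address 192.0.2.10 are constructed for illustration, and all certificates are generated in memory.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed demo certificate; a nil parent makes it self-signed.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !isCA { // server certificate: hostname checks read the SAN, not the CN
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyServer applies the client-side checks: chain to the trusted CA, and name matches host.
func verifyServer(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool() // explicit pool, so the system trust store is not consulted
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey := issue("Constructed Test CA", true, nil, nil)
	signed, _ := issue("pmm.example.test", false, ca, caKey)
	selfSigned, _ := issue("pmm.example.test", false, nil, nil)
	fmt.Println("self-signed:", verifyServer(selfSigned, ca, "pmm.example.test"))
	fmt.Println("CA-signed:", verifyServer(signed, ca, "pmm.example.test"))
	fmt.Println("by IP:", verifyServer(signed, ca, "192.0.2.10"))
}
```

The third call fails even though the chain is trusted, because the certificate lists only a DNS name; that is the case the DNS entry step addresses.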

If you still receive this kind of error

We found a bug with the official pmm-client image, which applies if the certificates on the server side are completely correct but you still receive this error.

pmm-client  | INFO[2022-11-30T08:53:38.245+00:00] Loading configuration file /etc/pmm-agent.yaml.  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.246+00:00] Using /usr/local/percona/pmm2/exporters/node_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/mysqld_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/mongodb_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/postgres_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/proxysql_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/rds_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.247+00:00] Using /usr/local/percona/pmm2/exporters/azure_exporter  component=setup
pmm-client  | INFO[2022-11-30T08:53:38.248+00:00] Using /usr/local/percona/pmm2/exporters/vmagent  component=setup
pmm-client  | Checking local pmm-agent status...
pmm-client  | pmm-agent is not running.
pmm-client  | Registering pmm-agent on PMM Server...
pmm-client  | Failed to register pmm-agent on PMM Server: Post "https://host:443/v1/management/Node/Register": x509: certificate signed by unknown authority.
pmm-client exited with code 1

It's probably related to a problem with the certificates in the pmm-client image. We reported this bug to Percona, so the problem will be resolved when they update the official image.

So the only workaround at the moment, when following the Docker-oriented install instructions, is to enable the PMM_AGENT_SERVER_INSECURE_TLS option:

PMM_SERVER=X.X.X.X:443
docker run \
--rm \
--name pmm-client \
-e PMM_AGENT_SERVER_ADDRESS=${PMM_SERVER} \
-e PMM_AGENT_SERVER_USERNAME=admin \
-e PMM_AGENT_SERVER_PASSWORD=admin \
-e PMM_AGENT_SERVER_INSECURE_TLS=1 \
-e PMM_AGENT_SETUP=1 \
-e PMM_AGENT_CONFIG_FILE=config/pmm-agent.yaml \
--volumes-from pmm-client-data \
percona/pmm-client:2