Prometheus: Add TLS encryption to Prometheus Node Exporter

This documentation is part of the Retrieving metrics from Linux guide. You can view the complete guide here: How to retrieve Linux server metrics in Prometheus using Node Exporter.

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Prometheus cloud solution that provides numerous benefits, including:

  • Alert Manager included to send alerts to Slack, Mattermost, PagerDuty, etc.
  • Dedicated email server to send unlimited email alerts.
  • Blackbox to probe HTTP, ICMP, TCP, and more.
  • Easy configuration with an online configuration file editor.
  • Effortless updates with just a click.
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Prometheus cloud hosting solution!

By default, Node Exporter does not encrypt communications. This means that credentials, including the previously defined password, are transmitted in plain text. To secure communications, you can enable TLS encryption as follows.

Run the following commands to create a TLS certificate and key:

# Create TLS certificate
cd /tmp
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
  -keyout /etc/prometheus_node_exporter/tlsCertificate.key \
  -out /etc/prometheus_node_exporter/tlsCertificate.crt \
  -subj "/CN=`hostname`" \
  -addext "subjectAltName = DNS:`hostname`"
sudo chmod 600 /etc/prometheus_node_exporter/*
sudo chown -R node_exporter:node_exporter /etc/prometheus_node_exporter

Append the following lines to the configuration file to add TLS settings and then restart Node Exporter:

sudo cat << 'EOF' >> /etc/prometheus_node_exporter/configuration.yml
tls_server_config:
  cert_file: /etc/prometheus_node_exporter/tlsCertificate.crt
  key_file: /etc/prometheus_node_exporter/tlsCertificate.key

EOF

# Restart Prometheus Node Exporter
sudo systemctl restart node_exporter

You can verify that TLS is active by connecting via HTTPS with the following command:

curl -k -u prometheus:${password} https://localhost:9100/metrics

Note that this method does not use a CA certificate, so you need to pass the "-k" option to cURL to bypass certificate verification.