Prometheus: Add TLS encryption to Prometheus Node Exporter
This documentation is part of the Retrieving metrics from Linux guide. View the full guide here: How to retrieve Linux server metrics in Prometheus using Node Exporter.
👋 Welcome to the Stackhero documentation!
Stackhero offers a ready-to-use Prometheus cloud solution that provides a host of benefits, including:
Alert Managerincluded to send alerts toSlack,Mattermost,PagerDuty, etc.- Dedicated email server to send unlimited email alerts.
Blackboxto probeHTTP,ICMP,TCP, and more.- Easy configuration with online configuration file editor.
- Effortless updates with just a click.
- Optimal performance and robust security powered by a private and dedicated VM.
Save time and simplify your life: it only takes 5 minutes to try Stackhero's Prometheus cloud hosting solution!
By default, Node Exporter does not encrypt communications. This means that credentials, including the previously defined password, are transmitted in plain text. To secure communications, you can enable TLS encryption as follows.
Creating TLS certificates
Run the following commands to create a TLS certificate and key:
# Create TLS certificate
cd /tmp
sudo openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
-keyout /etc/prometheus_node_exporter/tlsCertificate.key \
-out /etc/prometheus_node_exporter/tlsCertificate.crt \
-subj "/CN=`hostname`" \
-addext "subjectAltName = DNS:`hostname`"
sudo chmod 600 /etc/prometheus_node_exporter/*
sudo chown -R node_exporter:node_exporter /etc/prometheus_node_exporter
Updating the configuration
Append the following lines to the configuration file to add TLS settings and then restart Node Exporter:
sudo cat << 'EOF' >> /etc/prometheus_node_exporter/configuration.yml
tls_server_config:
cert_file: /etc/prometheus_node_exporter/tlsCertificate.crt
key_file: /etc/prometheus_node_exporter/tlsCertificate.key
EOF
# Restart Prometheus Node Exporter
sudo systemctl restart node_exporter
You can verify that TLS is active by connecting via HTTPS with the following command:
curl -k -u prometheus:${password} https://localhost:9100/metrics
Note that this method does not use a CA certificate, so you need to pass the "-k" option to cURL to bypass certificate verification.