Hi,
I set up Telegraf to check the validity of my certificates. That worked for a while (almost 2 years) but a few months ago this stopped working. Now I have some time to investigate.
I’m running telegraf “Telegraf 1.26.3 (git: HEAD@90f4eb29)” on a ubuntu 20.04LTS server. The certificate is a SAN/multi-domain certificate from Let’s Encrypt.
Telegraf logs this :
2023-06-08T14:42:50Z D! [inputs.x509_cert] Invalid certificate 4001772137d4e942b8ee76aa3c640ab7
2023-06-08T14:42:50Z D! [inputs.x509_cert] cert DNS names: []
2023-06-08T14:42:50Z D! [inputs.x509_cert] cert IP addresses: []
2023-06-08T14:42:50Z D! [inputs.x509_cert] cert subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
2023-06-08T14:42:50Z D! [inputs.x509_cert] cert issuer: CN=DST Root CA X3,O=Digital Signature Trust Co.
2023-06-08T14:42:50Z D! [inputs.x509_cert] opts.DNSName:
2023-06-08T14:42:50Z D! [inputs.x509_cert] verify options: { 0xc002a45f80 <nil> 0001-01-01 00:00:00 +0000 UTC [0] 0}
2023-06-08T14:42:50Z D! [inputs.x509_cert] verify error: x509: certificate signed by unknown authority
2023-06-08T14:42:50Z D! [inputs.x509_cert] tlsCfg.ServerName:
2023-06-08T14:42:50Z D! [inputs.x509_cert] ServerName:
I tried with an LE-certificate with a single domain in it and that seems OK. Tried with google and that’s OK also.
I was running a previous version of telegraf and there was a similar error. That’s why I upgraded.
There are a few differences though. With that version I got valid dns-names.
Any suggestions how to debug this further, or a solution ?
Thanks.
Are you certain the cert didn’t expire? See this blog post from let’s encrypt, given the cert issure does it apply to you?
Anytime someone says something is working and then just stops the next question is: what changed?
certificate signed by unknown authority
This usually means you do not have the cert to verify the authority on your system.
I was running a previous version of telegraf and there was a similar error. That’s why I upgraded.
There are a few differences though. With that version I got valid dns-names.
Yes newer versions of Telegraf may come with new features. As you are seeing the dns names is something newer versions have.
I’m not sure, but around the time things broke, the certs were renewed, but also telegraf was updated.
The certs are (AFAIK) valid :
certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: mailbox.de-brouwerij.be
Domains: cloudlaarne.de-brouwerij.be genea.de-brouwerij.be logo.de-brouwerij.be mailbox.de-brouwerij.be
Expiry Date: 2023-08-28 20:47:14+00:00 (VALID: 81 days)
Certificate Path: /etc/letsencrypt/live/mailbox.de-brouwerij.be/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mailbox.de-brouwerij.be/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
What do you mean with
Do I need to import some cert ? I don’t remember doing this before.
This is why I linked to that post above. You certificate is signed with the DST Root CA X3 CA. That CA is now expired. Updates to your OS may have removed that certificate from your system’s certificate store. Therefore, when telegraf tries to verify the certificate it cannot find the authority cert.
I would see if that certificate is on your system first. If not, that is clearly why you are getting an unknown authority error.
When the certs are updated by certbot, I would expect them to be signed with the latest keys. So I don’t know where that X3 comes from.
But then again, when I verify the cert with my browser, all is fine, no complaints.
I used SSL Checker - Check SSL Certificate and that checks OK.
Also https://www.digicert.com/help/ checks OK.
So why does telegraf complain, while others don’t ?
In the post you link to, they say :
What should you do? For most people, nothing at all! We’ve set up our certificate issuance so your web site will do the right thing in most cases, favoring broad compatibility.
So what’s happening ? Am I doing something special without me knowning it ?
I’ve already answered this by telling you to go look and ensure your system, not some online tool, includes the DST Root CA X3 CA.
