Add SSL to Prometheus Reverse Proxy
Description
We will now add transport encryption to the Prometheus web user interface.
Since I have already set up the domain name, I can get a free certificate using Certbot.
Certbot will install a Let's Encrypt SSL certificate for free.
Ensure your domain name has propagated before running Certbot.
Your domain and IP will be different from mine, and note that it may take some time for the DNS record to propagate across the internet.
On my server, I will run:
sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Now we can run Certbot.
sudo certbot --nginx
Follow the prompts and select the domain name you want to secure.
Next, open the Nginx Prometheus config file we created earlier to see the changes Certbot made.
sudo nano /etc/nginx/sites-enabled/prometheus
Prometheus 2.31 and Ubuntu 22.04 Notes
At the time of writing this update message, the Certbot website didn't provide instructions for installing Certbot on Ubuntu 22.04 LTS.
You can use the instructions provided on the Certbot website in the dropdown for Ubuntu 20 instead.
There are several extra commands to run during the installation. I have updated the information above.
Note that Certbot will create a cron job or systemd timer to auto-renew your certificate when it is about to expire. The Certbot servers will externally poll your server using the domain name you've created the certificate for, and verify that it still resolves to the same IP address. This will make a request to your domain using port 80. If you are using a firewall on your server and have blocked port 80, the auto-renewal will fail. You will need to renew manually and temporarily allow incoming traffic on port 80 so that the Certbot servers, wherever they are on the internet, can reach your server's address on port 80.
sudo certbot renew
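If auto-renewal fails silently, for example because port 80 is blocked as described above, the first visible symptom is a served certificate that has run past Certbot's default 30-day renewal window. The check below is an added example, not part of the original lesson; the hostname prometheus.example.com and the 21-day alert threshold are assumptions.

```python
"""Added example: flag a Prometheus proxy certificate that Certbot has failed to renew."""
import socket
import ssl
import sys
from datetime import datetime, timezone

# Certbot renews once a certificate is within 30 days of expiry, so a served
# certificate with fewer days left than this means renewal has been failing.
WARN_DAYS = 21  # assumption: alert threshold chosen for this example


def days_remaining(not_after: str, now: datetime) -> int:
    """Whole days between `now` and a notAfter string as returned by getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days


def classify(days: int, warn_days: int = WARN_DAYS) -> str:
    """Map days left to a state a cron job or monitoring probe can act on."""
    if days < 0:
        return "EXPIRED"
    if days < warn_days:
        return "RENEWAL_OVERDUE"
    return "OK"


def served_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch the notAfter field of the certificate Nginx presents for `host`."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Placeholder hostname; pass your own domain as the first argument.
    host = sys.argv[1] if len(sys.argv) > 1 else "prometheus.example.com"
    try:
        left = days_remaining(served_not_after(host), datetime.now(timezone.utc))
        state = classify(left)
    except ssl.SSLCertVerificationError as exc:
        # An already expired certificate fails verification before it can be read.
        left, state = None, f"EXPIRED_OR_INVALID ({exc.verify_message})"
    print(f"{host}: {state}, days left: {left}")
    sys.exit(0 if state == "OK" else 1)
```

A non-zero exit status means the certificate needs attention, so the script can be run from cron or wrapped by a monitoring probe.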