Add SSL to Prometheus Reverse Proxy

Description

We will now add transport encryption to the Prometheus web user interface.

Since I have already set up the domain name, I can get a free certificate using Certbot.

Certbot will install a Let's Encrypt SSL certificate for free.

Ensure your domain name has propagated before running Certbot.

Your domain and IP will be different from mine, and note that it may take some time for the DNS record to propagate across the internet.

On my server, I will run:

sudo snap install core; sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot

Now we can run Certbot.

sudo certbot --nginx

Follow the prompts and select the domain name you want to secure.

Next, open the Nginx Prometheus config file we created earlier to see the changes.

sudo nano /etc/nginx/sites-enabled/prometheus

Prometheus 2.31 and Ubuntu 22.04 Notes

At the time of writing this update message, the Certbot website didn't provide instructions for installing Certbot on Ubuntu 22.04 LTS.

You can use the instructions provided on the Certbot website in the dropdown for Ubuntu 20 instead.

There are several extra commands to run during the installation. I have updated the information above.

Note that Certbot will create a cron job or systemd timer to auto-renew your certificate when it is about to expire. The Certbot servers will externally poll your server using the domain name you've created the certificate for, and verify that it still resolves to the same IP address. This will make a request to your domain using port 80. If you are using a firewall on your server and you have blocked port 80, then the auto-renewal will fail. You will need to renew manually, temporarily allowing incoming traffic on port 80 so that the Certbot servers, wherever they are on the internet, can access your server's address on port 80.

sudo certbot renew
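
To check what Certbot changed in the site file, and that the port 80 listener the renewal request needs is still in place, the script below audits the config. It is an added example, not part of the original tutorial; the embedded sample config is constructed, `prometheus.example.com` and the `proxy_pass` target are placeholders, and the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not from the tutorial): audit an Nginx site file for the
# directives Certbot's nginx installer normally writes, plus a port 80 listener.

# Constructed sample of a site file after Certbot has edited it.
# prometheus.example.com and the proxy_pass target are placeholders.
write_sample_conf() {
cat > "$1" <<'EOF'
server {
    server_name prometheus.example.com;
    location / { proxy_pass http://localhost:9090/; }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/prometheus.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/prometheus.example.com/privkey.pem; # managed by Certbot
}
server {
    if ($host = prometheus.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80;
    server_name prometheus.example.com;
    return 404; # managed by Certbot
}
EOF
}

# True if an uncommented line in FILE ($1) matches the ERE in $2.
# Comments are stripped first (a '#' inside a quoted value would be cut too).
has_directive() { sed 's/#.*$//' "$1" | grep -Eq "$2"; }

# Print one line per check; the return status is the number of failed checks.
audit_nginx_tls() {
    conf=$1; problems=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 99; }
    check() { # check DESCRIPTION REGEX
        if has_directive "$conf" "$2"; then echo "ok      $1"
        else echo "MISSING $1"; problems=$((problems + 1)); fi
    }
    check "HTTPS listener (listen 443 ssl)" \
        '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?443[[:space:]]+ssl([[:space:];]|$)'
    check "ssl_certificate" '^[[:space:]]*ssl_certificate[[:space:]]+[^;]+;'
    check "ssl_certificate_key" '^[[:space:]]*ssl_certificate_key[[:space:]]+[^;]+;'
    check "HTTP to HTTPS redirect" 'return[[:space:]]+30[1278][[:space:]]+https://'
    check "port 80 listener kept for renewal" \
        '^[[:space:]]*listen[[:space:]]+([^;[:space:]]*:)?80([[:space:];]|$)'
    return "$problems"
}

# Usage: ./audit.sh /etc/nginx/sites-enabled/prometheus
if [ -n "${1:-}" ]; then audit_nginx_tls "$1"; fi
```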
