prometheus/blackbox_exporter

unknown cipher: TLS_RSA_WITH_AES_128_CBC_SHA

wcollin opened this issue · 1 comment

Host operating system: centos9 arm64

blackbox_exporter version: v0.25.0

What is the prometheus.yml scrape config?

  - job_name: 'blackbox-exporter'
    scheme: 'https'
    tls_config:
      ca_file: /etc/prometheus/certs/ca.crt
      cert_file: /etc/prometheus/certs/server.crt
      key_file: /etc/prometheus/certs/server.key
      insecure_skip_verify: true
    static_configs:
      - targets: ['blackbox-exporter:9115']

web-config.yml

tls_server_config:
  cert_file: /etc/prometheus/certs/server.crt
  key_file: /etc/prometheus/certs/server.key
  cipher_suites:
    - TLS_RSA_WITH_AES_128_CBC_SHA
    - TLS_RSA_WITH_AES_256_CBC_SHA
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_AES_128_GCM_SHA256
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256

http_server_config:
  http2: false
  headers:
    Content-Security-Policy: "default-src 'self' 'unsafe-inline'; img-src 'self' data:;"
    X-Frame-Options: "sameorigin"
    X-Content-Type-Options: "nosniff"
    X-XSS-Protection: "1; mode=block"
    Strict-Transport-Security: "max-age=31536000; includeSubDomains; preload"

Error:

ts=2024-04-15T06:12:05.533Z caller=main.go:87 level=info msg="Starting blackbox_exporter" version="(version=0.25.0, branch=HEAD, revision=ef3ff4fef195333fb8ee0039fb487b2f5007908f)"
ts=2024-04-15T06:12:05.533Z caller=main.go:88 level=info build_context="(go=go1.22.2, platform=linux/arm64, user=root@9b6755681f2e, date=20240409-12:52:48, tags=unknown)"
ts=2024-04-15T06:12:05.534Z caller=main.go:100 level=info msg="Loaded config file"
ts=2024-04-15T06:12:05.534Z caller=tls_config.go:313 level=info msg="Listening on" address=[::]:9115
ts=2024-04-15T06:12:05.534Z caller=main.go:274 level=error msg="Error starting HTTP server" err="unknown cipher: TLS_RSA_WITH_AES_128_CBC_SHA"

That is no longer a supported cipher due to insecurity.

It appears you are just listing all ciphers; it would be easier if you simply removed all of them from your configuration.
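As an added worked example (not code from the issue, the reporter, or the blackbox_exporter project), the Go program below checks every cipher_suites entry from the posted web-config.yml against the two lists Go's crypto/tls exposes, tls.CipherSuites() and tls.InsecureCipherSuites(). The web-config loader in the exporter-toolkit, which blackbox_exporter uses, accepts only names found in tls.CipherSuites() and reports anything else as "unknown cipher", so the check below reproduces that behaviour for illustration; the classify, acceptedSuites and tls13Suites functions are names chosen for this example, and the cipher list is copied from the issue as sample input. Which suites are rejected depends on the Go version the binary is built with: the log above shows go1.22.2, where the TLS_RSA_* key-exchange suites are no longer in tls.CipherSuites(), which is exactly why the posted config fails to load.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"runtime"
)

// postedSuites is the cipher_suites list from the web-config.yml posted in the
// issue, copied here as sample input for the check below.
var postedSuites = []string{
	"TLS_RSA_WITH_AES_128_CBC_SHA",
	"TLS_RSA_WITH_AES_256_CBC_SHA",
	"TLS_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
	"TLS_AES_128_GCM_SHA256",
	"TLS_AES_256_GCM_SHA384",
	"TLS_CHACHA20_POLY1305_SHA256",
}

// classify reports how the running Go version's crypto/tls sees a cipher-suite
// name: "supported" if it appears in tls.CipherSuites(), "insecure" if it only
// appears in tls.InsecureCipherSuites(), and "unknown" if Go does not implement
// it at all. The exporter-toolkit web-config loader matches names against
// tls.CipherSuites() only, so both "insecure" and "unknown" surface to the user
// as "unknown cipher: <name>". (Helper written for this example, not the
// toolkit's own code.)
func classify(name string) string {
	for _, cs := range tls.CipherSuites() {
		if cs.Name == name {
			return "supported"
		}
	}
	for _, cs := range tls.InsecureCipherSuites() {
		if cs.Name == name {
			return "insecure"
		}
	}
	return "unknown"
}

// acceptedSuites splits a cipher_suites list into the entries the web-config
// validation would accept and those it would reject, keeping the original order.
func acceptedSuites(names []string) (accepted, rejected []string) {
	for _, n := range names {
		if classify(n) == "supported" {
			accepted = append(accepted, n)
		} else {
			rejected = append(rejected, n)
		}
	}
	return accepted, rejected
}

// tls13Suites returns the TLS 1.3-only entries in a list. Go accepts these names
// in a cipher_suites list but ignores them: TLS 1.3 suites are not configurable.
func tls13Suites(names []string) []string {
	var out []string
	for _, n := range names {
		for _, cs := range tls.CipherSuites() {
			if cs.Name == n && len(cs.SupportedVersions) == 1 && cs.SupportedVersions[0] == tls.VersionTLS13 {
				out = append(out, n)
			}
		}
	}
	return out
}

func main() {
	accepted, rejected := acceptedSuites(postedSuites)
	fmt.Printf("%s: %d of %d cipher_suites entries accepted\n", runtime.Version(), len(accepted), len(postedSuites))
	for _, n := range rejected {
		fmt.Printf("  would fail with \"unknown cipher: %s\" (%s)\n", n, classify(n))
	}
	for _, n := range tls13Suites(accepted) {
		fmt.Printf("  %s is accepted but has no effect (TLS 1.3 suites are not configurable)\n", n)
	}
}
```

Dropping the cipher_suites key from web-config.yml entirely, as suggested in the reply above, lets Go negotiate from its own default set, which already excludes the RSA key-exchange suites and keeps the ECDHE and TLS 1.3 ones. Separately, the scrape job in the issue sets insecure_skip_verify: true next to ca_file; with that flag on, Prometheus does not verify the exporter's certificate at all, so the ca_file provides no protection on that connection.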