Whichever way you installed Percona Monitoring and Management 2 (PMM2), using the Docker image or an OVF image for your supported virtualized environment, PMM2 enables two ports for web connections by default: 80 for HTTP and 443 for HTTPS. With HTTPS, certificates are required to encrypt the connection for better security.
All the installation images contain self-signed certificates already configured, so every PMM2 deployment should work properly when using HTTPS.
This is convenient, but sometimes self-signed certificates are not permitted by the security policy adopted by your company. If your company uses a Certification Authority (CA) to sign certificates and keys, you are most probably required to use the files provided by the CA for all your services, including PMM2 monitoring.
In this article, we’ll show how to use your custom certificates to enable HTTPS connections to PMM2, according to your security policy.
If PMM Server is running as a Docker container, use docker cp to copy the certificates. This example copies the certificate files from the current working directory into a running PMM Server Docker container:
    docker cp certificate.crt pmm-server:/srv/nginx/certificate.crt
    docker cp certificate.key pmm-server:/srv/nginx/certificate.key
    docker cp ca-certs.pem pmm-server:/srv/nginx/ca-certs.pem
    docker cp dhparam.pem pmm-server:/srv/nginx/dhparam.pem
If you have not deployed the container yet, you can instead mount a directory with your own certificates in place of the built-in ones. Suppose your certificates are in /etc/pmm-certs:
    docker run -d -p 443:443 --volumes-from pmm-data \
      --name pmm-server -v /etc/pmm-certs:/srv/nginx \
      --restart always percona/pmm-server:2
The files in that directory must be named certificate.crt, certificate.key, ca-certs.pem and dhparam.pem.
If PMM Server was deployed from the OVF image, you need to connect to the virtual machine and replace the certificate files in /srv/nginx:
    $> ssh root@pmm2.mydomain.com
Copy your certificate files into the /srv/nginx directory. The files must be named certificate.crt, certificate.key, ca-certs.pem and dhparam.pem.
Alternatively, keep your own file names and point nginx at them in /etc/nginx/conf.d/pmm.conf. The following directives must be set:

    ssl_certificate /srv/nginx/my_custom_certificate.crt;
    ssl_certificate_key /srv/nginx/my_custom_certificate.key;
    ssl_trusted_certificate /srv/nginx/my_custom_ca_certs.pem;
    ssl_dhparam /srv/nginx/my_dhparam.pem;
Finally, restart nginx so that the new certificates are loaded:

    [root@pmm2]> supervisorctl restart nginx
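Whichever deployment you use, a typo in the file names, a key that does not belong to the certificate, or a certificate that has already expired will leave nginx unable to start after the restart, and PMM2 unreachable over HTTPS. The following script is an added example, not Percona's code or part of the PMM2 image: it runs those pre-flight checks on a local directory holding the four files, and only then copies them into the container and restarts nginx. It assumes openssl on the PATH, a running container named pmm-server (as above), that supervisorctl is reachable through docker exec in the PMM2 image, and that ca-certs.pem contains the full CA chain for certificate.crt; the function and variable names are the author's own.

```shell
#!/bin/sh
# Pre-flight checks for PMM2 custom certificates (added example, not Percona's code).
# Assumptions: DIR holds the four files PMM2 expects in /srv/nginx, openssl is on
# the PATH, and install_pmm_certs targets a running container named pmm-server.

PMM_CERT_FILES="certificate.crt certificate.key ca-certs.pem dhparam.pem"

# check_cert_dir DIR: all four files must exist under the exact names nginx expects.
check_cert_dir() {
    cert_dir=$1
    missing=0
    for f in $PMM_CERT_FILES; do
        if [ ! -r "$cert_dir/$f" ]; then
            echo "missing or unreadable: $cert_dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# check_key_matches_cert CRT KEY: compare the public key embedded in the certificate
# with the public key derived from the private key. A mismatch is the classic cause
# of "SSL_CTX_use_PrivateKey_file() failed" when nginx restarts.
check_key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# check_cert_valid CRT [DAYS]: fail if the certificate expires within DAYS days
# (default 30), so a renewal that is already overdue is caught before deployment.
check_cert_valid() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# check_cert_chain CRT CAFILE: the certificate must chain to the CAs in ca-certs.pem
# (assumed here to include the root), which nginx uses as ssl_trusted_certificate.
check_cert_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_dhparam PEM [MINBITS]: reject DH groups smaller than MINBITS (default 2048).
check_dhparam() {
    bits=$(openssl dhparam -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*DH Parameters: (\([0-9]*\) bit).*/\1/p')
    [ -n "$bits" ] && [ "$bits" -ge "${2:-2048}" ]
}

# run_all_checks DIR: run every check; returns non-zero on the first failure.
run_all_checks() {
    d=$1
    check_cert_dir "$d" || return 1
    check_key_matches_cert "$d/certificate.crt" "$d/certificate.key" \
        || { echo "certificate.key does not match certificate.crt" >&2; return 1; }
    check_cert_valid "$d/certificate.crt" 30 \
        || { echo "certificate.crt is expired or expires within 30 days" >&2; return 1; }
    check_cert_chain "$d/certificate.crt" "$d/ca-certs.pem" \
        || { echo "certificate.crt does not chain to ca-certs.pem" >&2; return 1; }
    check_dhparam "$d/dhparam.pem" 2048 \
        || { echo "dhparam.pem is missing or smaller than 2048 bits" >&2; return 1; }
}

# install_pmm_certs DIR [CONTAINER]: copy the checked files into the container
# (same docker cp commands as the procedure above) and restart nginx.
install_pmm_certs() {
    d=$1
    container=${2:-pmm-server}
    run_all_checks "$d" || return 1
    for f in $PMM_CERT_FILES; do
        docker cp "$d/$f" "$container:/srv/nginx/$f" || return 1
    done
    # Assumption: supervisord manages nginx inside the PMM2 container, as on the OVF VM.
    docker exec "$container" supervisorctl restart nginx
}

# Usage: . ./pmm-cert-check.sh; install_pmm_certs /etc/pmm-certs pmm-server
```

For the OVF deployment the same run_all_checks function can be used directly on /srv/nginx before running supervisorctl restart nginx; only install_pmm_certs is Docker-specific.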
Percona Monitoring and Management is widely used for monitoring MySQL, ProxySQL, MongoDB, PostgreSQL, and operating systems. Setting up custom certificates for connection encryption, according to the security policy adopted by your company, is quite simple. You can rely on PMM2 for troubleshooting your environments in a secure way.
Take a look at the demo site: https://pmmdemo.percona.com