0

I'm trying to configure a Prometheus node exporter with HTTPS using the website certificates generated by Let's Encrypt.

There are certificates with the default Let's Encrypt permissions.

But I have this error with the node exporter service, which uses the user 'node_exporter': failed to load X509KeyPair: open /etc/letsencrypt/live/xxx/fullchain.pem

The unit service:

[Unit]
Description=Node Exporter
Wants=network-online.target
After=network-online.target

[Service]
User=node_exporter
Group=node_exporter
Type=simple
ExecStart=/opt/node_exporter/node_exporter --web.config.file=/opt/node_exporter/configuration.yml

[Install]
WantedBy=multi-user.target

Has anyone already managed to use Let's Encrypt certificates to activate node_exporter in HTTPS mode?

Thank you in advance for your help.

1
  • It sounds like it's just a permissions issue (or the path is wrong). As the node_exporter user, can you access that certificate? What happens if you run sudo -u node_exporter cat /etc/letsencrypt/live/xxx/fullchain.pem?
    – larsks
    Dec 2 at 15:42

1 Answer

3

Both the directory /etc/letsencrypt/archive containing the keys & the certificates and the directory /etc/letsencrypt/live containing the symbolic links to the current certificate & key are only readable by the user root (drwx------ root:root). The services that can use those certificates have a process running as root that forks processes as an unprivileged user.

You could copy the certificate & key to somewhere the user node_exporter is able to read them from. It would be best to do this in the renewal post-hook to keep it up-to-date. Also ensure that Node Exporter is either able to reload the updated files or make it reload/restart after the certificate has been renewed.

1
  • This works, thank you!
    – Zack
    2 days ago
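
The copy-on-renewal approach from the answer, as an added example that is not part of the original answer: it is written here as a certbot deploy hook, which certbot runs only after a successful renewal with RENEWED_LINEAGE pointing at the live/ directory. The destination directory, hook file name and unit name are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook. Assumed install path:
#   /etc/letsencrypt/renewal-hooks/deploy/node-exporter.sh
# certbot sets RENEWED_LINEAGE to the renewed /etc/letsencrypt/live/<name> dir.

DEST_DIR=/opt/node_exporter/tls   # assumed copy location (not from the post)
SVC_GROUP=node_exporter           # Group= from the unit file in the question
SVC_UNIT=node_exporter.service    # assumed unit name

# copy_cert_pair SRC DEST [GROUP]
# Copies fullchain.pem and privkey.pem out of SRC (following the live/ symlinks)
# into DEST. With GROUP set, DEST is 0750 and the files 0640, group-owned by
# GROUP; without it they stay owner-only. Nothing is ever world-readable.
copy_cert_pair() (
    src=$1; dest=$2; group=${3:-}
    umask 077
    # Refuse to start unless both halves of the pair are present.
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || exit 1
    mkdir -p "$dest" || exit 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dest" && chmod 0750 "$dest" || exit 1
    fi
    for f in fullchain.pem privkey.pem; do
        tmp=$(mktemp "$dest/.$f.XXXXXX") || exit 1     # created 0600
        cat "$src/$f" > "$tmp" || { rm -f "$tmp"; exit 1; }
        if [ -n "$group" ]; then
            chgrp "$group" "$tmp" && chmod 0640 "$tmp" || { rm -f "$tmp"; exit 1; }
        fi
        # rename within DEST is atomic, so a reader never sees a partial file
        mv -f "$tmp" "$dest/$f" || { rm -f "$tmp"; exit 1; }
    done
)

# Only act when certbot invoked us; sourcing the file has no side effects.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_cert_pair "$RENEWED_LINEAGE" "$DEST_DIR" "$SVC_GROUP" &&
        systemctl restart "$SVC_UNIT"
fi
```

The cert_file and key_file entries under tls_server_config in /opt/node_exporter/configuration.yml then have to point at the copies in the destination directory rather than at /etc/letsencrypt/live.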
