Whichever way you installed Percona Monitoring and Management 2 (PMM2), using the docker image or an OVF image for your supported virtualized environment, PMM2 enables, by default, two ports for the web connections: 80 for HTTP and 443 for HTTPS. Using HTTPS certificates are requested for encrypting the connection for better security.
All the installation images contain self-signed certificates already configured, so every PMM2 deployment should work properly when using HTTPS.
This is cool, but sometimes self-signed certificates are not permitted, based on the security policy adopted by your company. If your company uses a Certification Authority to sign certificates and keys for encryption, most probably you are forced to use the files provided by the CA for all your services, even for PMM2 monitoring.
In this article, we’ll show how to use your custom certificates to enable HTTPS connections to PMM2, according to your security policy.
PMM2 Deployed as a Docker Image
If PMM Server is running as a Docker image, use docker cp to copy certificates. This example copies certificate files from the current working directory to a running PMM Server docker container.
1 2 3 4 | docker cp certificate.crt pmm-server:/srv/nginx/certificate.crt docker cp certificate.key pmm-server:/srv/nginx/certificate.key docker cp ca-certs.pem pmm-server:/srv/nginx/ca-certs.pem docker cp dhparam.pem pmm-server:/srv/nginx/dhparam.pem |
If you’re going to deploy the container, you can use the following to use your own certificates instead of the built-in ones. Let’s suppose your certificates are in /etc/pmm-certs:
1 2 3 | docker run -d -p 443:443 --volumes-from pmm-data \ --name pmm-server -v /etc/pmm-certs:/srv/nginx \ --restart always percona/pmm-server:2 |
- The certificates must be owned by root.
- The mounted certificate directory must contain the files
certificate.crt,certificate.key,ca-certs.pemanddhparam.pem. - For SSL encryption, the container must publish on port 443 instead of 80.
PMM2 Deployed Using a Virtual Appliance Image
In such cases, you need to connect to the virtual machine and replace the certificate files in /srv/nginx:
- connect to the virtual machine1$> ssh root@pmm2.mydomain.com
- place CA, certificate, and key files into the
/srv/nginxdirectory. The file must be namedcertificate.crt,certificate.key,ca-certs.pemanddhparam.pem - if you would like to use different file names you can modify the nginx configuration file
/etc/nginx/conf.d/pmm.conf. The following variables must be set:1234ssl_certificate /srv/nginx/my_custom_certificate.crt;ssl_certificate_key /srv/nginx/my_custom_certificate.key;ssl_trusted_certificate /srv/nginx/my_custom_ca_certs.pem;ssl_dhparam /srv/nginx/my_dhparam.pem - restart nginx1[root@pmm2]> supervisorctl restart nginx
Conclusion
Percona Monitoring and Management is widely used for monitoring MySQL, Proxysql, MongoDB, PostgreSQL, and OSes. Setting up customer certificates for the connection encryption, according to the security policy adopted by your company, is quite simple. You can rely on PMM2 for troubleshooting your environments in a secure way.
Take a look at the demo site: https://pmmdemo.percona.com
