Go where Node Exporter is installed:
cd /etc/node_exporter
Generate self-signed certificate and key in that directory:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-keyout node_exporter.key -out node_exporter.crt \
-subj "/C=US/ST=California/L=Oakland/O=MyOrg/CN=localhost" \
-addext "subjectAltName = DNS:localhost"
Add to config.yml:
tls_server_config:
cert_file: node_exporter.crt
key_file: node_exporter.key
If config.yml wasn't previously present - you need to add this config to the Node Exporter systemd service file /etc/systemd/system/node_exporter.service:
...
EXecStart=/usr/local/bin/node_exporter --web.config.file=/etc/node_exporter/config.yml
...
And then daemon-reload and restart the service:
systemctl daemon-reload
systemctl restart node_exporter
Check the status and ourput of:
systemctl status node_exporter
You should have something like this:
TLS is enabled
Test. Because the certificate is self-signed, is not trusted by curl, so -k option should be passed:
curl -k https://localhost:9100/metrics
Next, copy node_exporter.crt to Prometheus server:
scp /etc/node_exporter/node_exporter.crt prometheus@domain.tld:/etc/prometheus/
And modify /etc/prometheus/prometheus.yml:
,,,
scrape_configs:
- job_name: "node"
scheme: https
tls_config:
ca_file: /etc/prometheus/node_exporter.crt
insecure_skip_verify: true # only needed for self signed certs
static_configs:
- targets: ["10.10.10.10:9100"]
...
Restart Prometheus:
systemctl restart prometheus
Open Prometheus GUI and check Status -> Targets, it should be UP and with https