Use self-signed certificate with Node Exporter and Prometheus

Go to the directory where Node Exporter is installed:

cd /etc/node_exporter
Generate a self-signed certificate and key in that directory:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
-keyout node_exporter.key -out node_exporter.crt \
-subj "/C=US/ST=California/L=Oakland/O=MyOrg/CN=localhost" \
-addext "subjectAltName = DNS:localhost"
Add to config.yml:
tls_server_config:
  cert_file: node_exporter.crt
  key_file: node_exporter.key
If config.yml was not previously present, you need to point Node Exporter at it in the systemd service file /etc/systemd/system/node_exporter.service:
...
ExecStart=/usr/local/bin/node_exporter --web.config.file=/etc/node_exporter/config.yml
...
And then daemon-reload and restart the service:
systemctl daemon-reload
systemctl restart node_exporter
Check the status and output of:
systemctl status node_exporter
You should have something like this:
TLS is enabled
Test. Because the certificate is self-signed, it is not trusted by curl, so the -k option should be passed:
curl -k https://localhost:9100/metrics
Next, copy node_exporter.crt to the Prometheus server:
scp /etc/node_exporter/node_exporter.crt prometheus@domain.tld:/etc/prometheus/
And modify /etc/prometheus/prometheus.yml:
...
scrape_configs:
- job_name: "node"
  scheme: https
  tls_config:
    ca_file: /etc/prometheus/node_exporter.crt
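    insecure_skip_verify: true # turns off certificate verification (ca_file is then not enforced); needed here because the SAN is only DNS:localhost, not the target IP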
  static_configs:
  - targets: ["10.10.10.10:9100"]
...
Restart Prometheus:
systemctl restart prometheus
Open the Prometheus GUI and check Status -> Targets; the target should be UP and use https.
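
The certificate generated above lists only DNS:localhost in its SAN, while Prometheus scrapes 10.10.10.10, so a verifying client sees a name mismatch. The script below is an added example, not part of the original page: it checks whether a certificate's SAN covers a scrape target. The function names and the second certificate with an IP SAN are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Sample certificates are constructed
# in a temp directory; 10.10.10.10 is the scrape target from the page's config.

# make_cert DIR NAME SAN: self-signed cert using the page's openssl options.
make_cert() {
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 \
    -keyout "$1/$2.key" -out "$1/$2.crt" \
    -subj "/C=US/ST=California/L=Oakland/O=MyOrg/CN=localhost" \
    -addext "subjectAltName = $3" 2>/dev/null
}

# cert_covers CERT TARGET: succeeds if a SAN entry matches TARGET (no port).
# openssl x509 reports the result as text and exits 0 either way, so the
# function greps for the positive message.
cert_covers() {
  case "$2" in
    *:*)       cc_flag=-checkip ;;    # IPv6 literal
    *[!0-9.]*) cc_flag=-checkhost ;;  # contains non-digit/dot characters: DNS name
    *)         cc_flag=-checkip ;;    # dotted IPv4
  esac
  openssl x509 -in "$1" -noout "$cc_flag" "$2" | grep -q 'does match certificate'
}

# demo: compare the page's SAN with one that also lists the target IP.
demo() {
  dir=$(mktemp -d) || return 1
  make_cert "$dir" page  "DNS:localhost"
  make_cert "$dir" fixed "DNS:localhost,IP:10.10.10.10"
  for cert in page fixed; do
    for target in localhost 10.10.10.10; do
      if cert_covers "$dir/$cert.crt" "$target"; then
        result="match: verification can stay on"
      else
        result="mismatch: a verifying client rejects this target"
      fi
      printf '%-5s %-12s %s\n' "$cert" "$target" "$result"
    done
  done
  rm -rf "$dir"
}

demo
```

Once the SAN lists the target address, or tls_config sets server_name: localhost to match the existing certificate, insecure_skip_verify can be removed and ca_file then pins the exporter's certificate.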