As of 1.0, the node exporter has experimental support for TLS. This can be hooked up to Letsencrypt.

The TLS feature of the node exporter doesn't have any in-built support for Letsencrypt or any other way to renew certificates itself. Instead what it does is that if the certificate files change on disk then it will automatically start using them. Thus by using certbot to automatically renew your certificates, the node exporter can use Letsencrypt certs. I'll now demonstrate.

Firstly certbot needs to be installed. I happen to be on an Ubuntu machine, so the instructions are:

apt-get update
apt-get install software-properties-common
add-apt-repository universe
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install certbot

You can find the instructions for your setup on the certbot website. Then we need to setup our certificates by running:

certbot certonly --webroot

If you already have a server running on port 80, you'll need to use --standalone instead and tell certbot where it is serving off on the filesystem. In either case, certbot will ask for the domain name of the server, which you will need to have already setup in DNS.

If that all works you will get output including:

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:


Now we can download, setup, and run the node exporter, adjusting the domain as needed:
tar -xzf node_exporter*.tar.gz
cd node_exporter*amd64
cat <<EOF > web_config.yml
  cert_file: /etc/letsencrypt/live/$DOMAIN/fullchain.pem
  key_file: /etc/letsencrypt/live/$DOMAIN/privkey.pem
./node_exporter --web.config web_config.yml

If you visit https://$DOMAIN:9100 you should be able to access the node exporter over TLS. Don't forget that when scraping with Prometheus that you'll need to specify scheme: https.

The Ubuntu packages will have setup a cronjob to automatically renew your certificates, so there's no need for you to do so yourself. Adding some monitoring may not be the worst of ideas though.


Need help securing Prometheus? Contact us.