PMM External Check - tls-skip-verify #4562

@jhisc

Description

pmm-admin --tls-skip-verify does not work as intended (or documented)

Despite the debug logs showing that "tls_skip_verify":true when calling /v1/management/services, a TLS verify error is still returned.

Service is not added, despite this value being set.

Expected Results

Service would be added as an external HTTPS metric source

Actual Results

Error:

Connection check failed: Get "https://127.0.0.1:443/metrics": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.

Version

# pmm-admin --version
ProjectName: pmm-admin
Version: 3.4.0
PMMVersion: 3.4.0
Timestamp: 2025-09-08 08:22:32 (UTC)
FullCommit: a836d65977de0f9fc25d7af6879509bc3583e2c3

Steps to reproduce

Execute:
pmm-admin add external --server-insecure-tls --listen-port=443 --scheme=https --tls-skip-verify --service-name=$(hostname)-extrernal --debug

Relevant logs

Debug logs (abbreviated for simplicity):

pmm-admin add external --server-insecure-tls --listen-port=443 --scheme=https --tls-skip-verify --service-name=$(hostname)-monitor --debug
DEBUG 2025-09-25 12:15:25.9801918Z: POST /local/Status HTTP/1.1
Host: 127.0.0.1:7777
User-Agent: Go-http-client/1.1
Content-Length: 3
Accept: application/json
Content-Type: application/json
Accept-Encoding: gzip

{}

...

DEBUG 2025-09-25 12:15:25.983165329Z: POST /v1/management/services HTTP/1.1
Host: pmm3.us-logs-prod.azure.lnrsg.io:443
User-Agent: Go-http-client/1.1
Content-Length: 281
Accept: application/json
Authorization: Bearer glsa_a6I4oq2axuqguh7CzYR3PFF2qjGupzJG_f9709b49
Content-Type: application/json
Accept-Encoding: gzip

{"external":{"runs_on_node_id":"f3ca935b-122d-4f6a-8afd-9e5964c4f942","service_name":"bsweb-dev-eastus-rw-01-monitor","scheme":"https","listen_port":443,"node_id":"f3ca935b-122d-4f6a-8afd-9e5964c4f942","group":"external","metrics_mode":"METRICS_MODE_AUTO","tls_skip_verify":true}}



DEBUG 2025-09-25 12:15:26.027234729Z: HTTP/1.1 400 Bad Request
Content-Length: 436
Connection: keep-alive
Content-Type: application/json
Date: Thu, 25 Sep 2025 12:15:26 GMT
Strict-Transport-Security: max-age=31536000; includeSubDomains

{
  "error": "Connection check failed: Get \"https://127.0.0.1:443/metrics\": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.",
  "code": 9,
  "message": "Connection check failed: Get \"https://127.0.0.1:443/metrics\": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.",
  "details": []
}
DEBUG 2025-09-25 12:15:26.027296936Z: Result: <nil>                               
DEBUG 2025-09-25 12:15:26.027314088Z: Error: &management_service.AddServiceDefault{_statusCode:400, Payload:(*management_service.AddServiceDefaultBody)(0xc00047b6e0)}
Connection check failed: Get "https://127.0.0.1:443/metrics": tls: failed to verify certificate: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs.

Code of Conduct

  • I agree to follow Percona Community Code of Conduct

Labels

bug (Bug report)
