[BUG] Cannot run `healthcheck` with `wget` for `postgres-exporter` when running with TLS

[pasquale95]

Bug description

Hi,
I open this bug as sibling of the very same bug I opened for node-exporter (prometheus/node_exporter#3496).

As stated also there, I'm trying to run a Postgres Exporter server with TLS using prometheuscommunity/postgres-exporter:latest.
postgres-exporter works just fine with TLS passing the necessary configuration through the --web.config.file option. The problem is instead setting the healthcheck command, where I use wget.

Unfortunately the image uses a Busybox version (busybox:1.36.1) which is well-known to have a faulty wget, which doesn't implement TLS verification correctly (see docker-library/busybox#162).
The result is that the healthcheck command:

# postgres_exporter runs on port 2110
wget -q --spider --no-check-certificate https://localhost:2110/metrics

fails with the message:

wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

This error has been solved with busybox:1.37. So, I would encourage to update quay.io/prometheus/busybox-${OS}-${ARCH}:latest to use this version and provide a newer prometheuscommunity/postgres-exporter:latest image.

What did you do?

Tried to run Postgres Exporter with TLS and set a valid healthcheck command.

What did you expect to see?

The healthcheck run with wget -q --spider --no-check-certificate https://localhost:9116/metrics to succeed.

What did you see instead? Under which circumstances?

The healthcheck command fails:

wget: TLS error from peer (alert code 40): handshake failure
wget: error getting response: Connection reset by peer

Environment

• System information:

uname -srm
Linux 5.14.0-611.7.1.el9_7.x86_64 x86_64

• postgres_exporter version:

/ # postgres_exporter --version
postgres_exporter, version 0.18.1 (branch: HEAD, revision: 320b684f3dcd3f09b6e694e43f9b389b1a8199e5)
  build user:       root@83cf77f7d3ab
  build date:       20250929-17:16:35
  go version:       go1.24.7
  platform:         linux/amd64
  tags:             unknown

• postgres_exporter flags:

--web.listen-address=:2110,
--config.file=/var/config/postgres_exporter.yaml
--web.config.file=/var/config/web-config.yaml

• Logs:

2025/12/02 11:00:37 http: TLS handshake error from 127.0.0.1:41508: tls: invalid ClientKeyExchange message

[weidongkl]

I tested the wget command in quay.io/prometheus/busybox-linux-amd64:latest and it works fine. The issue exists with the wget in the prometheuscommunity/postgres-exporter:latest . This might be caused by Docker using cached images during the build process.

[weidongkl]

Perhaps the docker build command in the Makefile should use the --no-cache and --pull flags.