Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support self-signed certificate on outputs #29229

Merged
merged 7 commits into from
Dec 6, 2021

Conversation

belimawr
Copy link
Contributor

@belimawr belimawr commented Dec 1, 2021

What does this PR do?

Adds ssl.ca_trusted_fingerprint option, if set to a HEX fingerprint of a root CA certificate, this certificate is added to
the trusted CAs (as if it was defined on ssl.certificate_authorities), then the SSL validation continues as normal.

This happens during the SSL handshake.

Why is it important?

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
    - [ ] I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Author's Checklist

  • Make sure the UX is correct

How to test this PR locally

  1. Run an Elasticsearch 8.0 Instance with self signed certs
  2. Edit the Elasticsearch output configuration from your beat:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://<your IP address>:9200"]

  username: "elastic"
  password: "<your elastic use password>"
  ssl.ca_trusted_fingerprint: "<ES CA certificate fingerprint>"
  1. Run your Beat

Related issues

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Dec 1, 2021
@mergify
Copy link
Contributor

mergify bot commented Dec 1, 2021

This pull request does not have a backport label. Could you fix it @belimawr? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-v./d./d./d is the label to automatically backport to the 7./d branch. /d is the digit

NOTE: backport-skip has been added to this pull request.

@mergify mergify bot added the backport-skip Skip notification from the automated backport with mergify label Dec 1, 2021
@elasticmachine
Copy link
Collaborator

elasticmachine commented Dec 1, 2021

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS
Pipeline View Test View Changes Artifacts preview preview

Expand to view the summary

Build stats

  • Start Time: 2021-12-06T16:53:37.967+0000

  • Duration: 134 min 1 sec

  • Commit: ddc700a

Test stats 🧪

Test Results
Failed 0
Passed 48589
Skipped 4276
Total 52865

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

To re-run your PR in the CI, just comment with:

  • /test : Re-trigger the build.

  • /package : Generate the packages and run the E2E tests.

  • /beats-tester : Run the installation tests with beats-tester.

  • run elasticsearch-ci/docs : Re-trigger the docs validation. (use unformatted text in the comment!)

@belimawr belimawr force-pushed the ca_sha256-option branch 2 times, most recently from 4a0a2e7 to 5ec967d Compare December 1, 2021 19:24
@belimawr belimawr changed the title wip [WIP] Support ES self-signed certificate fingerprint Dec 3, 2021
@belimawr belimawr added backport-v8.0.0 Automated backport with mergify Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team labels Dec 3, 2021
@elasticmachine
Copy link
Collaborator

Pinging @elastic/elastic-agent-data-plane (Team:Elastic-Agent-Data-Plane)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Dec 3, 2021
@mergify mergify bot removed the backport-skip Skip notification from the automated backport with mergify label Dec 3, 2021
@belimawr belimawr requested review from a team as code owners December 6, 2021 11:40
@belimawr belimawr changed the title [WIP] Support ES self-signed certificate fingerprint Support self-signed certificate on outputs Dec 6, 2021
@kvch
Copy link
Contributor

kvch commented Dec 6, 2021

Please add the new option to the documentation, too: https://github.com/elastic/beats/tree/master/libbeat/docs/shared-ssl-config.asciidoc

@mergify
Copy link
Contributor

mergify bot commented Dec 6, 2021

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b ca_sha256-option upstream/ca_sha256-option
git merge upstream/master
git push upstream ca_sha256-option

@belimawr belimawr requested a review from kvch December 6, 2021 12:59
@belimawr belimawr added the review label Dec 6, 2021
Add a new verification mode to accept ES's self signed certificate.
Verify the fingerprint of the root CA and use it as a trusted CA to do
the normal TLS verification.
When `ssl.es_ca_fingerprint` is set, look for the certificate matching
the fingerprint, validate it's a CA and then add to the list of
trusted CAs. Also pin it.
@belimawr
Copy link
Contributor Author

belimawr commented Dec 6, 2021

rebased onto master, force push.

@belimawr belimawr requested a review from kvch December 6, 2021 16:54
@belimawr belimawr merged commit 191a075 into elastic:master Dec 6, 2021
@belimawr belimawr deleted the ca_sha256-option branch December 6, 2021 19:15
mergify bot pushed a commit that referenced this pull request Dec 6, 2021
Adds ssl.ca_trusted_fingerprint option, if set to the HEX fingerprint of a root CA certificate, this certificate is added to
the trusted CAs (as if it was defined on ssl.certificate_authorities), then the SSL validation continues as normal.

This happens during the SSL handshake.

(cherry picked from commit 191a075)
andrewkroh pushed a commit that referenced this pull request Dec 7, 2021
…9301)

* Support self-signed certificate on outputs (#29229)

Adds ssl.ca_trusted_fingerprint option, if set to the HEX fingerprint of a root CA certificate, this certificate is added to
the trusted CAs (as if it was defined on ssl.certificate_authorities), then the SSL validation continues as normal.

This happens during the SSL handshake.

(cherry picked from commit 191a075)

Co-authored-by: Tiago Queiroz <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport-v8.0.0 Automated backport with mergify enhancement libbeat review Team:Elastic-Agent-Data-Plane Label for the Agent Data Plane team
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants