Skip to content

Panic when using TLS configuration (Go 1.7.4)#15

Merged
christiangalsterer merged 3 commits intochristiangalsterer:masterfrom
MarkSonghurst:master
Jan 11, 2017
Merged

Panic when using TLS configuration (Go 1.7.4)#15
christiangalsterer merged 3 commits intochristiangalsterer:masterfrom
MarkSonghurst:master

Conversation

@MarkSonghurst
Copy link
Contributor

@MarkSonghurst MarkSonghurst commented Jan 11, 2017

I would get a panic if I attempted to use any TLS related configuration when building httpbeats on Go 1.7.4
I'm slightly unsure how the function poller.go convertTLSConfig() could have ever worked, maybe something got tightened up in Go 1.7.4

@christiangalsterer
Copy link
Owner

christiangalsterer commented Jan 11, 2017

Thanks for the contribution. Will look into it the next days/weekend.

@christiangalsterer christiangalsterer merged commit 71d259e into christiangalsterer:master Jan 11, 2017
@MarkSonghurst
Copy link
Contributor Author

MarkSonghurst commented Jan 12, 2017
edited
Loading

Can we get a new release/build please?
Having the prebuilt RPM is great - thanks.

@christiangalsterer
Copy link
Owner

christiangalsterer commented Jan 12, 2017

I will look into another item #14 on the weekend and depending on the outcome I will cut a release on the weekend.

@Mrc0113
Copy link

Mrc0113 commented Jan 12, 2017

@MarkSonghurst Can you share the ssl config that worked for you with your updates?

@MarkSonghurst
Copy link
Contributor Author

MarkSonghurst commented Jan 12, 2017 

httpbeat:
  # Httpbeat configuration for API hosts.
  urls:
    -
      cron: "@every 10s"
      url: https://localhost:8080/metrics
      method: get
      document_type: httpbeat_api_metrics
      output_format: json
      headers:
        Accept: application/json
      ssl:
        certificate_authorities: ["/etc/pki/tls/certs/logstash-ca.crt"]
        verification_mode: none
    -
      cron: "@every 5s"
      url: https://localhost:8080/alerts
      method: get
      document_type: httpbeat_api_alerts
      output_format: json
      headers:
        Accept: application/json
      ssl:
        certificate_authorities: ["/etc/pki/tls/certs/logstash-ca.crt"]
        verification_mode: none

@MarkSonghurst
Copy link
Contributor Author

MarkSonghurst commented Jan 12, 2017

For logstash

#----------------------------- Logstash output --------------------------------
output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true  

  # Number of workers per Logstash host.
  worker: 1  

  # Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
  ssl.enabled: true

  # Configure SSL verification mode. If `none` is configured, all server hosts
  # and certificates will be accepted. In this mode, SSL based connections are
  # susceptible to man-in-the-middle attacks. Use only for testing. Default is
  # `full`.
  ssl.verification_mode: none

  # The Logstash hosts
  hosts: ["monitoring.equineregister.co.uk:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  certificate_authorities: ["/etc/pki/tls/certs/logstash-ca.crt"]

  # Certificate for TLS client authentication
  certificate: "/etc/pki/tls/certs/logstash-forwarder.crt"

  # Client Certificate Key
  certificate_key: "/etc/pki/tls/private/logstash-forwarder.key"

@MarkSonghurst
Copy link
Contributor Author

MarkSonghurst commented Jan 12, 2017
edited
Loading

Without my PR I would get an immediate Go panic when the SSL config was loaded, and httpbeat would terminate. I'm really surprised the guys in #14 are not seeing that also.

Anyway, once I fixed the panic, I had some error messages on STDOUT about an invalid cert which led me to use both the verification_mode: none and certificate_authorities settings.
I suspect that will solve #14 - however both might not be needed. YMMV.

Incidently, the comment in the logstash section:
# Enable SSL support. SSL is automatically enabled, if any SSL setting is set.
I found to be untrue. I had to specifically set ssl.enabled: true to make SSL work against logstash.

@MarkSonghurst MarkSonghurst mentioned this pull request Jan 12, 2017
Closed
@Mrc0113
Copy link

Mrc0113 commented Jan 12, 2017
edited
Loading

Thanks - I can set those properties yet they don't work for me. My suspicion is that the "verification_mode" property doesn't work properly as I can curl the endpoint with the --insecure option which is supposed to be the equivalent of "verification_mode: none" but httpbeat seems to still try to verify the hostname against the common name in the certificate.

Unfortunately the system I am trying to call is creating a self signed certificate that does not have the proper host name...

@christiangalsterer christiangalsterer added this to the 3.2.0 milestone Jan 14, 2017
@christiangalsterer
Copy link
Owner

christiangalsterer commented Jan 14, 2017

Release 3.2.0 now available

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@MarkSonghurst @christiangalsterer @Mrc0113