
TLS version setting is not documented

Open duj4 opened this issue 1 year ago • 32 comments

What's wrong?

This is per a closed issue: https://github.com/grafana/agent/issues/4698

We installed GA 0.37.2 on Windows Server without changing any configuration, and an error like the one below was posted in the log files: image

When I tried to curl the /metrics endpoint, it replied with an error: image

When I used openssl to connect to the server: image

Steps to reproduce

  1. Install GA 0.37.2 on Windows Server 2019
  2. Configure "windows_certificate_filter" with server and client enabled
  3. Start GA with https enabled
  4. curl server with

System information

Windows Server 2019

Software version

Grafana Agent 0.37.2

Configuration

server:
  log_level: debug
  http_tls_config: &tls_config
    windows_certificate_filter:
      server:
        system_store: LocalMachine
        store: My
        issuer_common_names:
          - "<common name>"
      client:
        issuer_common_names:
          - "<common name>"
  grpc_tls_config: *tls_config

Logs

No response

duj4 avatar Nov 07 '23 14:11 duj4

May I know where I could set the TLS version and how? The release notes of 0.37.1 state that the TLS version and cipher suites are not restricted.

duj4 avatar Nov 07 '23 14:11 duj4

Hi @mattdurham , could you please help check this one? Thanks.

duj4 avatar Nov 08 '23 02:11 duj4

Does it work if you omit windows_certificate_filter.client?

jkroepke avatar Nov 11 '23 07:11 jkroepke

@jkroepke no, the same error

duj4 avatar Nov 12 '23 03:11 duj4

What about

openssl s_client -connect localhost:12345 -tls1_2

jkroepke avatar Nov 12 '23 07:11 jkroepke

hi @jkroepke , I tried it on the windows server, please check the response: image

I exported the cert from windows certstore and tried again: image

duj4 avatar Nov 13 '23 01:11 duj4

And what happens, if you are using MS Edge?

Maybe RSA-PSS certificates have some issue with Go.

jkroepke avatar Nov 13 '23 08:11 jkroepke

Apologies, I was at KubeCon. It is an undocumented set of values; you can see them in the code here (https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L17). Under http_tls_config you would have a min_version and max_version flag. Valid values are listed here: https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L115

mattdurham avatar Nov 13 '23 15:11 mattdurham

If I recall correctly, you need a specific openssl to work with Windows properly. I found it easier to import the certificates into Firefox/Chrome, trust them, and then hit the endpoints.

mattdurham avatar Nov 13 '23 15:11 mattdurham

hi @mattdurham , thanks for the reply.

Apologies, I was at KubeCon. It is an undocumented set of values; you can see them in the code here (https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L17). Under http_tls_config you would have a min_version and max_version flag. Valid values are listed here: https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L115

Yes, I was using this config.

If I recall correctly, you need a specific openssl to work with Windows properly. I found it easier to import the certificates into Firefox/Chrome, trust them, and then hit the endpoints.

The error is posted when Prometheus is trying to scrape it, not just from the browser.

duj4 avatar Nov 14 '23 03:11 duj4

And what happens, if you are using MS Edge?

Maybe RSA-PSS certificates have some issue with Go.

I tried both Edge and Chrome; neither of them could load it. I am suspecting the code as well.

duj4 avatar Nov 14 '23 14:11 duj4

Apologies, I was at KubeCon. It is an undocumented set of values; you can see them in the code here (https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L17). Under http_tls_config you would have a min_version and max_version flag. Valid values are listed here: https://github.com/grafana/agent/blob/c2c40f8a27abe71e35eedf440ab25ae44bf8a9ff/pkg/server/tls.go#L115

Hi @mattdurham , no matter what TLS version I set, an error like "last octet invalid" is posted.

duj4 avatar Nov 14 '23 15:11 duj4

You may need to limit your suites to the one the certificate is using. The Windows certificate store doesn't let you investigate the certificate, so it's very possible the default cipher suites are not suitable. Are you exporting your keys with the full trust chain?

I documented how to set this up from a developer perspective, but it is likely good documentation to review. I generally find that the Windows certificate store, and testing it, is extremely particular about what it accepts.

mattdurham avatar Nov 14 '23 16:11 mattdurham

hi @mattdurham ,

Thanks for the doc. As the template is already set up by our security team and is widely used by other teams, I cannot modify it; here is the screenshot: certmanager_1

certmanager_2

And here is the config file we are using now: image

The cert had been imported to the Edge browser, but it is showing error as below: image

Any further thought would be much appreciated.

duj4 avatar Nov 15 '23 14:11 duj4

I wonder if it's related to https://github.com/golang/go/issues/45990

mattdurham avatar Nov 15 '23 14:11 mattdurham

I wonder if it's related to golang/go#45990

Yes, I checked this one as well, but found it is almost one year old, so :P

duj4 avatar Nov 15 '23 14:11 duj4

@mattdurham would like to test or try anything else if there is any, thanks

duj4 avatar Nov 16 '23 14:11 duj4

It's so hard to test, since it's certificates and you can't really share that. Does it work if you don't use the certificate store but instead export them and reference them via files?

mattdurham avatar Nov 16 '23 14:11 mattdurham

Thanks @mattdurham , I tried it that way and it looks good:

config file snippet with TLS specified: image

able to access the metrics/windows_exporter endpoint: image

image

duj4 avatar Nov 17 '23 02:11 duj4

hi @mattdurham , may I know if there is any update on this issue?

duj4 avatar Dec 07 '23 14:12 duj4

No, I can't recreate it. So I'm mostly at a dead end on my side. If it's possible to share the certificates, or dummy generated ones, maybe I could dig into it from that angle.

mattdurham avatar Dec 11 '23 17:12 mattdurham

@mattdurham sure, how could I send it to you? Though it is a test one, I would like to send it in a safe way, an email would be better.

duj4 avatar Dec 12 '23 01:12 duj4

Community slack channel is likely the best way, mattd there

mattdurham avatar Dec 12 '23 19:12 mattdurham

Thanks @mattdurham , have sent the cert and key to ya via slack channel

duj4 avatar Dec 13 '23 02:12 duj4

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!

github-actions[bot] avatar Jan 13 '24 00:01 github-actions[bot]

Hi All, is there any update on this issue? We are rolling out Grafana Agent to Windows servers in a production environment and this is becoming a blocker for now. I would appreciate any further help.

duj4 avatar Feb 21 '24 11:02 duj4

We have tried 0.39.2; the issue still persists.

duj4 avatar Feb 22 '24 01:02 duj4

Thanks @mattdurham for the great help. The modified version (https://github.com/mattdurham/agent/releases/tag/cerstore2) fixed the cert store issue, but there are some limitations. Here is the working config: image

If we set the TLS version to 1.3, even if only as the max version, the connection will be broken: image image image

Besides, although I set the cipher_suites in the config (), when I tried to connect with another cipher, the connection was still set up: image

The Windows server we are running on is 2019; it supports TLS 1.2 only, but how about the cipher suites? I think Grafana Agent should only accept connections with the listed ones and deny connections with others.

Please help on this one.

Thanks.

duj4 avatar Mar 06 '24 03:03 duj4
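The behaviour reported above (a cipher outside cipher_suites still connects) matches how Go's crypto/tls, which Grafana Agent's server is built on, treats that list: CipherSuites restricts TLS 1.2 and earlier only, while the TLS 1.3 suites are fixed by the library and cannot be configured. The following example is added here and is not code from the issue, the agent, or its modified build; the self-signed certificate, the Handshake function and the two suite names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
)

// selfSignedCert builds a throwaway in-memory ECDSA cert (constructed for this demo, not the issue's certificate).
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixed inputs, cannot fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Handshake pins both peers to one TLS version; the server allows only serverSuite (the role of cipher_suites) and the client offers only clientSuite.
func Handshake(version, serverSuite, clientSuite uint16) (tls.ConnectionState, error) {
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{selfSignedCert()},
		MinVersion:   version, MaxVersion: version,
		CipherSuites: []uint16{serverSuite}, // honoured for TLS 1.2, ignored for TLS 1.3
		SessionTicketsDisabled: true, // no post-handshake ticket write that could block the pipe
	}
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // demo only: suite negotiation, not trust, is under test
		MinVersion:         version, MaxVersion: version,
		CipherSuites:       []uint16{clientSuite},
	}
	c1, c2 := net.Pipe() // in-memory duplex connection, no sockets needed
	defer func() { c1.Close(); c2.Close() }()
	go func() { _ = tls.Server(c1, srvCfg).Handshake() }()
	cli := tls.Client(c2, cliCfg)
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err // what a scraper would see when rejected
	}
	return cli.ConnectionState(), nil
}

func main() {
	a, b := tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
	_, err12 := Handshake(tls.VersionTLS12, a, b)
	cs13, err13 := Handshake(tls.VersionTLS13, a, b)
	fmt.Printf("TLS 1.2 mismatch: %v\nTLS 1.3 mismatch: err=%v suite=%#x\n", err12, err13, cs13.CipherSuite)
}
```

The TLS 1.2 handshake fails with a handshake_failure alert, while the TLS 1.3 handshake succeeds with a TLS 1.3 suite that appears in neither list; restricting suites therefore only has effect when max_version keeps the connection at TLS 1.2.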

Hi there :wave:

On April 9, 2024, Grafana Labs announced Grafana Alloy, the spiritual successor to Grafana Agent and the final form of Grafana Agent flow mode. As a result, Grafana Agent has been deprecated and will only be receiving bug and security fixes until its end-of-life around November 1, 2025.

To make things easier for maintainers, we're in the process of migrating all issues tagged variant/flow to the Grafana Alloy repository to have a single home for tracking issues. This issue is likely something we'll want to address in both Grafana Alloy and Grafana Agent, so just because it's being moved doesn't mean we won't address the issue in Grafana Agent :)

rfratto avatar Apr 11 '24 20:04 rfratto

@rfratto @mattdurham the TLS cipher issue is still pending for resolution, may I have any update on this? The deadline from our security team is around July 14th.

duj4 avatar Apr 29 '24 09:04 duj4