elasticsearch-exporter-rs
Self signed certificates
I'm unable to bypass the certificate warning in the application when going against an Elasticsearch server with self-signed certificates.
./elasticsearch_exporter --elasticsearch_url=https://host1.example.com:9200
INFO elasticsearch_exporter > Elasticsearch: ping
WARN rustls::conn > Sending fatal alert BadCertificate
ERROR elasticsearch_exporter > error sending request for url (https://host1.example.com:9200/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
The certificate is trusted by the system CA store and I can reach the host with curl without getting the certificate warning.
I can't find any way to run in insecure mode or point the application towards the CA for verification.
Hi, unfortunately there is no way to control insecure mode because TLS is configured in a downstream elasticsearch crate https://github.com/elastic/elasticsearch-rs/blob/master/elasticsearch/Cargo.toml#L26
Closing because changes have to be made in upstream crate.
I have tested this some more and can confirm that if we switch to native-tls from rustls-tls it's possible to use self-signed certs for your elasticsearch cluster.
elasticsearch-exporter-rs with rustls-tls
INFO elasticsearch_exporter > Elasticsearch: ping
WARN rustls::conn > Sending fatal alert BadCertificate
ERROR elasticsearch_exporter > error sending request for url (https://host.example.com:9200/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer
elasticsearch-exporter-rs with native-tls
INFO elasticsearch_exporter > Elasticsearch: ping
INFO elasticsearch_exporter::metadata::node_data > Elasticsearch: fetching cluster metadata
INFO elasticsearch_exporter::metadata > Elasticsearch: fetching cluster_name
INFO elasticsearch_exporter > Listening on http://0.0.0.0:9222
INFO elasticsearch_exporter::metrics::_cat::indices > Starting subsystem: cat_indices with poll interval: 15sec lifetime: 180sec
INFO elasticsearch_exporter::metrics::_cat::health > Starting subsystem: cat_health with poll interval: 15sec lifetime: 15sec
INFO elasticsearch_exporter::metrics::_nodes::stats > Starting subsystem: nodes_stats with poll interval: 15sec lifetime: 15sec
INFO elasticsearch_exporter::metrics::_stats::_all > Starting subsystem: stats with poll interval: 15sec lifetime: 15sec
INFO elasticsearch_exporter::metadata::node_data > Elasticsearch: fetching cluster metadata
Is there a reason for using rustls-tls in the Cargo.toml file, or can we just switch back to native-tls, as this is the default for the elasticsearch-rs package?
Hey, the reason for using rust-tls is that openssl dependencies are not required, and binary size is way smaller as well. I would be happy to accept a PR that would allow switching feature flags of SSL flavors.
Having problems with releasing the new docker container to the hub, might take some time. In the meantime you can use the :latest docker container tag.
Will release new version this week.
Have reverted the change https://github.com/vinted/elasticsearch-exporter-rs/commit/26ad582c8ef0e406260bf630d3a120098ab360cf because it breaks the build/release due to absence of openssl libraries. Needs reviewing the build process.
Good news.
Have switched back to openssl; this required switching to a Debian-based container as well.
- https://github.com/vinted/elasticsearch-exporter-rs/commit/829cfffa409797dd123692ded2c339828cfb1e30
- https://github.com/vinted/elasticsearch-exporter-rs/commit/9d7b17901ff63a4c4e5b4893b77c55a1ae1b82e1
- https://github.com/vinted/elasticsearch-exporter-rs/commit/b19d51d56f8cda26507c838cc3552cd9c3904974
Please use v0.25.0