APM-Agent not connecting to APM-Server over HTTPS

(Mohamed Salih) #1

I have my Elasticsearch server and my APM-Server on in the same server.

My APM-Agent is installed on a separate server, where my application is.

The problem is that where the agent is installed the application enforces a strict HSTS policy. So when I try to send the metrics from the agent to my APM-Server on the request is cancelled, as it's sent over plain text rather than HTTPS protocol.

I attempted to install the APM-Server on the same server as the APM-Agent and tell it to connect to http://localhost:8200. But that also has connection issues and doesn't work.

I looked into setting up SSL on the APM-Server but unfortunately, because it's an IP and doesn't have DNS, Let's Encrypt's certificates don't work.

If anyone can suggest a solution I'd be very grateful. I'm not really sure what to do, or if I'm missing something obvious that stops this from being a problem.

Side note: I do think having the agent send data over HTTPS is a better option. I'm not sure why localhost didn't work but that would also be a good option I

(Thomas Watson) #2

If you can, configure the APM Server with a self-signed SSL certificate.

After that you need to tell the APM agent not to validate the certificate using ELASTIC_APM_VERIFY_SERVER_CERT=false. Here's an example from the Node.js agent (but all the agents have this config option):


Let me know if this solves your problem :)

(Mohamed Salih) #3

Thank you for replying.
I set up a self-signed certificate and added verifyServerCert: 'false'.

It worked to the point where it hit the APM-Server port.

Then it gave me a net::ERR_CERT_AUTHORITY_INVALID.

I'm assuming it's the browser that's stopping that?

I tried curl -k https://apm-server:8200 and that gives me a 404 page not found. I read somewhere it means the server is working.

(Thomas Watson) #4

Ah, sorry if I misunderstood. Are you using the RUM agent? You're correct that the browser requires the https connection to be using a proper trusted certificate.

(Mohamed Salih) #5

I'm using the JS agent, and I have the RUM agent enabled in my apm-server configurations.

If that's the case I'm going to have to either get a certificate from an authority that allows the use of IP addresses or give my apm-server a DNS and use Let's Encrypt.

(Thomas Watson) #6

What I'd normally recommend in a situation like this is to put a load balancer or similar proxy in front of the APM Server in which you terminate the SSL/TLS connection coming from the browser.

The communication from the proxy to the APM Server would then either happen over plain old HTTP or via a self signed certificate if you can configure your proxy to allow that.

Would that work in your scenario?
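
The proxy layout described in the reply above, sketched as an nginx server block. This is an added example, not part of the original post or Elastic's documentation; the hostname apm.example.com, the certificate paths and the loopback upstream address are assumptions.

```nginx
# Constructed example: apm.example.com, the certificate paths and the
# upstream address are placeholders, not values from the thread.
server {
    listen 443 ssl;
    server_name apm.example.com;   # DNS name the RUM agent's server URL points at

    # Certificate issued by a publicly trusted CA for the DNS name above.
    # A self-signed certificate here is what makes the browser fail with
    # net::ERR_CERT_AUTHORITY_INVALID.
    ssl_certificate     /etc/ssl/apm.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/apm.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Option A: plain HTTP to the APM Server. Keep the APM Server
        # listening on loopback only so port 8200 is not reachable directly.
        proxy_pass http://127.0.0.1:8200;

        # Option B: the APM Server keeps its self-signed certificate.
        # Pin that certificate instead of switching verification off.
        # "apm-server" is assumed to be a name present in the certificate.
        # proxy_pass https://127.0.0.1:8200;
        # proxy_ssl_trusted_certificate /etc/nginx/apm-server-selfsigned.crt;
        # proxy_ssl_verify on;
        # proxy_ssl_name apm-server;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place the browser only ever talks to https://apm.example.com, so the page's HSTS policy is satisfied and the self-signed certificate, if kept, is seen only by the proxy.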

(Mohamed Salih) #7

Yes, that sounds as good a solution as any.

Thanks for your help.

(system) #8

This topic was automatically closed 20 days after the last reply. New replies are no longer allowed.