APM-Agent not connecting to APM-Server over HTTPS

I have my Elasticsearch server and my APM-Server on the same server.

My APM-Agent is installed on a separate server, where my application is.

The problem is that where the agent is installed the application enforces a strict HSTS policy. So when I try to send the metrics from the agent to my APM-Server on http://1.2.3.4:8200 the request is cancelled, as it's sent over plain text rather than HTTPS protocol.

I attempted to install the APM-Server on the same server as the APM-Agent and tell it to connect to http://localhost:8200. But that also has connection issues and doesn't work.

I looked into setting up SSL on the APM-Server, but unfortunately, because it's an IP and doesn't have DNS, Let's Encrypt's certificates don't work.

If anyone can suggest a solution I'd be very grateful. I'm not really sure what to do, or if I'm missing something obvious that stops this from being a problem.

Side note: I do think having the agent send data over HTTPS is a better option. I'm not sure why localhost didn't work but that would also be a good option I

If you can, configure the APM Server with a self-signed SSL certificate.

After that you need to tell the APM agent not to validate the certificate using ELASTIC_APM_VERIFY_SERVER_CERT=false. Here's an example from the Node.js agent (but all the agents have this config option):

https://www.elastic.co/guide/en/apm/agent/nodejs/current/agent-api.html#validate-server-cert

Let me know if this solves your problem :slight_smile:

Thank you for replying.
I set up a self-signed certificate and added verifyServerCert: 'false'.

It worked to the point where it hit the APM-Server port.

then it gave me a net::ERR_CERT_AUTHORITY_INVALID.

I'm assuming it's the browser that's stopping that?

I tried `curl -k https://apm-server:8200` and that gives me a 404 page not found. I read somewhere it means the server is working.

Ah, sorry if I misunderstood. Are you using the RUM agent? You're correct that the browser requires the https connection to be using a proper trusted certificate.

I'm using the JS agent, and I have the RUM agent enabled in my apm-server configurations.

If that's the case I'm going to have to either get a certificate from an authority that allows the use of IP addresses or give my apm-server a DNS name and use Let's Encrypt.

What I'd normally recommend in a situation like this is to put a load balancer or similar proxy in front of the APM Server in which you terminate the SSL/TLS connection coming from the browser.

The communication from the proxy to the APM Server would then either happen over plain old HTTP or via a self-signed certificate if you can configure your proxy to allow that.

Would that work in your scenario?
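An added example of the proxy setup described above (not from this thread or from Elastic's documentation): an nginx server block that terminates TLS for the browser and forwards to APM Server over plain HTTP on the loopback interface. The hostname `apm.example.com` and the certificate paths are placeholders; the RUM agent's `serverUrl` would point at `https://apm.example.com` and APM Server keeps listening on 127.0.0.1:8200.

```nginx
# Added example, not from the original thread.
# Assumptions: apm.example.com is a placeholder DNS name with a CA-issued
# certificate (e.g. Let's Encrypt); APM Server runs on the same host as
# nginx and listens on 127.0.0.1:8200 over plain HTTP, so it is never
# exposed directly to the network.
server {
    listen 443 ssl;
    server_name apm.example.com;

    # Placeholder paths; use whatever your ACME client writes out.
    ssl_certificate     /etc/letsencrypt/live/apm.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apm.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8200;
        proxy_http_version 1.1;

        # APM Server derives the RUM client IP from these headers.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Agent payloads are NDJSON streams; pass them through unbuffered.
        proxy_request_buffering off;
    }
}

# Plain HTTP only redirects to HTTPS, which keeps the browser's HSTS
# policy satisfied and leaves no cleartext path to the APM endpoint.
server {
    listen 80;
    server_name apm.example.com;
    return 301 https://$host$request_uri;
}
```

With this in place the backend agents can keep `ELASTIC_APM_VERIFY_SERVER_CERT` at its default (verification on), since the certificate the agents see is the CA-issued one on the proxy.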

Yes, that sounds as good a solution as any.

Thanks for your help.
