Crypto/rsa: verification error - using heartbeat

Peter_Steenbergen · July 1, 2020, 7:43am

Hi,
I am getting a crypto/rsa error: verification error with heartbeat version 7.4.2.
The website is using LetsEncrypt and the SSL was verified with ssllabs with a grade of A.

What can be the issue here?

- type: http
  id: monitor-1
  name: monitor-1
  enabled: true
  schedule: '@every 60s'
  urls: ["https://marccornelius.nl/"]
  ipv4: true
  ipv6: true
  mode: any
  timeout: 15s
  check.request:
    headers:
      'User-Agent': 'heartbeat'
  check.response.status: 200
  ssl.verification_mode: none

xeraa · July 2, 2020, 11:46am

So the problem is that you have set ssl.verification_mode: none and you still get a verification error? Or that you get a verification error for a certificate that should actually be valid?

Peter_Steenbergen · July 2, 2020, 12:09pm

The heartbeat gives an error, but not a logical one. All the browsers are redirecting to the www. variant of that domain correctly.
So I would expect that the error would be: Received status of 301 should be 200 error.

In this case it seems that the certificate is not matching the domain (server signed looks like it) and gives some kind of crypto-error. With the SSL verification_mode to false I would guess that there should not a crypto error based on the SSL.

xeraa · July 2, 2020, 12:25pm

This was changed in 7.6: https://github.com/elastic/beats/pull/14125
There won't be any changes / fixes for 7.4.

Is that closer to the behavior you are expecting?

Peter_Steenbergen · July 2, 2020, 12:47pm

Hmm this is for the redirects. The redirects is a step further. In this case the host gives prematurely an error based on the crypto of the domain. The HTTP.go client gives the error (or seems like it)

xeraa · July 3, 2020, 12:51am

So what's the full error or stacktrace — just crypto/rsa error: verification error?

And I assume it's also not related to https://github.com/elastic/beats/issues/17123 (I think we hit that internally on some demos).

Peter_Steenbergen · July 3, 2020, 7:21am

Hi Philipp,
This is the full description I see in Uptime and in Discover:

Error
Get https://www.marccornelius.nl/: crypto/rsa: verification error

I will try a newer version later this weekend. But there was a reason I am using 7.4.2 because with newer version when a yml is not correct all the other ymls will also skipped and heartbeat will not run.

system · July 31, 2020, 9:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.