Haproxy module does not honour ssl.verification_mode: 'none'

cafuego · November 7, 2019, 6:32am

Our hosting provider runs haproxy for us and we have access to the stats interface. We have been using a custom script to extract stats, but since metricbeat has a haproxy module, it would be nice to use that instead.

The stats backend is available over HTTPS with authentication and a self-signed certificate. I have no control over that. I found the various options I should use to configure that, and even appended the trailing slash on the URL so that the port number does not get ";csv" appended, but I cannot get it to work.

It looks as if the ssl.verification_mode: none is ignored, as the error I get when testing the config is: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

Config:

- module: haproxy
  metricsets: ["stat"]
  hosts: ["https://10.5.101.1:7500/"]
  ssl.verification_mode: 'none'
  username: 'user'
  password: 'pass'
  period: 10s
  enabled: true

Output:

haproxy...
  stat...
    error... ERROR failed fetching haproxy stat: couldn't connect: Get https://user:pass@10.5.101.1:7500/;csv: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

To the best of my understanding, it should not be trying to validate the cert at all! This is metricbeat 6.8.4 running in a docker container. The other modules I have enabled work fine (but don't get their data off a HTTPS url)

cafuego · November 7, 2019, 10:03pm

Update: using docker ip/hostname mapping to assign short (and then full) hostnames to check produces different errors, eventually culminating in "x509: certificate signed by unknown authority" so most definitely the module tries to verify the cert, despite being told not to.

exekias · November 15, 2019, 9:03am

Hi @cafuego,

I think you are right, haproxy doesn't allow for SSL settings. Could you please open a new issue to request this in our repo? https://github.com/elastic/beats/issues/new?template=feature-request.md

As a workaround, have you considered using unix sockets for this?

Best regards

cafuego · November 18, 2019, 5:09am

Hi @exekias,

I have no access (except via https) to the haproxy instances, so I can't access the socket file on the haproxy hosts.

Issue is https://github.com/elastic/beats/issues/14579

system · December 16, 2019, 7:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can’t get HAPROXY to send stats or info data to Metricbeat Beats beats-module , metricbeat	4	193	April 9, 2024
Metricbeat: haproxy module - Error converting param to Beats metricbeat	3	808	April 3, 2018
Metricbeat showing "server's certificate chain verification is disabled" Beats docker , metricbeat	10	2827	February 7, 2022
MetricBeat tomcat module with HTTPS Beats metricbeat	7	1466	March 31, 2020
Error fetching data for metricset haproxy.info: failed fetching haprox info: not supported Beats metricbeat	1	668	October 1, 2021

Haproxy module does not honour ssl.verification_mode: 'none'

Related Topics