Haproxy module does not honour ssl.verification_mode: 'none'

cafuego · November 7, 2019, 6:32am

Our hosting provider runs haproxy for us and we have access to the stats interface. We have been using a custom script to extract stats, but since metricbeat has a haproxy module, it would be nice to use that instead.

The stats backend is available over HTTPS with authentication and a self-signed certificate. I have no control over that. I found the various options I should use to configure that, and even appended the trailing slash on the URL so that the port number does not get ";csv" appended, but I cannot get it to work.

It looks as if the ssl.verification_mode: none is ignored, as the error I get when testing the config is: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

Config:

- module: haproxy
  metricsets: ["stat"]
  hosts: ["https://10.5.101.1:7500/"]
  ssl.verification_mode: 'none'
  username: 'user'
  password: 'pass'
  period: 10s
  enabled: true

Output:

haproxy...
  stat...
    error... ERROR failed fetching haproxy stat: couldn't connect: Get https://user:pass@10.5.101.1:7500/;csv: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

To the best of my understanding, it should not be trying to validate the cert at all! This is metricbeat 6.8.4 running in a docker container. The other modules I have enabled work fine (but don't get their data off a HTTPS url)

cafuego · November 7, 2019, 10:03pm

Update: using docker ip/hostname mapping to assign short (and then full) hostnames to check produces different errors, eventually culminating in "x509: certificate signed by unknown authority" so most definitely the module tries to verify the cert, despite being told not to.

exekias · November 15, 2019, 9:03am

Hi @cafuego,

I think you are right, haproxy doesn't allow for SSL settings. Could you please open a new issue to request this in our repo? https://github.com/elastic/beats/issues/new?template=feature-request.md

As a workaround, have you considered using unix sockets for this?

Best regards

cafuego · November 18, 2019, 5:09am

Hi @exekias,

I have no access (except via https) to the haproxy instances, so I can't access the socket file on the haproxy hosts.

Issue is https://github.com/elastic/beats/issues/14579

system · December 16, 2019, 7:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can’t get HAPROXY to send stats or info data to Metricbeat Beats beats-module , metricbeat	4	195	April 9, 2024
Metricbeat: haproxy module - Error converting param to Beats metricbeat	3	808	April 3, 2018
Haproxy module authentication Beats metricbeat	3	1139	November 22, 2017
HAProxy module has issues with metricbeat Beats metricbeat	2	1575	April 8, 2017
Metricbeat showing "server's certificate chain verification is disabled" Beats docker , metricbeat	10	2837	February 7, 2022

Haproxy module does not honour ssl.verification_mode: 'none'

Related topics