Heartbeat can't connect to endpoint with cert and key

Hello,

I'm trying to check an endpoint that requires a cert and key. I get a "Client.Timeout exceeded while awaiting headers" error.

- type: http
  id: Bitbucket
  schedule: '@every 20s'
  urls: ["https://bark.tgyu.com/bitbucket"]
  # ssl.verification_mode: none
  ssl:
    certificate: /root/A/public-cert.pem
    key: /root/A/key.pem
  check.response.status: 302
  check.request.method: HEAD
  timeout: 20

I can successfully curl the endpoint from the same server.

I'm running Elastic 7.1.1

Thanks,
Rob

That's a bit mysterious. We have tests around that behavior that run successfully.

Can you run Heartbeat with no client cert/key specified and let me know what error that gives?

Sure,

"message": "Head https://asdf.com/bitbucket: dial tcp 123.122.33.33:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

I tried with a ca.crt as well with the same result.

This is very strange behavior. Can you reproduce this behavior against a public endpoint? At this point, to debug it I'll need:

  1. A way to reproduce it locally
  2. To dive into packet capture to see what's going on.

Sure, Andrew. Can we set up a conference call? The endpoint is tightly controlled and I can't disclose how it is configured publicly.

Thanks,
Rob

It looks like it's attempting to connect with the ip address instead of the hostname.

"message": "Head https://asd.com:443/bitbucket: dial tcp 141.118.21.67:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

I'm guessing it has to go through some extra negotiation process with the ip and can't manage to get through. There is also a reverse proxy in front of the app.

Rob

Sorry for the delay here. It sounds like this is a really detailed TLS issue that might involve an out-of-spec middle-box. Can you share the exact cURL command you're using? That may help.

Our usage of TLS isn't anything special, I should mention; it's just the standard golang TLS lib, so I doubt that's the issue here. If there's anything you can do to temporarily test without middleboxes as well, that would be a great way to help solve this issue.

WRT the conference call, we can't provide that level of support through the forum. If you do have a subscription, that is something you can reach out to our support engineers about.

No problem. Holidays are holidays.

I'll probably follow up with support.

curl -v --cert /root/asdf/cert.pem --key /root/asdf/key.pem https://asdf.com:443/bitbucket

That works without errors.

Rob
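Editor's note (an added example, not code from Heartbeat, Elastic or anyone in this thread): the error quoted above, "dial tcp ...: i/o timeout", is raised by Go's net package while the TCP connection is being opened, which happens before any TLS handshake, so at that point the configured client cert and key have not been sent and cannot be what is rejected. The program below reproduces the monitor's request path with the same standard Go TLS stack Heartbeat uses (client certificate, CA pool, HEAD, 302 expected, redirects not followed) against a constructed loopback server that requires a client certificate, and classifies a failure by the stage it died in. All certificates are generated in-process as throwaway test material; the names "bark.example" and "heartbeat", the loopback server standing in for the real endpoint and its reverse proxy, and the 5-second timeout are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // fixture setup failure; not part of the check being demonstrated
	}
	return v
}

// newSelfSigned builds a throwaway self-signed ECDSA cert (constructed test material)
// usable as its own CA, as a server cert for 127.0.0.1, and as a client cert.
func newSelfSigned(cn string) (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// startMTLSServer stands in for the endpoint and its reverse proxy: loopback only,
// client certificate required, every request answered with the 302 the monitor expects.
func startMTLSServer(serverCert tls.Certificate, clientCA *x509.CertPool) string {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCA,
	}))
	go http.Serve(ln, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Location", "/bitbucket/login")
		w.WriteHeader(http.StatusFound)
	}))
	return "https://" + ln.Addr().String() + "/bitbucket"
}

// newClient is the plain Go TLS stack with a client cert and CA pool, which is what
// ssl.certificate / ssl.key amount to; redirects are not followed so the 302 itself is seen.
func newClient(clientCert tls.Certificate, roots *x509.CertPool, timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout: timeout,
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{Certificates: []tls.Certificate{clientCert}, RootCAs: roots},
			DialContext:     (&net.Dialer{Timeout: timeout}).DialContext,
		},
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
	}
}

// headStatus issues the monitor's HEAD request and returns the HTTP status code.
func headStatus(c *http.Client, url string) (int, error) {
	resp, err := c.Head(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// stage says where a failed check died. "dial": TCP was never established (DNS, routing,
// firewall, proxy) and no certificate has been sent yet, so the client cert and key cannot
// be the cause. "tls": the handshake failed (CA, cert, key, name). Anything else: "http".
func stage(err error) string {
	var op *net.OpError
	if errors.As(err, &op) && op.Op == "dial" {
		return "dial"
	}
	if msg := err.Error(); strings.Contains(msg, "tls:") || strings.Contains(msg, "x509:") {
		return "tls"
	}
	return "http"
}

func main() {
	serverCert, serverPool := newSelfSigned("bark.example")
	clientCert, clientPool := newSelfSigned("heartbeat")
	url := startMTLSServer(serverCert, clientPool)
	fmt.Println(headStatus(newClient(clientCert, serverPool, 5*time.Second), url)) // 302 <nil>
}
```

Run with `go run`: the mutual-TLS request returns 302 with no error. Pointing the same client at a closed port makes `stage` return "dial", and pointing it at the server with a CA pool that does not contain the server's certificate makes it return "tls"; the message in the thread belongs to the first class. A quick cross-check along the same lines is to compare the IP in the Heartbeat error with the one `curl -v` prints in its "Connected to" line: if they differ, the two clients are not reaching the same place, and the certificate configuration is not yet involved.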
