Heartbeat can't connect to endpoint with cert and key

rdaimler · November 19, 2019, 5:56am

Hello,

I'm trying to check an endpoint that requires a cert and key. I get a Client.Timeout exceeded while awaiting headers error.

- type: http
  id: Bitbucket
  schedule: '@every 20s'
  urls: ["https://bark.tgyu.com/bitbucket"]
  # ssl.verification_mode: none
  ssl:
    certificate: /root/A/public-cert.pem
    key: /root/A/key.pem
  check.response.status: 302
  check.request.method: HEAD
  timeout: 20

I can successfully curl the endpoint from the same server.

I'm running elastic 7.1.1

Thanks,
Rob

Andrew_Cholakian1 · November 26, 2019, 12:21pm

That's a bit mysterious. We tests around that behavior that run successfully.

Can you run heartbeat without no client cert/key specified and let me know what error that gives?

rdaimler · November 26, 2019, 6:05pm

Sure,

"message": "Head https://asdf.com/bitbucket: dial tcp 123.122.33.33:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

rdaimler · November 26, 2019, 6:13pm

I tried with a ca.crt as well with the same result.

Andrew_Cholakian1 · November 26, 2019, 8:41pm

This is very strange behavior. Can you reproduce this behavior against a public endpoint? At this point to debug it I'll need:

A way to reproduce it locally
To dive into packet capture to see what's going on.

rdaimler · November 26, 2019, 10:37pm

Sure, Andrew. Can we set up a conference call? The endpoint is tightly controlled and I can't disclose how it is configured publicly.

Thanks,
Rob

rdaimler · December 16, 2019, 10:39pm

It looks like it's attempting to connect with the ip address instead of the hostname.

"message": "Head https://asd.com:443/bitbucket: dial tcp 141.118.21.67:443: i/o timeout (Client.Timeout exceeded while awaiting headers)"

I'm guessing it has to go through some extra negotiation process with the ip and can't manage to get through. There is also a reverse proxy in front of the app.

Rob

Andrew_Cholakian1 · December 17, 2019, 1:45am

Sorry for the delay here. It sounds like this is a really detailed TLS issue that might involve an out-of-spec middle-box. Can you share the exact cURL command you're using? That may help.

Our usage of TLS isn't anything special I should mention, it's just the standard golang TLS lib, so I doubt that's the issue here. If there's anything you can do to temporarily test without middleboxes as well that would be a great way to help solve this issue.

WRT to the conference call, we can't provide that level of support through the forum. If you do have a subscription that is something you can reach out to our support engineers about.

rdaimler · December 17, 2019, 1:56am

No problem. Holidays are holidays.

I'll probably follow up with support.

curl -v --cert /root/asdf/cert.pem --key /root/asdf/key.pem https://asdf.com:443/bitbucket

That works without errors.

Rob

system · January 14, 2020, 1:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Hearbeat error: x509: certificate signed by unknown authority Beats heartbeat	3	1430	May 27, 2019
Heartbeat-elastic site monitoring error (Web down) Beats heartbeat	3	1593	July 4, 2019
Heartbeat Won't Ignore SSL Verification Beats heartbeat	3	2488	November 22, 2019
Heartbeat not able to connect the HTTP Endpoint via Proxy Beats heartbeat	4	473	September 28, 2020
Heartbeat remote error: tls: handshake failure Beats elastic-stack-security , heartbeat	3	770	July 5, 2021

Heartbeat can't connect to endpoint with cert and key

Related topics