Hi there,
I'm using APM-Server and APM-Agents clients in Go and Java.
I'm moving to HTTPS, but I'm using a private CA to issue server certificates (it is the same CA used for Logstash, Elastic and Beat client authentication).
I see that in the Ruby implementation there is an ELASTIC_APM_SERVER_CA_CERT param, but this is missing in the Java and Go agent implementations. There is an ELASTIC_APM_SERVER_CERT param, but this is not practical to use, since in our environment there are multiple APM-Server nodes.
In Java I assume I need to put the CA certificate in the Java TrustStore. What is the correct pattern in Go?
I would like to avoid setting ELASTIC_APM_VERIFY_SERVER_CERT to false.

Yes, in Java you can configure the trust store.
Currently the Go agent does not provide configuration for this. I've opened https://github.com/elastic/apm-agent-go/issues/752 to add it. In the meantime, you could do this in code if you're so inclined:
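
package main

import (
	"crypto/x509"
	"io/ioutil"
	"log"
	"net/http"

	"go.elastic.co/apm"
	"go.elastic.co/apm/transport"
)

func main() {
	// The default tracer talks to the APM Server through an HTTP transport;
	// unwrap it to reach the underlying *http.Transport.
	apmTransport := apm.DefaultTracer.Transport.(*transport.HTTPTransport)
	httpTransport := apmTransport.Client.Transport.(*http.Transport)

	// Load the private CA certificate (PEM) that issued the server certificates.
	pem, err := ioutil.ReadFile("/path/to/ca.pem")
	if err != nil {
		log.Fatalf("reading CA certificate: %v", err)
	}

	// Verify the APM Server certificate against that CA only.
	caCerts := x509.NewCertPool()
	if !caCerts.AppendCertsFromPEM(pem) {
		log.Fatal("no certificates found in /path/to/ca.pem")
	}
	httpTransport.TLSClientConfig.RootCAs = caCerts
}
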
One of my colleagues pointed out that on UNIX(-like) systems, you can also set the SSL_CERT_FILE environment variable to override the system default location for certs. This would be effectively the same as setting the future ELASTIC_APM_SERVER_CA_CERT environment variable.