Metricbeat showing "server's certificate chain verification is disabled"

Hello,

As far as I can see, I've set up Metricbeat to correctly validate/use SSL, but it still gives the following warning when running 'metricbeat test output':
server's certificate chain verification is disabled

My configuration for metricbeat looks like this:

metricbeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    # Reload module configs as they change:
    reload.enabled: false

metricbeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true

metricbeat.modules:
  - module: docker
    metricsets:
      - "container"
      - "cpu"
      - "diskio"
      - "healthcheck"
      - "info"
      - "memory"
      - "network"
    hosts: ["unix:///var/run/docker.sock"]
    period: 10s
    enabled: true

processors:
  - add_cloud_metadata: ~

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:}'
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'
  ssl:
    enabled: true
    verification_mode: "full"
    supported_protocols: ["TLSv1.2", "TLSv1.3"]
    certificate_authorities: ["/etc/certificates/ca.crt"]
    certificate: "/etc/certificates/component.crt"
    key: "/etc/certificates/component.key"

The connection is fully working, as I can see no error from the logs of metricbeat itself and I can also see metrics showing up in Elasticsearch. I've looked through all possible SSL options to configure, but none of them seem to cover this.

Does anyone have any idea here?

A bit of help here would be appreciated. I wonder if the warning is correct at all to be honest.

Could you try to connect to the Elasticsearch instance using openssl client?

What's behind the var ELASTICSEARCH_HOSTS? Is it an IP address or DNS name?

Hello Marcin, thanks for replying!

The content of ELASTICSEARCH_HOSTS is:

["https://01-elasticsearch-dev.internal:9200","https://02-elasticsearch-dev.internal:9200","https://03-elasticsearch-dev.internal:9200"]

And using openssl s_client -CAfile ./config/certificates/ca.crt -showcerts -connect 01-elasticsearch-dev.internal:9200 I get the following:

CONNECTED(00000003)
depth=1 C = NL, O = Forion, CN = dev Forion CA
verify return:1
depth=0 C = NL, O = Forion, CN = 01-elasticsearch-dev.internal
verify return:1
---
<snip>
<full certificate chain including CA + server certificate>
<snip>
---
Server certificate
subject=/C=NL/O=Forion/CN=01-elasticsearch-dev.internal
issuer=/C=NL/O=Forion/CN=dev Forion CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6544 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
<snip>
    Start Time: 1636453514
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

All looks good as far as I can see.

@mtojek or anyone else, any idea?

Anyone any idea already? :slight_smile:

I have exactly the same warning from all beat types when testing the connection to Logstash. The warning started when upgrading the beats to version 7.15.0 using TLS version 1.2.

This is pretty annoying since we have service providers to deploy our beats packages on the host. We deliver the packages with Chocolatey or apt.

Any help would be appreciated.

BR
Flemming

Anyone up for the challenge? :slight_smile:

Hi, try setting verification_mode to strict, it should remove the warning. Configure SSL | Metricbeat Reference [7.16] | Elastic

Wow, thanks @Mattias_Brunnert . That indeed solved the issue. Man, I really thought 'full' is the maximum security setting you could select. But apparently 'strict' is more 'full' :slight_smile:

Glad to get it resolved :slight_smile:
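
Added example (not part of the thread, and not Beats' own code): a small Go model of the `certificate`, `full` and `strict` values of `verification_mode` as the Beats SSL documentation describes them, run against a constructed CA and a server certificate that has a CN but no Subject Alternative Name. The hostname, the helper names `issue` and `verify`, and the CN fallback under `full` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, sans []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: sans,
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { // self-signed CA that may sign other certificates
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify models the documented verification_mode semantics; it is not Beats' implementation.
func verify(mode string, leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	switch _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); {
	case mode == "none":
		return nil // no verification at all
	case err != nil || mode == "certificate":
		return err // untrusted chain, or chain-only mode (hostname ignored)
	case len(leaf.DNSNames)+len(leaf.IPAddresses) > 0:
		return leaf.VerifyHostname(host) // full and strict: host must match a SAN
	case mode == "full" && leaf.Subject.CommonName == host:
		return nil // assumption: with an empty SAN, full accepts a matching CN
	}
	return fmt.Errorf("no SAN on certificate matches %q", host) // strict: empty SAN is an error
}

func main() {
	ca, caKey := issue("constructed test CA", nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cnOnly, _ := issue("es01.example.internal", nil, ca, caKey) // CN set, SAN empty
	fmt.Println("full:  ", verify("full", cnOnly, roots, "es01.example.internal"))
	fmt.Println("strict:", verify("strict", cnOnly, roots, "es01.example.internal"))
}
```

In this model a certificate without SAN entries passes `full` and is rejected by `strict`, so checking the server certificate for SAN entries before switching modes avoids a surprise connection failure.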
