My frontend application uses https, so does apmserver need to use the same ca certificate?

Architecture


Not all services use https

question.1
Is a certificate required between apm agent and apm server?

question.2
Does the apm agent on the frontend application need to use the same certificate as the frontend?

question.3
If apmserver does not use https, can the complete link from front-end to back-end be fully recorded?

Hi @wajika,
using HTTPS for APM agent/server communication is generally not required, but strongly recommended. As soon as you run the server with apm-server.ssl.enabled=true all agents need to connect via HTTPS. The configuration of SSL has no impact on distributed tracing (recording a trace over frontend and backend services).
When using the RUM agent, you do not configure the certificate directly in the agent, but in the browser.


So how do I solve this kind of prompt?

It looks like you have configured an http endpoint instead of https for the APM Server. The RUM documentation shows how to configure the APM Server endpoint.

If apmserver enables https, then my other backend applications do not use https. Does it affect them?

I use the certificate generated by "elasticsearch-certutil http", can apmserver use it to enable https?

apm-server.ssl.enabled: true
apm-server.ssl.key: "/etc/pki/instance.key"
apm-server.ssl.certificate: "/etc/pki/instance.crt"

question.1
Is a certificate required between apm agent and apm server?

As Silvia said, generally not required but recommended.

In your specific case, however: since the frontend application is serving requests over HTTPS, you will need to enable TLS in apm-server for the RUM agent to be able to send data successfully. This is a requirement specific to browser/frontend applications.

question.2
Does the apm agent on the frontend application need to use the same certificate as the frontend?

The APM agent doesn't need to use a certificate; the APM server does. They do not need to be the same, but they could be if they run on the same host (or if you use a reverse proxy). As long as the browser can verify the server certificate, then it will work.

If apmserver enables https, then my other backend applications do not use https. Does it affect them?

You will need to configure the agents for the backend applications to communicate with the APM Server using TLS. Whether the backend application uses HTTPS or not doesn't matter.

I use the certificate generated by "elasticsearch-certutil http", can apmserver use it to enable https?

Yes, but you will need to install the CA certificate in your browser then. I generally would not recommend this approach, but it depends on your application and userbase.

How did you generate the frontend certificate? Is the frontend accessible through the internet, or is this an intranet application?

@axw Thank you for your reply.

I used an nginx proxy to resolve the TLS of the frontend application before apmserver (using the frontend TLS certificate).

How did you generate the frontend certificate?
Self signed certificate

Is the frontend accessible through the internet, or is this an intranet application?
The frontend application is deployed in an internal cluster

In that case, perhaps the simplest thing for you would be to have nginx proxy to APM Server as well, rather than configuring TLS in APM Server.

@axw Yes, this tip is good, I use this method now.
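
The arrangement settled on at the end of this thread, sketched as an nginx server block. This is an added example, not configuration posted by anyone in the thread; the host name `apm.example.internal`, the certificate paths and the loopback upstream on APM Server's default port 8200 are assumptions.

```nginx
# Added example: nginx terminates TLS, APM Server stays on plain HTTP.
# Assumed on the APM Server side (apm-server.yml):
#   apm-server.host: "127.0.0.1:8200"   # listen on loopback only
#   apm-server.ssl.enabled: false       # TLS is handled by nginx
# Binding to loopback keeps the unencrypted listener unreachable from
# other hosts, so every agent has to come in through nginx over HTTPS.

server {
    listen 443 ssl;
    server_name apm.example.internal;          # hypothetical host name

    # Hypothetical paths. The certificate must cover server_name and
    # chain to a CA that browsers and backend agents already trust.
    # With a self-signed certificate, the browser has to trust it
    # before the RUM agent's requests will succeed.
    ssl_certificate     /etc/nginx/tls/apm.crt;
    ssl_certificate_key /etc/nginx/tls/apm.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Forward RUM and backend agent traffic to the local APM Server.
        proxy_pass http://127.0.0.1:8200;

        # Preserve the original host, client address and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this in place, the RUM agent and the backend agents would all point their server URL at `https://apm.example.internal`, whether or not the backend applications themselves serve HTTPS.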