Unable to set Certificate Authority in Elastic APM


(Angela Daniels) #1

Hello,

APM error message - UNABLE_TO_VERIFY_LEAF_SIGNATURE (Certificate Authority)

It is important to state that I am not using x-pack security on my elastic cluster.

I am running elastic apm 6.5.4 and using elastic-apm-node (2.1.0). I am able to get the server to start, but there appear to be some issues with SSL. I have added the required code for configuring apm agents in my node project.

When I access a route on the server, I receive this error message.
APM Server transport error (UNABLE_TO_VERIFY_LEAF_SIGNATURE): unable to verify the first certificate

I used elasticsearch-certutil to generate a CA certificate and an APM certificate and key. I have then, in my docker file, placed the ca.crt, apm.crt, and apm.key in the apm-server folder. If I run the following command:

curl -v https://[hostname]:8200/v1/transactions

I receive the below response

CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
Server certificate:
subject: CN=apm
start date: Jan 21 12:20:43 2019 GMT
expire date: Jan 20 12:20:43 2022 GMT
common name: apm
issuer: CN=Elastic Certificate Tool Autogenerated CA
NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
Peer's Certificate issuer is not recognized.

* Closing connection 0

If I curl this passing the ca certificate then I get a positive response.

Any insights into what I've done wrong? I am also pasting my apm-docker.yaml file below:

apm-server.host: "0.0.0.0:8200"
apm-server.ssl.enabled: true
apm-server.ssl.certificate: "/usr/share/apm-server/apm.crt"
apm-server.ssl.key: "/usr/share/apm-server/apm.key"

output.elasticsearch:
  hosts: ['http://**redacted**:4200']
  protocol: "http"
  username: elastic
  password: "**redacted**"
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

(Andrew Wilkins) #2

At present, the Node.js agent does not support verifying self-signed certificates. If you configure the APM Server for HTTPS, then you must configure the Node.js agent to disable server certificate verification per https://www.elastic.co/guide/en/apm/agent/nodejs/current/configuration.html#validate-server-cert.

In a future version we should have support for certificate pinning. I've just opened https://github.com/elastic/apm-agent-nodejs/issues/815 to keep track of this.
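
Added example (not part of the original posts and not Elastic's code): the trust failure discussed in this thread, reproduced offline with openssl. It generates a throwaway CA and leaf certificate as constructed stand-ins for the elasticsearch-certutil output, then checks the leaf against the system bundle and against its own CA; the function names and the CA name are assumptions.

```bash
#!/usr/bin/env bash
# Added example. The CA and leaf below are throwaway, constructed stand-ins
# for the ca.crt / apm.crt / apm.key generated with elasticsearch-certutil.

# make_pki DIR CA_NAME: create a private CA and a leaf "CN=apm" signed by it.
make_pki() {
  local d="$1" ca_name="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca_name" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=apm" \
    -keyout "$d/apm.key" -out "$d/apm.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/apm.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/apm.crt" 2>/dev/null
}

# issuer_of CERT: print the issuer line, i.e. the CA the client must trust.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

# verify_leaf CERT [CAFILE]: exit 0 only if CERT chains to a trusted root.
# With no CAFILE only the system bundle is consulted, as in the failing curl.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify "$1" >/dev/null 2>&1
  fi
}

demo() {
  local tmp; tmp="$(mktemp -d)" || return 1
  make_pki "$tmp" "Example Private CA" || { rm -rf "$tmp"; return 1; }
  issuer_of "$tmp/apm.crt"
  if verify_leaf "$tmp/apm.crt"; then echo "system bundle: trusted"
  else echo "system bundle: NOT trusted (issuer unknown to the client)"; fi
  if verify_leaf "$tmp/apm.crt" "$tmp/ca.crt"; then echo "with ca.crt: trusted"
  else echo "with ca.crt: NOT trusted"; fi
  rm -rf "$tmp"
}
demo
```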


(Angela Daniels) #3

Thank you!

I was able to add that property and communicate successfully with APM.

