Watcher: HTTP input - verify certificate

alerting

(xixo) #1

Hi,

I'm creating a watcher to check some values with a RESTful API. It is failing with this error:

[2018-02-22T19:07:00,941][ERROR][o.e.x.w.i.h.ExecutableHttpInput] [kibana] failed to execute [http] input for watch [inlined], reason [sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]

The API is listening on HTTPS but it is self-signed. I can't find any attribute to skip the certificate verification: https://www.elastic.co/guide/en/x-pack/current/input-http.html#http-input-attributes.

Any recommendations?

Thanks.


(Lee Drengenberg) #2

You might get past this by installing your self-signed certs into your machine's certificate store. I have a test script that does this (also disables IPv6 to simplify things a bit for my case).

And I think you will have to use https if you're not already.

case "$VMOS" in
ubuntu)
  # Debian/Ubuntu: copy .crt files here, then rebuild the system CA bundle
  cp "$QADIR/../certs/ca/ca.crt" /usr/local/share/ca-certificates/
  cp "$QADIR/../certs/elasticsearch/elasticsearch.crt" /usr/local/share/ca-certificates/
  cp "$QADIR/../certs/kibana/kibana.crt" /usr/local/share/ca-certificates/
  update-ca-certificates

  # Disable IPv6 (specific to this test setup)
  echo "net.ipv6.conf.all.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.default.disable_ipv6 = 1" >> /etc/sysctl.conf
  echo "net.ipv6.conf.lo.disable_ipv6 = 1" >> /etc/sysctl.conf
  sysctl -p
  cat /proc/sys/net/ipv6/conf/all/disable_ipv6
  ;;
centos)
  # do we need sudo here?
  # sudo yum install -y ca-certificates
  sudo update-ca-trust force-enable
  # CentOS: copy trust anchors here, then "extract" rebuilds the bundles
  cp "$QADIR/../certs/ca/ca.crt" /etc/pki/ca-trust/source/anchors/
  cp "$QADIR/../certs/elasticsearch/elasticsearch.crt" /etc/pki/ca-trust/source/anchors/
  cp "$QADIR/../certs/kibana/kibana.crt" /etc/pki/ca-trust/source/anchors/
  sudo update-ca-trust extract
  ;;
windows)
  # Add the CA certificate to the machine's root store
  certutil -addstore root "$QADIR/../certs/ca/ca.crt"
  ;;
esac
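
A check to run before copying certificates into a trust store as in the reply above (an added example, not part of the original thread): it confirms with OpenSSL that a server certificate actually chains to the CA file you plan to trust. The PKI it builds, including the names demo-ca, other-ca and api.example.test, is constructed for the demonstration; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example. File names and CNs (demo-ca, other-ca, api.example.test)
# are constructed. Assumes OpenSSL 1.1.0 or later on PATH.

# chain_ok CA_FILE CERT_FILE
# Returns 0 only if CERT_FILE chains to CA_FILE. -no-CAfile/-no-CApath keep the
# system store out of the decision, so the result reflects this one anchor.
chain_ok() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR
# Builds a throwaway CA, a server cert it signs, and an unrelated CA.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -keyout "$1/api.key" -out "$1/api.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/api.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/api.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
}

# report CA_FILE CERT_FILE: print the verdict for one anchor/cert pair.
report() {
  if chain_ok "$1" "$2"; then
    echo "OK   $2 chains to $1"
  else
    echo "FAIL $2 has no valid path to $1 (the JVM's 'PKIX path building failed')"
  fi
}

demo=$(mktemp -d)
make_demo_pki "$demo"
report "$demo/ca.crt"    "$demo/api.crt"   # anchor is the CA that signed the cert
report "$demo/other.crt" "$demo/api.crt"   # anchor is an unrelated CA
report "$demo/ca.crt"    "$demo/ca.crt"    # self-signed cert used as its own anchor
rm -rf "$demo"
```

The check uses OpenSSL rather than the JVM that runs Watcher, so it validates the certificate material, not the contents of Elasticsearch's own truststore.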

