Webhook action with https fails


I'm trying to https-enable a webhook-action, which works fine over plain http. The endpoint is an nginx server, where ssl-setup is verified and working. Watcher webhook to the same server works fine over https. I understand that actions-webhook uses another method (axios) for the webhook and am looking for a proper way to debug that part.

Debugged the traffic in wireshark and found out that after client key exchange the nginx server sends "change cipher spec" message, and after that kibana (or axios) just replies with TCP FIN and terminates the connection. I suspect the axios in the kibana end is failing to agree on ciphers and just dies away.

Any suggestions on how to dig deeper into this issue? Where can I even tune ssl-options for axios (CA, cipher suite etc)? And most importantly, how to get more verbose logging? Kibana's verbose option for logging does not give specifics on why the connection dies. I've seen some people have managed to catch the actual exception also, but I have no clue where that takes place.

Have not yet tried 7.12, still using 7.9.

Thanks in advance!

Managed to get this to work. Could not find any info from the logs on why the failure was occurring, but figured out that it might be a CA issue. We use a self-signed CA, which was configured correctly in kibana.yml. But when using alert / actions via the axios module, it does not care about what is written in there. Instead, it relies on its own definition for custom CAs, which have to be provided via the environment variable NODE_EXTRA_CA_CERTS.

Might be a good idea to point these things out in the documentation of the actions/connectors for example.

Thanks for the comment, and you're right. We also have some kibana config that can help here, and may be required in some environments if the env var can't be used. See "Alerting and action settings in Kibana" in the Kibana Guide [7.12]: xpack.actions.rejectUnauthorized

I opened issue #98924 in elastic/kibana, "[docs][actions] add info on custom TLS settings to webhook doc", to track this - again, thanks!

We also recently merged some code that should appear in a future release, to allow for per-host customization of CAs. https://github.com/elastic/kibana/pull/96630


Thanks a bunch! Nice to know things are going forward on this issue, too. I found the reference to the xpack.actions.rejectUnauthorized option, but as we have to actually verify the self-signed certificates, this could not be used.