Webhook and SSL issue

I am generating an HTTPS webhook and receive the error below (I am using self-assigned certificates and added them already to the keystore).

"actions": [
  {
    "id": "my_webhook",
    "type": "webhook",
    "status": "failure",
    "error": {
      "root_cause": [
        {
          "type": "s_s_l_handshake_exception",
          "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
        }
      ],
      "type": "s_s_l_handshake_exception",
      "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
      "caused_by": {
        "type": "validator_exception",
        "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
        "caused_by": {
          "type": "sun_cert_path_builder_exception",
          "reason": "unable to find valid certification path to requested target"
        }
      }
    }
  },

Which keystore did you add these to?

You can specify the necessary trust configuration for Watcher; see "Watcher settings in Elasticsearch" in the Elasticsearch Guide [7.3].

For example:

xpack.http.ssl.certificate_authorities: ["/path/to/your/selfsigned/cert"]

would work fine

This is my configuration:

xpack.http.ssl.key: certs_pem/privatekey
xpack.http.ssl.certificate: certs_pem/elastic_node.cert
xpack.http.ssl.certificate_authorities: ["/etc/elasticsearch/certs_pem/ca.cert"]

I still receive the same error.

The webhook action is used to send an HTTP request to a web service. You have mentioned that this web service is using a self-signed certificate. So the code that makes this request needs to trust the web service's self-signed certificate. And this is configured by xpack.http.ssl.certificate_authorities.

Why did you add this? Is the web service that you connect to requiring that you perform client TLS authentication? If not, you shouldn't be sending a client certificate.

This would only work if the certificate that your web service uses for TLS is signed by ca.cert. Is this the case?

I left alone just this part:

xpack.security.http.ssl.certificate_authorities: ["/etc/elasticsearch/ca/mycert_1.cert", "/etc/elasticsearch/ca/mycert_2.cert"]

Still the same error.

You don't offer any context or details, so it becomes really hard to help you. We can't know if this configuration is fine or not, as we don't know what mycert_2.cert or mycert_1.cert is, how you created them, where they are used, or how they relate to the web service you want to connect to with the webhook.

Figured it out. The problem was that the destination for the webhook is utilizing a different certificate for web traffic and for webhooks. After also adding the one for the webhook, the error disappeared.
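The resolution above comes down to checking the certificate that the webhook endpoint itself presents against the CA files given to xpack.http.ssl.certificate_authorities. The following is an added example, not code from the thread or from Elastic: it uses the openssl command line, its function names are hypothetical, and the two demo CAs and the example.test names are constructed to reproduce a destination whose web and webhook certificates come from different issuers.

```shell
#!/bin/sh
# Added example: the certificates, keys and names below are constructed.

# trusted_by CA_BUNDLE CERT: succeeds only if CERT chains to a CA in CA_BUNDLE,
# which is what the webhook's TLS client checks against the files listed in
# xpack.http.ssl.certificate_authorities. -no-CApath stops OpenSSL from also
# consulting the system certificate directory.
trusted_by() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# presented_cert HOST PORT OUT: save the leaf certificate that HOST:PORT sends,
# so the check runs against the webhook listener and not the site's web page.
presented_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# issue DIR NAME CA: sign NAME.example.test with demo CA "CA" (constructed).
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 1 -CAcreateserial \
        -CA "$1/ca_$3.pem" -CAkey "$1/ca_$3.key" -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: two unrelated CAs; "web" is issued by A, "hook" by B.
make_demo_pki() {
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA $ca" \
            -keyout "$1/ca_$ca.key" -out "$1/ca_$ca.pem" 2>/dev/null || return 1
    done
    issue "$1" web a && issue "$1" hook b &&
        cat "$1/ca_a.pem" "$1/ca_b.pem" >"$1/both.pem"
}

# demo: print which CA list lets each endpoint certificate validate.
demo() {
    dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
    for cert in web hook; do
        for bundle in ca_a both; do
            result="not trusted"
            trusted_by "$dir/$bundle.pem" "$dir/$cert.pem" && result="trusted"
            echo "$cert.pem against $bundle.pem: $result"
        done
    done
    rm -rf "$dir"
}
demo
```

Against a real destination, run presented_cert with the exact host and port from the webhook action, then trusted_by with each file listed in certificate_authorities; a failure there corresponds to the "unable to find valid certification path" error.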
