Webhook https, ignoring verification of certificate

Hi,
Is there any way to skip SSL validation when sending a notification?

Presently I have

"actions": [
    {
        "id": "SLACK_notify",
        "type": "webhook",
        "status": "failure",
        "reason": "SSLHandshakeException[java.security.cert.CertificateException: No name matching hooks.slack.com found]; nested: CertificateException[No name matching hooks.slack.com found]; "
    }
]

It would be great to have similar options as curl has, meaning:
"If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option."

I have an SSL proxy; it will be difficult to "fix" the infrastructure. I don't need verification of the certificate.

Best Regards
Michal

If you aren't doing validation why even bother with SSL?

Not sure if I understand your question correctly.
I'm forced to use https (the only way provided by Slack)

"webhook" : {
    "method" : "POST",
    "scheme" : "https",
    "port" : 443,
    "host" : "hooks.slack.com"
}

Unfortunately I have some wrong SSL proxy (in the middle), which causes SSLHandshakeException on watcher side.

Using SSL and then turning off validation makes SSL useless. You might as well just run HTTP.

I don't know how to ignore the certificate but you can add your CA cert to be trusted:

1. Add this line to /etc/default/elasticsearch:
    ES_JAVA_OPTS=-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts

2. Add your CA certificate to the keystore:
    keytool -import -trustcacerts -alias XYZ -file /tmp/cert.pem -keystore /etc/pki/java/cacerts

3. Restart

Hey,

Using the watcher.http.ssl.keystore.{path,password,key_password,algorithm} settings, one can also use a dedicated keystore for the http input/webhook action, which is also used as the truststore, unless you are using Shield, which uses its own.

--Alex

For posterity (and v5-6), you can disable cert verification in watcher via a setting: Watcher settings in Elasticsearch | Elasticsearch Guide [8.11] | Elastic

xpack.http.ssl.verification_mode
Controls the verification of certificates. Valid values are none, certificate, and full. Defaults to the value of xpack.ssl.verification_mode.

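What the three verification_mode values quoted above check, modelled as an added example (not code from this thread or from Elasticsearch). The certificate dictionaries, the CA names and the helpers `name_matches`, `handshake_result` and `compare` are constructed for illustration, and it assumes the proxy presents a certificate issued by its own CA that does not list hooks.slack.com; validity dates are not modelled.

```python
# Added example: a model of what each xpack.http.ssl.verification_mode value checks.
# Certificates are plain dicts (constructed); validity dates are not modelled.

def name_matches(host, san_dns_names):
    """RFC 6125-style match: exact name, or one wildcard as the leftmost label."""
    host = host.lower().rstrip(".")
    for pattern in san_dns_names:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            # "*.slack.com" covers "hooks.slack.com", not "slack.com" or "a.b.slack.com"
            head, _, rest = host.partition(".")
            if head and rest == pattern[2:]:
                return True
    return False

def handshake_result(mode, host, cert, trusted_issuers):
    """Return (accepted, reason) for one presented certificate under one mode."""
    if mode not in ("none", "certificate", "full"):
        raise ValueError(f"unknown verification_mode: {mode}")
    if mode == "none":
        return True, "nothing checked"
    if cert["issuer"] not in trusted_issuers:
        return False, "issuer not in truststore"
    if mode == "full" and not name_matches(host, cert["san"]):
        return False, f"No name matching {host} found"
    return True, "chain trusted" + (" and name matches" if mode == "full" else "")

# Constructed sample data (hypothetical names).
HOST = "hooks.slack.com"
TRUSTED = {"Corp Proxy CA"}   # after importing the proxy CA into the truststore
PRESENTED = {
    "ssl_proxy": {"issuer": "Corp Proxy CA", "san": ["proxy.corp.example"]},
    "untrusted": {"issuer": "Unknown CA", "san": ["hooks.slack.com"]},
}

def compare():
    """Map (mode, presenter) -> accepted, for every mode and sample certificate."""
    return {(mode, who): handshake_result(mode, HOST, cert, TRUSTED)[0]
            for mode in ("none", "certificate", "full")
            for who, cert in PRESENTED.items()}

if __name__ == "__main__":
    for (mode, who), accepted in compare().items():
        print(f"{mode:12} {who:10} {'accepted' if accepted else 'rejected'}")
```

With the proxy CA imported, `full` still rejects the proxy's certificate on the name check, `certificate` accepts it while still rejecting an unknown issuer, and `none` accepts both.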