Webhook https , ignoring verification of certificate

alerting

#1

Hi,
Is there any way to skip SSL validation when sending notification?

Presently I have

"actions": [
{
"id": "SLACK_notify",
"type": "webhook",
"status": "failure",
"reason": "SSLHandshakeException[java.security.cert.CertificateException: No name matching hooks.slack.com found]; nested: CertificateException[No name matching hooks.slack.com found]; "
}
]

It would be great to have similar options as curl has, means:
"If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option."

I have SSL proxy, it will be difficult to "fix" infrastructure. I don't need verification of certificate.

Best Regards
Michal


(Mark Walkom) #2

If you aren't doing validation why even bother with SSL?


#3

Not sure if understand correctly Your question.
I'm forced to use https (the only way provided by slack)

"webhook" : {
"method" : "POST",
"scheme" : "https",
"port" : 443,
"host" : "hooks.slack.com")

Unfortunately I have some wrong SSL proxy (in the middle), which causes SSLHandshakeException on watcher side.


(Mark Walkom) #4

Using SSL and then turning off validation makes SSL useless. You might as well just run HTTP.


#5

I don't know how to ignore the certificate but you can add your CA cert to be trusted:

  1. Add this line to /etc/default/elasticsearch
    ES_JAVA_OPTS=-Djavax.net.ssl.trustStore=/etc/pki/java/cacerts

2.) Add your CA certificate to the keystore:
keytool -import -trustcacerts -alias XYZ -file /tmp/cert.pem -keystore /etc/pki/java/cacerts

3.) Restart


(Alexander Reelsen) #6

Hey,

using the watcher.http.ssl.keystore.{path,password,key_password,algorithm} settings, one can also use a dedicated keystore for the http input/webhook action, which is also used as truststore, unless you are using shield, which uses it's own.

--Alex


SSLHandshakeException while using webhook action in watcher
(system) closed #7

(Mike Barretta) #8

For posterity (and v5-6), you can disable cert verification in watcher via a setting: https://www.elastic.co/guide/en/elasticsearch/reference/current/notification-settings.html#ssl-notification-settings

xpack.http.ssl.verification_mode
Controls the verification of certificates. Valid values are none, certificate, and full. Defaults to the value of xpack.ssl.verification_mode.