Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CM] Unable to connect to TLS'd cluster for enrollment #9129

Closed
toddferg opened this issue Nov 16, 2018 · 4 comments
Closed

[CM] Unable to connect to TLS'd cluster for enrollment #9129

toddferg opened this issue Nov 16, 2018 · 4 comments
Labels
bug libbeat Management

Comments

@toddferg
Copy link
Contributor

Describe the enhancement:
When using an internal CA, or when you might have a hostname mismatch (for example: nat'd address) when enrolling in beat central management, there isn't a command line flag that gives the opportunity to specify ssl_verification: none, or specify a custom CA.

Describe a specific use case for the enhancement or feature:
In my deployments I sign from an internal CA, and need to specify the ssl settings in the configuration.
@gjelenc
Copy link

gjelenc commented Nov 21, 2018

+1

@ph ph added bug and removed enhancement labels Nov 30, 2018
@ph
Copy link
Contributor

ph commented Nov 30, 2018

I will mark it as a bug instead of an enhancement, if you want to use a custom CA the only solution at the moment would be to add the CA to the OS trust store and the enroll subcommand will pick it up.

@ph ph changed the title [beatCM] Unable to connect to TLS'd cluster for enrollment [CM] Unable to connect to TLS'd cluster for enrollment Dec 12, 2018
@ph
Copy link
Contributor

ph commented Dec 20, 2018
edited
Loading

I think we should do the following, it appears that we already support having management.kibana.tls.* The problem is this option is not used by the enroll command but they are used when we start the beat manager.

@ph
Copy link
Contributor

ph commented Dec 20, 2018

After talking with @mattapperson, since we are planning to move the enroll token to a web token we could add the CA as data in the web token and use that information when enrolling the beats.

We would still need to allow the enroll subcommand to read the configuration from the yml when using the api with the username / password.

@ph ph mentioned this issue Dec 21, 2018
Merged
ph added a commit to ph/beats that referenced this issue Jan 9, 2019
@ph
Allow to configure TLS option while enrolling
20a942b 
The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129
@ph ph closed this as completed in #9752 Jan 11, 2019
ph added a commit that referenced this issue Jan 11, 2019
@ph
[CM] Gracefully handle TLS options when enrolling a beats (#9752)
0a914fa 
The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: #9129
@ph ph mentioned this issue Jan 11, 2019
Merged
ph added a commit to ph/beats that referenced this issue Jan 11, 2019
@ph
[CM] Gracefully handle TLS options when enrolling a beats (elastic#9752)
3974485 
The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129

(cherry picked from commit 0a914fa)
@ph ph mentioned this issue Jan 11, 2019
Merged
ph added a commit to ph/beats that referenced this issue Jan 11, 2019
@ph
[CM] Gracefully handle TLS options when enrolling a beats (elastic#9752)
ff660a6 
The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129

(cherry picked from commit 0a914fa)
ph added a commit to ph/beats that referenced this issue Jan 11, 2019
@ph
[CM] Gracefully handle TLS options when enrolling a beats (elastic#9752)
0b183d9 
The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129

(cherry picked from commit 0a914fa)
@ph ph mentioned this issue Jan 11, 2019
Merged
ph added a commit that referenced this issue Jan 13, 2019
@ph
Cherry-pick #9752 to 6.x: [CM] Gracefully handle TLS options when enr…
a1b8d65 
…olling a beats (#10015)

Cherry-pick of PR #9752 to 6.x branch. Original message: 

The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: #9129
ph added a commit that referenced this issue Jan 13, 2019
@ph
Cherry-pick #9752 to 6.5: [CM] Gracefully handle TLS options when enr…
0427e38 
…olling a beats (#10017)

Cherry-pick of PR #9752 to 6.5 branch. Original message: 

The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: #9129
ph added a commit that referenced this issue Jan 13, 2019
@ph
Cherry-pick #9752 to 6.6: [CM] Gracefully handle TLS options when enr…
f643668 
…olling a beats (#10016)

Cherry-pick of PR #9752 to 6.6 branch. Original message: 

The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: #9129
@ph ph mentioned this issue Jan 23, 2019
Closed
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@ph
Cherry-pick elastic#9752 to 6.6: [CM] Gracefully handle TLS options w…
d1753df 
…hen enrolling a beats (elastic#10016)

Cherry-pick of PR elastic#9752 to 6.6 branch. Original message: 

The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129
leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
@ph
Cherry-pick elastic#9752 to 6.5: [CM] Gracefully handle TLS options w…
d0c3320 
…hen enrolling a beats (elastic#10017)

Cherry-pick of PR elastic#9752 to 6.5 branch. Original message: 

The `enroll` subcommand allow to specify the CA and other SSL options when
enrolling. Any TLS options will be persisted to the file and will be
used when fetching the configuration.

```
./filebeat enroll https://localhost:5601 d2eec88904f546f2816ce58061781c3d  -E "management.kibana.ssl.certificate_authorities=/tmp/myca.crt"
```
Fixes: elastic#9129
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug libbeat Management
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ph @gjelenc @toddferg