Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve trusted_ca_fingerprint warnings and fix tests #285

Merged
merged 3 commits into from
Mar 1, 2025
Merged

Improve trusted_ca_fingerprint warnings and fix tests #285

merged 3 commits into from
Mar 1, 2025
+75 −12

Conversation

strawgate
Copy link
Contributor

@strawgate strawgate commented Mar 1, 2025
edited
Loading

What does this PR do?

This PR updates the warnings that are printed in various edge cases using ca_trusted_fingerprint. I also add tests that assert the right warnings are printed in each edge case.

There were issues with the existing tests as well that I resolved.

  1. The tests didn't correctly verify that CA certs were or weren't added. For example the test "RootCA cert doesn not matche the fingerprint and is not added to cfg.RootCAs" actually did add the certificate to the cfg.RootCAs while still passing the test
  2. The test helper method that generates certificates generates a CA under unknown_authority but incorrectly marks the certificate as not being a CA certificate.

With this PR, the warning printed if the user provides the wrong fingerprint would be:
The provided 'ca_trusted_fingerprint': 'blah' does not match the fingerprint of any Certificate Authority present in the server's certificate chain. Found the following CA fingerprints instead: [8e700dc7381856dd16665b9d08286057e743bdb8fdb3dd9bb68ea19887481a48]

And when the Elasticsearch Server is missing its certificate chain it would print:
The remote server's certificate is presented without its certificate chain. Using 'ca_trusted_fingerprint' requires that the server presents a certificate chain that includes the certificates issuing certificate authority.

Today, in both of these cases it just prints: no CA certificate matching the fingerprint

Why is it important?

Users frequently try to use ca_trusted_fingerprint without realizing how significantly different the behavior of it is from providing a normal certificate.

This value is often provided via Fleet and when it doesn't work it is very hard to understand what to do next.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have added tests that prove my fix is effective or that my feature works

Related issues

elastic/beats#42970

@strawgate strawgate requested a review from a team as a code owner March 1, 2025 02:25
@strawgate strawgate requested review from AndersonQ and belimawr and removed request for a team March 1, 2025 02:25
@strawgate strawgate changed the title Improve_trusted_ca_fingerprint_warnings Improve trusted_ca_fingerprint warnings and fix tests Mar 1, 2025
@elasticmachine
Copy link
Collaborator

💚 Build Succeeded

History

@strawgate strawgate enabled auto-merge (squash) March 1, 2025 03:24
@strawgate strawgate merged commit dec2158 into main Mar 1, 2025
5 checks passed
@strawgate strawgate mentioned this pull request Mar 1, 2025
Open
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@belimawr belimawr belimawr approved these changes

@AndersonQ AndersonQ Awaiting requested review from AndersonQ AndersonQ is a code owner automatically assigned from elastic/elastic-agent-data-plane

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@strawgate @elasticmachine @belimawr