Private certs no longer function on the new Elastic Agent Complete Image for Journeys #717

Open
roygabriel opened this issue Mar 22, 2023 · 1 comment
roygabriel commented Mar 22, 2023

Issue Description

When private certificates are added to the system certificate store, browser synthetics (journeys) do not use these and SSL certificate errors are present on the journeys, unless HTTPS is turned off (not something most enterprise users want to do).

This is the error users receive in the Kibana Uptime UI:
ERR_CERT_AUTHORITY_INVALID at https://some-url/

Issue Root Cause

This was not an issue that was present when the Elastic Agent Complete image used CentOS and has been present since the switch to Ubuntu. Browser Synthetics use Playwright with headless Chromium to run the journeys. In CentOS headless Chromium will trust the system certificate store and use those private certificates. In Ubuntu that no longer holds true, and headless Chromium will only trust the Chromium certificate store for private certificates.

Proposed Solution

Below is the snippet of sanitized code I am using to build the docker image for use on private locations with private certificates. In our privately hosted enterprise environment this solves the noted issue. I'd like to confirm this method is the solution for this, and if so, can this be documented so other users can easily find the solution.

FROM docker.elastic.co/beats/elastic-agent-complete:8.6.2
USER root
# Installing certutil (from libnss3-tools) for later use to install private certs in the Chromium certificate store
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y libnss3-tools

# Copying private certs from a private artifact registry to the image
# Note: -k disables TLS verification for these downloads, so the fetched certificates
# should be checked out of band (e.g. by fingerprint) before being trusted
WORKDIR /usr/local/share/ca-certificates/
RUN curl -k "https://some-private-artifact-registry/privateCrt1.cer" -o privateCrt1.crt && \
    curl -k "https://some-private-artifact-registry/privateCrt2.cer" -o privateCrt2.crt

# update-ca-certificates is run so lightweight monitors (system trust store) can use the private certificates
RUN chmod 644 /usr/local/share/ca-certificates/*
RUN update-ca-certificates

WORKDIR /usr/share/elastic-agent
USER elastic-agent

# Generating the nssdb Chromium certificate store
RUN mkdir -p /usr/share/elastic-agent/.pki/nssdb && \
    certutil -d /usr/share/elastic-agent/.pki/nssdb -N --empty-password

# Adding private certificates to the Chromium certificate store for use in Journeys
RUN certutil -A -n "privateCrt1" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt1.crt && \
    certutil -A -n "privateCrt2" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt2.crt

USER root
# Removing certutil as it's no longer needed
RUN apt update && apt remove -y libnss3-tools && rm -rf /var/lib/apt/lists/*

USER elastic-agent
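A check worth running inside the built image before shipping it: list the Chromium NSS database and confirm each private CA is present with the `C` (trusted CA for TLS) flag the Dockerfile sets with `-t C,,`. This is an added verification helper, not part of the issue or of Elastic's image; it assumes the nssdb path and the `privateCrt1`/`privateCrt2` nicknames from the Dockerfile above, and the embedded `certutil -L` listing is a constructed sample.

```shell
#!/bin/sh
# Added example: verify that private CAs landed in Chromium's NSS store with CA trust.
# Assumes the nssdb path used in the Dockerfile above (override with NSSDB=...).
NSSDB="${NSSDB:-/usr/share/elastic-agent/.pki/nssdb}"

# Constructed sample of `certutil -L -d <db>` output (libnss3-tools format):
# privateCrt1 was added with -t C,, ; privateCrt2 was added with no trust flags.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

privateCrt1                                                  C,,
privateCrt2                                                  ,,
'

# trusted_as_ca LISTING NICKNAME -> exit 0 if NICKNAME is listed and its SSL trust
# field (first comma-separated field of the last column) contains "C", else 1.
# Nicknames containing spaces are not handled (the Dockerfile nicknames have none).
trusted_as_ca() {
  listing="$1"; nick="$2"
  printf '%s\n' "$listing" | awk -v n="$nick" '
    $1 == n { split($NF, f, ","); if (index(f[1], "C") > 0) found = 1 }
    END { exit found ? 0 : 1 }'
}

# check_nssdb NICKNAME... -> runs certutil against $NSSDB and reports each nickname
# that is missing or lacks CA trust. Returns 1 on any failure, 2 if the check
# cannot run (certutil absent, e.g. after the Dockerfile's cleanup, or db unreadable).
check_nssdb() {
  command -v certutil >/dev/null 2>&1 || {
    echo "certutil not available; run this before 'apt remove libnss3-tools'"; return 2; }
  listing="$(certutil -L -d "$NSSDB" 2>/dev/null)" || { echo "cannot open $NSSDB"; return 2; }
  rc=0
  for nick in "$@"; do
    if trusted_as_ca "$listing" "$nick"; then
      echo "ok: $nick is trusted as a CA (C,,) in $NSSDB"
    else
      echo "FAIL: $nick missing from $NSSDB or lacks the C trust flag"; rc=1
    fi
  done
  return $rc
}
```

Run it as the `elastic-agent` user (`check_nssdb privateCrt1 privateCrt2`) in a build stage before `libnss3-tools` is removed; a nonzero exit means a journey will still fail with ERR_CERT_AUTHORITY_INVALID for that CA.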
@pa-jberanek

Thanks for this Dockerfile - it did the job very nicely for us, just with an update to the base version. 👍
