cloudfoundry-community / logsearch-for-cloudfoundry

A Logsearch addon that customises Logsearch to work with Cloud Foundry data
Apache License 2.0

Fix Kibana Auth Plugin issue: authentication is disabled when SSL validation is enabled! #355

Closed peterellisjones closed 4 years ago

peterellisjones commented 4 years ago

The Kibana auth plugin does not currently trust system certificates by default. When kibana-auth.cloudfoundry.skip_ssl_validation is false, the Kibana auth plugin fails to load and Kibana ignores failed plugins and then continues to load without authentication! The Kibana stderr logs indicate that the plugin fails to load due to a certificate error:

==> /var/vcap/sys/log/kibana/kibana.stderr.log <==
config.ERROR fetching CF info from "https://<SYSTEM_DOMAIN>/v2/info { Error: unable to get local issuer certificate
    at TLSSocket.onConnectSecure (_tls_wrap.js:1058:34)
    at TLSSocket.emit (events.js:198:13)
    at TLSSocket._finishInit (_tls_wrap.js:636:8) code: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' }

This fix sets NODE_EXTRA_CA_CERTS to the system certificate bundle for Ubuntu if this file exists, which allows the Kibana auth plugin to load successfully and therefore enables authentication for Kibana.

We have tested this script by manually editing config.sh on a running instance and verifying that it fixes the issue.
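The change described in this PR is a few lines of shell in config.sh. As an added example (editor's code, not the PR's diff or the project's config.sh), the script below shows that logic in a testable form: it exports NODE_EXTRA_CA_CERTS only when a real, non-empty PEM bundle is present, leaves the variable unset otherwise (so Node never points at a missing file), and adds a pre-flight check a practitioner would run before relying on the fix. The bundle path /etc/ssl/certs/ca-certificates.crt is the editor's assumption about which Ubuntu file the description means, and the `verify_cf_api` helper (openssl s_client against the CF API) is the editor's addition, not something the PR contains.

```bash
#!/bin/bash
# Added example, not the project's config.sh: set NODE_EXTRA_CA_CERTS to the
# system CA bundle so the Kibana auth plugin can validate the CF API certificate
# instead of failing to load (after which Kibana would start unauthenticated).

# Editor's assumption: the Ubuntu/Debian system bundle the PR description refers to.
UBUNTU_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# Echo the bundle path to trust, or return 1 when the file is missing, empty,
# or contains no PEM certificate. Takes the candidate path as $1 so the logic
# can be exercised against a test file instead of the real system bundle.
select_ca_bundle() {
  candidate="${1:-$UBUNTU_CA_BUNDLE}"
  if [ -s "$candidate" ] && grep -q 'BEGIN CERTIFICATE' "$candidate"; then
    printf '%s\n' "$candidate"
    return 0
  fi
  return 1
}

# Export NODE_EXTRA_CA_CERTS only when a usable bundle exists. Otherwise unset it,
# so Node falls back to its built-in Mozilla store rather than a dangling path.
configure_node_ca_certs() {
  if bundle="$(select_ca_bundle "$1")"; then
    export NODE_EXTRA_CA_CERTS="$bundle"
    echo "NODE_EXTRA_CA_CERTS=$NODE_EXTRA_CA_CERTS"
    return 0
  fi
  unset NODE_EXTRA_CA_CERTS
  echo "no system CA bundle found; Node will use its built-in CA store only" >&2
  return 1
}

# Pre-flight check (editor's addition, network-dependent, not run by the tests):
# confirm the CF API chain actually validates against the chosen bundle before
# deploying, so a missing issuer shows up here instead of as a silently
# unauthenticated Kibana. Usage: verify_cf_api api.system.example.com
verify_cf_api() {
  host="$1"
  bundle="$(select_ca_bundle "$2")" || { echo "no CA bundle" >&2; return 1; }
  # -verify_return_error makes s_client exit non-zero on a chain failure.
  openssl s_client -connect "$host:443" -servername "$host" \
    -CAfile "$bundle" -verify_return_error </dev/null >/dev/null 2>&1
}
```

If `verify_cf_api` fails while the bosh trusted_certs CA is already in the system store, the problem is the bundle on the VM rather than Node, and setting NODE_EXTRA_CA_CERTS will not help; if it succeeds but the plugin still logs UNABLE_TO_GET_ISSUER_CERT_LOCALLY, the export is not reaching the Kibana process environment.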

axelaris commented 4 years ago

Hi @peterellisjones, thank you for the contribution! I knew about that issue and merged a fix PR (#351) just 4 days ago ;-) It uses another approach, but I believe it also fixes the issue. What do you think: does your PR still make sense?

peterellisjones commented 4 years ago

Hi @axelaris,

From what I can tell, #351 doesn't fix the issue; it just errors and tells the user to set kibana-auth.cloudfoundry.skip_ssl_validation=true. However, I don't want to, and shouldn't need to, skip SSL validation — this is a security risk. My certificate is a valid root CA installed in the default Ubuntu system CA certificates directory via the bosh trusted_certs property. The problem is that NodeJS is not reading CA certificates from this directory, hence the need for setting the NODE_EXTRA_CA_CERTS parameter.

kind regards,

Pete

axelaris commented 4 years ago

Thank you, @peterellisjones, that makes sense!

peterellisjones commented 4 years ago

Thanks Alexey!