Open AndersonQ opened 7 months ago
Pinging @elastic/fleet (Team:Fleet)
The TLS config should be correctly formatted as it happens for the ES output and others
To be clear, we expect this certificate to be formatted with the >- YML block-chomping operator, as we do in other policy objects. Is that correct @AndersonQ?
@kpollich, not really. The issue here is that the certificate has 2 of its lines on the same line. It should be formatted like that:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Besides, I believe the agent receives it as JSON. I believe the issue comes from the type of input used on the add proxy "page". If you look at the input fields for the TLS config on the add logstash output "page", you'll see it's the big text field.
textarea
text
So for the proxy, the field forces the whole text to be on a single line and I believe it's losing the correct line breaks.
and it can be seen in the policy stored on .fleet-policies:
  "outputs": {
    "596add4e-78f7-45a4-9e34-50acf71d3773": {
      "type": "logstash",
      "hosts": [
        "127.0.0.1:4242"
      ],
      "ssl": {
        "certificate": """-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
""",
        "certificate_authorities": []
      },
      "secrets": {
        "ssl": {
          "key": {
            "id": "JVzKdo4Bp8p83IV2FruP"
          }
        }
      }
    },
[...]
  "fleet": {
    "hosts": [
      "https://d45b956c801e4d8d8ea56ff23661a9ab.fleet.us-central1.gcp.cloud.es.io:443"
    ],
    "proxy_url": "http://127.0.0.1:8888",
    "ssl": {
      "renegotiation": "never",
      "verification_mode": "",
      "certificate": "-----BEGIN CERTIFICATE----- MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1 MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5 KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B 2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot -----END CERTIFICATE-----",
      "key": "-----BEGIN EC PRIVATE KEY----- MIGkAgEBBDC3lM5k4aqpSK4tn/nI0almgDDt4ifb6zrKg4/2jJWD1GHQwvVG4yhl AKp/N44rdDKgBwYFK4EEACKhZANiAASuh7Mqd4ywHb7qBMY48n4XfevXMi9rOSlS 6d96P/EQ/aPy6GWz61zU5qqyUhbt7PMvCfE09Ro7/4RpGgSO/dv9POs6k1hvgdo2 z7AP11BL4nP0BcqyQMTzFWfOz+1xDEM= -----END EC PRIVATE KEY-----"
    }
  }
},
as well as in the yaml from View Policy on fleetUI:
id: bfda4972-84bc-40a9-a290-5aa97a5829a1
revision: 1
outputs:
  596add4e-78f7-45a4-9e34-50acf71d3773:
    type: logstash
    hosts:
      - '127.0.0.1:4242'
    ssl:
      certificate: |
        -----BEGIN CERTIFICATE-----
        MIIByjCCAVCgAwIBAgICBnowCgYIKoZIzj0EAwMwKDESMBAGA1UEChMJR2FsbGlm
        cmV5MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMjQwMzI1MTc1MTM3WhcNMjQwMzI1
        MjA1MTM3WjAoMRIwEAYDVQQKEwlHYWxsaWZyZXkxEjAQBgNVBAMTCWxvY2FsaG9z
        dDB2MBAGByqGSM49AgEGBSuBBAAiA2IABK6Hsyp3jLAdvuoExjjyfhd969cyL2s5
        KVLp33o/8RD9o/LoZbPrXNTmqrJSFu3s8y8J8TT1Gjv/hGkaBI792/086zqTWG+B
        2jbPsA/XUEvic/QFyrJAxPMVZ87P7XEMQ6NNMEswDgYDVR0PAQH/BAQDAgeAMB0G
        A1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATAaBgNVHREEEzARgglsb2NhbGhv
        c3SHBH8AAAEwCgYIKoZIzj0EAwMDaAAwZQIxANSbjKUFlN1VmlNSDolkuywi0vtO
        b+eWgFVs2IaP7r1h0yrsaHMKOPJDx14b8jtBgwIwW1l77djOSoElO4Q6kUnWJzmh
        oPj1DCHkkqnWIWHIy/PtNqdkMCaaVgvD4fhFEnot
        -----END CERTIFICATE-----
      certificate_authorities: []
    secrets:
      ssl:
        key:
          id: JVzKdo4Bp8p83IV2FruP
  default:
    type: elasticsearch
    hosts:
      - 'https://838b90d702eb4f7089f82f90be009619.us-central1.gcp.cloud.es.io:443'
    preset: balanced
fleet:
  hosts:
    - >-
      https://d45b956c801e4d8d8ea56ff23661a9ab.fleet.us-central1.gcp.cloud.es.io:443
  proxy_url: 'http://127.0.0.1:8888'
  ssl:
    renegotiation: never
    verification_mode: ''
    certificate: >-
      -----BEGIN CERTIFICATE-----[...] -----END CERTIFICATE-----
    key: >-
      -----BEGIN EC PRIVATE KEY-----
      MIGkAgEBBDC3lM5k4aqpSK4tn/nI0almgDDt4ifb6zrKg4/2jJWD1GHQwvVG4yhl
      AKp/N44rdDKgBwYFK4EEACKhZANiAASuh7Mqd4ywHb7qBMY48n4XfevXMi9rOSlS
      6d96P/EQ/aPy6GWz61zU5qqyUhbt7PMvCfE09Ro7/4RpGgSO/dv9POs6k1hvgdo2
      z7AP11BL4nP0BcqyQMTzFWfOz+1xDEM= -----END EC PRIVATE KEY-----
Kibana version: 8.13, main
Elasticsearch version: 8.13, main
Server OS version: Elastic Cloud
Browser version: Brave v1.64.109 (Mar 20, 2024)
Browser OS version: Pop!_OS 22.04 LTS
Original install method (e.g. download page, yum, from source, etc.): N/A
Describe the bug: Fleet UI does not format proxy TLS config correctly
Steps to reproduce:
Expected behavior: The TLS config should be correctly formatted as it happens for the ES output and others
Screenshots (if relevant):
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context:
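The failure reported in this issue, a PEM value whose line breaks arrive as spaces, can be detected and repaired before the value is written to a policy. The following is an added example, not part of the original report and not code from Kibana or Fleet. All function names and the sample PEM body are constructed for illustration, and it assumes PEM blocks without RFC 1421 header lines.

```javascript
// Added example, not Kibana/Fleet code. Assumes PEM blocks without RFC 1421
// header lines (e.g. "Proc-Type:"), whose values legitimately contain spaces.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// True when a block's BEGIN/END marker shares a line with the base64 body,
// or when blanks or tabs appear inside the body.
function hasCollapsedLines(text) {
  for (const m of text.matchAll(PEM_BLOCK)) {
    const body = m[2];
    if (!/^\r?\n/.test(body) || !body.endsWith('\n') || /[ \t]/.test(body)) {
      return true;
    }
  }
  return false;
}

// Rebuild each block: BEGIN line, base64 wrapped at 64 columns, END line.
function normalizePem(text) {
  const blocks = [];
  for (const m of text.matchAll(PEM_BLOCK)) {
    const b64 = m[2].replace(/\s+/g, '');
    if (b64.length % 4 !== 0 || !/^[A-Za-z0-9+\/]+={0,2}$/.test(b64)) {
      throw new Error(`PEM block "${m[1]}" does not contain valid base64`);
    }
    blocks.push(
      [`-----BEGIN ${m[1]}-----`, ...b64.match(/.{1,64}/g), `-----END ${m[1]}-----`].join('\n')
    );
  }
  if (blocks.length === 0) throw new Error('no PEM block found');
  return blocks.join('\n') + '\n';
}

// Constructed sample: 120 arbitrary bytes, not a real certificate.
function samplePem() {
  const bytes = Buffer.from(Array.from({ length: 120 }, (_, i) => (i * 37) % 256));
  const lines = bytes.toString('base64').match(/.{1,64}/g);
  return ['-----BEGIN CERTIFICATE-----', ...lines, '-----END CERTIFICATE-----'].join('\n') + '\n';
}

// Reproduces the shape seen in the proxy policy: line breaks become spaces.
function collapseToSingleLine(pem) {
  return pem.trim().replace(/\r?\n/g, ' ');
}

const broken = collapseToSingleLine(samplePem());
console.log(hasCollapsedLines(broken), normalizePem(broken) === samplePem());
```

Running `hasCollapsedLines` as a validation step on the form value surfaces the problem at input time, while `normalizePem` only repairs the layout and does not verify that the body is a valid certificate or key.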