Issue Description
When private certificates are added to the system certificate store, browser synthetics (journeys) do not use these and SSL certificate errors are present on the journeys, unless HTTPS is turned off (not something most enterprise users want to do).
This is the error users receive in the Kibana Uptime UI:
ERR_CERT_AUTHORITY_INVALID at https://some-url/
Issue Root Cause
This was not an issue that was present when the Elastic Agent Complete image used CentOS and has been present since the switch to Ubuntu. Browser Synthetics use Playwright with headless Chromium to run the journeys. In CentOS headless Chromium will trust the system certificate store and use those private certificates. In Ubuntu that no longer holds true and headless Chromium will only trust the Chromium certificate store for private certificates.
Proposed Solution
Below is the snippet of sanitized code I am using to build the Docker image for use on private locations with private certificates. In our privately hosted enterprise environment this solves the noted issue. I'd like to confirm this method is the solution for this, and if so, can this be documented so other users can easily find the solution?
FROM docker.elastic.co/beats/elastic-agent-complete:8.6.2
USER root
# Install certutil (libnss3-tools) for later use to add private certs to the Chromium certificate store
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y libnss3-tools
# Copy private certs from a private artifact registry into the image
# Note: -k skips TLS verification of the registry, so the downloaded CA files
# are not authenticated in transit
WORKDIR /usr/local/share/ca-certificates/
RUN curl -k "https://some-private-artifact-registry/privateCrt1.cer" -o privateCrt1.crt && \
    curl -k "https://some-private-artifact-registry/privateCrt2.cer" -o privateCrt2.crt
# update-ca-certificates is run so lightweight monitors can use the private certificates
RUN chmod 644 /usr/local/share/ca-certificates/*
RUN update-ca-certificates
WORKDIR /usr/share/elastic-agent
USER elastic-agent
# Generate the nssdb Chromium certificate store
RUN mkdir -p /usr/share/elastic-agent/.pki/nssdb && \
    certutil -d /usr/share/elastic-agent/.pki/nssdb -N --empty-password
# Add the private certificates to the Chromium certificate store for use in journeys
RUN certutil -A -n "privateCrt1" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt1.crt && \
    certutil -A -n "privateCrt2" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt2.crt
USER root
# Remove certutil as it's no longer needed
RUN apt-get update && apt-get remove -y libnss3-tools && rm -rf /var/lib/apt/lists/*
USER elastic-agent
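An added check, not part of the original post or of Elastic's image: because the Dockerfile above fetches its CA files with `curl -k`, this helper confirms that each file matches a SHA-256 digest obtained out of band and is PEM encoded before it is handed to `update-ca-certificates` and `certutil -a`. The function name `verify_ca_file`, its exit codes and the script name in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (hypothetical helper): gate a downloaded CA file before it
# becomes a trust anchor in the system store and the Chromium nssdb.

# verify_ca_file FILE EXPECTED_SHA256
# Returns 0 when FILE is a PEM certificate whose SHA-256 equals the pin,
# 1 on digest mismatch, 2 when FILE is missing or empty, 3 when not PEM.
verify_ca_file() {
    file=$1
    # Accept the pin in either hex case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 2; }

    # update-ca-certificates and "certutil -a" both expect PEM text; a DER
    # ".cer" that was only renamed to ".crt" fails this check.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$file"; then
        echo "not PEM encoded: $file" >&2
        return 3
    fi

    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# When run as a script: verify_ca_file.sh FILE SHA256
# In a Dockerfile this would sit between the curl step and
# update-ca-certificates, with the digest supplied as a build argument.
if [ "$#" -eq 2 ]; then
    verify_ca_file "$1" "$2"
fi
```

A non-zero exit fails the `RUN` step, so a substituted or wrongly encoded file stops the build before anything is trusted.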