elastic / synthetics

Synthetic Monitoring with Real Browsers
MIT License

Private certs no longer function on the new Elastic Agent Complete Image for Journeys #717

Open roygabriel opened 1 year ago

roygabriel commented 1 year ago

Issue Description

When private certificates are added to the system certificate store, browser synthetics (journeys) do not use these and SSL certificate errors are present on the journeys, unless HTTPS is turned off (not something most enterprise users want to do).

This is the error users receive in the Kibana Uptime UI: ERR_CERT_AUTHORITY_INVALID at https://some-url/

Issue Root Cause

This was not an issue that was present when the Elastic Agent Complete image used CentOS and has been present since the switch to Ubuntu. Browser Synthetics use Playwright with headless Chromium to run the journeys. In CentOS headless Chromium will trust the system certificate store and use those private certificates. In Ubuntu that no longer holds true and headless Chromium will only trust the Chromium certificate store for private certificates.

Proposed Solution

Below is the snippet of sanitized code I am using to build the docker image for use on private locations with private certificates. In our privately hosted enterprise environment this solves the noted issue. I'd like to confirm this method is the solution for this, and, if so, can this be documented so other users can easily find the solution.

FROM docker.elastic.co/beats/elastic-agent-complete:8.6.2
USER root
# Installing certutil (libnss3-tools) for later use to install private certs in the Chromium certificate store
ENV DEBIAN_FRONTEND=noninteractive
RUN apt update && apt install -y libnss3-tools

# Copying private certs from a private artifact registry to the image.
# -f makes the build fail on an HTTP error instead of saving an error page as a .crt;
# -k skips TLS verification of the registry itself, so the fetched CA files are not verified in transit
WORKDIR /usr/local/share/ca-certificates/
RUN curl -fsSk "https://some-private-artifact-registry/privateCrt1.cer" -o privateCrt1.crt && \
    curl -fsSk "https://some-private-artifact-registry/privateCrt2.cer" -o privateCrt2.crt

# update-ca-certificates is run so lightweight monitors (which use the system store) can use the private certificates
RUN chmod 644 /usr/local/share/ca-certificates/*
RUN update-ca-certificates

WORKDIR /usr/share/elastic-agent
USER elastic-agent

# Generating the nssdb Chromium certificate store (no password set)
RUN mkdir -p /usr/share/elastic-agent/.pki/nssdb && \
    certutil -d /usr/share/elastic-agent/.pki/nssdb -N --empty-password

# Adding private certificates to the Chromium certificate store for use in journeys.
# -t C,, marks each as a trusted CA for SSL server authentication; -a means the input file is PEM
RUN certutil -A -n "privateCrt1" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt1.crt && \
    certutil -A -n "privateCrt2" -d /usr/share/elastic-agent/.pki/nssdb -t C,, -a -i /usr/local/share/ca-certificates/privateCrt2.crt

USER root
# Removing certutil as it's no longer needed
RUN apt remove -y libnss3-tools && rm -rf /var/lib/apt/lists/*

USER elastic-agent
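
An added example, not code from the issue author or from the elastic/synthetics project: a small POSIX shell script that performs the NSS-store part of the Dockerfile above (create the database, import a PEM CA with the `C,,` trust flags) and then verifies that the CA actually appears in `certutil -L` output with the SSL CA trust flag, which is the check that catches a typo in the nickname, a DER file passed with `-a`, or the wrong trust column. The database path, the nicknames and the sample `certutil -L` listing are assumptions or constructed for the self-check; the `listing_trusts_ca` parser works on captured listing text so it can be exercised without certutil installed.

```shell
#!/bin/sh
# Added example (not from elastic/synthetics): import a private CA into the
# NSS database that headless Chromium reads, then verify the trust flag.
# NSSDB path is an assumption; override with the NSSDB environment variable.

NSSDB="${NSSDB:-$HOME/.pki/nssdb}"

# Create the NSS database only if it does not exist yet (idempotent on rebuilds).
ensure_nssdb() {
    [ -f "$NSSDB/cert9.db" ] && return 0
    mkdir -p "$NSSDB"
    certutil -d "sql:$NSSDB" -N --empty-password
}

# Import a PEM CA under nickname $1 from file $2 with trust "C,,":
# trusted CA for SSL server authentication, nothing for S/MIME or code signing.
import_ca() {
    nick="$1"; pem="$2"
    certutil -d "sql:$NSSDB" -A -n "$nick" -t "C,," -a -i "$pem"
}

# Succeed when nickname $2 is listed in `certutil -L` text $1 with a C flag in
# the first (SSL) trust column. Each listing line is "<nickname> <flags>",
# so the nickname is field 1 and the flag triple "SSL,S/MIME,JAR/XPI" is the
# last field. Nicknames are assumed to contain no spaces.
listing_trusts_ca() {
    listing="$1"; nick="$2"
    printf '%s\n' "$listing" | awk -v n="$nick" '
        $1 == n {
            split($NF, f, ",")
            if (index(f[1], "C") > 0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Live check against the real database.
verify_ca() {
    listing_trusts_ca "$(certutil -d "sql:$NSSDB" -L)" "$1"
}

# Constructed sample of `certutil -L` output used for the offline self-check:
# one CA imported correctly, one imported with no trust flags at all.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

privateCrt1                                                  C,,
untrustedCrt                                                 ,,
'

# Usage: install_private_ca.sh --install <nickname> <ca.pem>
if [ "${1:-}" = "--install" ]; then
    ensure_nssdb
    import_ca "$2" "$3"
    verify_ca "$2" && echo "OK: $2 is trusted as an SSL CA in $NSSDB"
fi
```

Run it from a Dockerfile `RUN` step as the `elastic-agent` user (`NSSDB=/usr/share/elastic-agent/.pki/nssdb sh install_private_ca.sh --install privateCrt1 /usr/local/share/ca-certificates/privateCrt1.crt`) so the build fails if the import silently did not land in the store. Because the script takes the PEM from disk, the fetch that puts it there can verify the registry against a CA bundle already in the image (`curl --cacert`) instead of `curl -k`, which would otherwise leave the trust anchor you are installing unverified in transit.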
pa-jberanek commented 6 months ago

Thanks for this Dockerfile - it did the job very nicely for us, just with an update to the base version. 👍