Alertmanager forwarder throws x509: certificate signed by unknown authority

[usamaahmadkhan]

Describe the bug I'm trying to forward falco alerts to Alertmanager which is running an SSL proxy sidecar. This sidecar allows to only communicate via HTTPS. A custom CA cert is being generated and used by Alertmanager.

When FalcoSideKick tries to forward alert to Alertmanager it throws the following error:

2020/07/29 08:18:40 [ERROR] : AlertManager - Post "https://alertmanager-main.openshift-monitoring.svc:9092/api/v1/alerts": x509: certificate signed by unknown authority

How to reproduce it Use an Alertmanager with SSL enabled generated via custom CA

Expected behaviour Falco alert reaches the Alertmanager successfully over HTTPS

Screenshots

Environment

• Falco version:

  Falco version: 0.24.0
  Driver version: 85c88952b018fdbce2464222c3303229f5bfcfad

• System info:

  {
  "machine": "x86_64",
  "nodename": "ip-10-0-196-186",
  "release": "4.18.0-193.12.1.el8_2.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Thu Jul 2 15:48:14 UTC 2020"
  }

• Cloud provider or hardware configuration:
• OS:

• Kernel: Linux ip-10-0-196-186 4.18.0-193.12.1.el8_2.x86_64 #1 SMP Thu Jul 2 15:48:14 UTC 2020 x86_64 GNU/Linux
• Installation method: Openshift/Kubernetes

Additional context

[Issif]

Hi,

Thanks for your issue. I confirm SSL communication with custom cert is not possible yet. I don't have time for working on it right now, but I'll take a look for sure.

[usamaahmadkhan]

@Issif What needs to be done? Maybe I can submit a PR

[Issif]

I think we need to figure out how to make possible to specify custom CA certs, but it should be a global parameter, not only for one output. Feel free to propose something of course, I'll review it for sure.

[usamaahmadkhan]

Different outputs may serve different custom CA certs. so configuring globally might not be a good approach. We can start by adding one for Alertmanager, test it, verify and then add for other outputs

[Issif]

I thought about a global folder with all custom CA. Maybe it's not related to falcosidekick at all, and we just adapt the helm chart for adding the custom CA folder in docker. The base image is an alpine after all.

[usamaahmadkhan]

Yes that would work. So mounting the CA cert via a secret on directory /usr/share/ca-certificates/ca.crt, and running update-ca-certificates should do the trick. Not sure if it will respect the server name field for the certificate.

[Issif]

@usamaahmadkhan can you test on your side? I would like to avoid to create a CA and cert.

[usamaahmadkhan]

ok I will test as soon as I find some free time.

[Issif]

@usamaahmadkhan have you moved forward with your tests?

[Issif]

Without any answer soon, I'll close this issue. Regards.

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[poiana]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

[Issif]

I got no awsner, I'm closing this issue.