grafana / alloy

OpenTelemetry Collector distribution with programmable pipelines
https://grafana.com/oss/alloy
Apache License 2.0

windows_certificate_filter doesn't add certificate chain #887

Open jerveree opened 6 months ago

jerveree commented 6 months ago

What's wrong?

When I try to use the windows_certificate_filter block to define the TLS certificate for Grafana Alloy, the certificate is found in the Windows certificate manager, but the (intermediate) CA isn't added to the certificate chain during the TLS handshake.

Steps to reproduce

Use an Alloy config with a windows_certificate_filter block and verify with openssl s_client to check the chain.

System information

Windows Server 2022 AMD64

Software version

Grafana Alloy v1.1.0

Configuration

logging {
    level = "info"
}

http {
    tls {
        client_auth_type = "NoClientCert"
        windows_certificate_filter {
            server {
                system_store = "LocalMachine"
                store = "My"
                template_id = "1.3.6.1.4.1.311.21.8.102447—-"
                refresh_interval = "5m"
            }
            client {
            }
        }
    }
}

prometheus.exporter.windows "collectors" {
    enabled_collectors = ["cpu","cs","logical_disk","net","os","service","system"]
}

Logs

No CA, openssl:

---
Certificate chain
 0 s:CN=———
   i:DC=be, DC=UGent, CN=UGent ADCS Enterprise CA 02
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 17 12:45:25 2024 GMT; NotAfter: May 17 12:45:25 2026 GMT
---

And connection fails with a decrypt error. Wireshark:

TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Decrypt Error)
    Content Type: Alert (21)
    Version: TLS 1.2 (0x0303)
    Length: 2
    Alert Message
        Level: Fatal (2)
        Description: Decrypt Error (51)

github-actions[bot] commented 5 months ago

This issue has not had any activity in the past 30 days, so the needs-attention label has been added to it. If the opened issue is a bug, check to see if a newer release fixed your issue. If it is no longer relevant, please feel free to close this issue. The needs-attention label signals to maintainers that something has fallen through the cracks. No action is needed by you; your issue will be kept open and you do not have to respond to this comment. The label will be removed the next time this job runs if there is new activity. Thank you for your contributions!