vinted / elasticsearch-exporter-rs

Proper Elasticsearch exporter
MIT License

Self signed certificates #85

Closed ventris closed 1 year ago

ventris commented 1 year ago

I'm unable to bypass the certificate warning in the application when going against an Elasticsearch server with self-signed certificates.

./elasticsearch_exporter --elasticsearch_url=https://host1.example.com:9200

 INFO  elasticsearch_exporter > Elasticsearch: ping
 WARN  rustls::conn           > Sending fatal alert BadCertificate
 ERROR elasticsearch_exporter > error sending request for url (https://host1.example.com:9200/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

The certificate is trusted by the system CA store and I can reach the host with curl without getting the certificate warning.

I can't find any way to run in insecure mode or point the application towards the CA for verification.

ernestas-vinted commented 1 year ago

Hi, unfortunately there is no way to control insecure mode because TLS is configured in a downstream elasticsearch crate: https://github.com/elastic/elasticsearch-rs/blob/master/elasticsearch/Cargo.toml#L26

ernestas-vinted commented 1 year ago

Closing because changes have to be made in upstream crate.

ventris commented 1 year ago

I have tested this some more and can confirm that if we switch to native-tls from rustls-tls it's possible to use self-signed certs for your Elasticsearch cluster.

elasticsearch-exporter-rs with rustls-tls

 INFO  elasticsearch_exporter > Elasticsearch: ping
 WARN  rustls::conn           > Sending fatal alert BadCertificate
 ERROR elasticsearch_exporter > error sending request for url (https://host.example.com:9200/): error trying to connect: invalid peer certificate contents: invalid peer certificate: UnknownIssuer

elasticsearch-exporter-rs with native-tls

 INFO  elasticsearch_exporter > Elasticsearch: ping
 INFO  elasticsearch_exporter::metadata::node_data > Elasticsearch: fetching cluster metadata
 INFO  elasticsearch_exporter::metadata            > Elasticsearch: fetching cluster_name
 INFO  elasticsearch_exporter                      > Listening on http://0.0.0.0:9222
 INFO  elasticsearch_exporter::metrics::_cat::indices > Starting subsystem: cat_indices with poll interval: 15sec lifetime: 180sec
 INFO  elasticsearch_exporter::metrics::_cat::health  > Starting subsystem: cat_health with poll interval: 15sec lifetime: 15sec
 INFO  elasticsearch_exporter::metrics::_nodes::stats > Starting subsystem: nodes_stats with poll interval: 15sec lifetime: 15sec
 INFO  elasticsearch_exporter::metrics::_stats::_all  > Starting subsystem: stats with poll interval: 15sec lifetime: 15sec
 INFO  elasticsearch_exporter::metadata::node_data    > Elasticsearch: fetching cluster metadata

Is there a reason for using rustls-tls in the Cargo.toml file, or can we just switch back to native-tls, as this is the default for the elasticsearch-rs package?
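The behaviour compared above (the certificate is trusted by the system store and by curl, yet a client whose TLS backend carries its own root bundle rejects it as an unknown issuer) can be reproduced offline. The script below is an added example, not code from this issue or from the exporter project: it constructs a private CA, issues a certificate for host1.example.com with it, and verifies that certificate against a trust store that contains the CA and against one that does not. The function names, the temporary directory layout and the CA names are assumptions made for the example; it only requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the exporter or the elasticsearch-rs crate.
# Reproduces the trust failure offline: a constructed private CA (stand-in for
# a self-signed organisation CA) issues a certificate for host1.example.com.
# Verification succeeds only when the verifier's trust store holds that CA.
# Assumes the openssl CLI is on PATH; every key and certificate is generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create two self-signed CAs and a server certificate signed by the first one.
# other_ca.pem stands in for a root bundle that does not include the private CA.
make_private_pki() {
    for ca in ca other_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" \
            -subj "/CN=Constructed $ca" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/host1.key" -out "$WORK/host1.csr" \
        -subj "/CN=host1.example.com" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/host1.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/host1.pem" >/dev/null 2>&1
}

# Build the chain for certificate $2 using the CA bundle $1 as the explicitly
# trusted roots. Exit status 0 = chain verified, non-zero = issuer unknown.
verify_with_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show both outcomes the way a connecting client would experience them.
demo() {
    make_private_pki
    if verify_with_ca "$WORK/ca.pem" "$WORK/host1.pem"; then
        echo "trust store containing the private CA: verified"
    fi
    if ! verify_with_ca "$WORK/other_ca.pem" "$WORK/host1.pem"; then
        echo "trust store without the private CA: rejected (unknown issuer)"
    fi
}

demo
```

Pointing the client at the issuing CA (the second call succeeds) is the fix this thread is after; it keeps chain validation intact, which an "insecure mode" would not.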

ernestas-vinted commented 1 year ago

Hey, the reason for using rustls-tls is that OpenSSL dependencies are not required, and the binary size is way smaller as well. I would be happy to accept a PR that would allow switching the feature flags for the SSL flavors.

ernestas-vinted commented 1 year ago

Having problems with releasing the new docker container to the hub, might take some time. In the meantime you can use the :latest docker container tag.

ernestas-vinted commented 1 year ago

Will release new version this week.

ernestas-vinted commented 1 year ago

Have reverted the change https://github.com/vinted/elasticsearch-exporter-rs/commit/26ad582c8ef0e406260bf630d3a120098ab360cf because it breaks the build/release due to the absence of openssl libraries. The build process needs reviewing.

ernestas-vinted commented 1 year ago

Good news.

Have switched back to openssl; this required switching to a Debian-based container as well.

ernestas-vinted commented 1 year ago

Please use v0.25.0