Closed zmoog closed 1 year ago
To set the ssl_assert_fingerprint
option, you must edit the config file stored in the S3 bucket.
Suppose you have a config.yml
file stored in the bucket with the following content:
inputs:
- type: "s3-sqs"
id: "arn:aws:sqs:eu-west-1:<REDACTED>:zmoog-dev-access-logs"
outputs:
- type: "elasticsearch"
args:
api_key: "<REDACTED>"
es_datastream_name: "logs-aws.s3access-default"
batch_max_actions: 500
batch_max_bytes: 10485760
ssl_assert_fingerprint: ""
In this example, the ssl_assert_fingerprint
is blank, the default option. With this value, the ssl_assert_fingerprint
is ignored, and ESF will validate the HTTPS certificate.
The next step is to get the fingerprint of the HTTPS certificate your Elasticsearch cluster is using now.
You can use OpenSSL to get the fingerprint for your certificate. Here's an example using an Elasticsearch cluster hosted on Elastic Cloud:
$ openssl s_client \
-connect my-deployment.es.eastus2.azure.elastic-cloud.com:443 \
-showcerts </dev/null 2>/dev/null | openssl x509 -noout -fingerprint
SHA1 Fingerprint=1C:46:32:75:AA:D6:F1:E2:8E:10:A3:64:44:B1:36:C9:7D:44:35:B4
You can use your DNS name, IP address, and port number instead of my-deployment.es.eastus2.azure.elastic-cloud.com:443
from the above example.
Copy your fingerprint value for the next step.
As a final step, edit your config.yml
file to use the SSL fingerprint:
inputs:
- type: "s3-sqs"
id: "arn:aws:sqs:eu-west-1:<REDACTED>:zmoog-dev-access-logs"
outputs:
- type: "elasticsearch"
args:
api_key: "<REDACTED>"
es_datastream_name: "logs-aws.s3access-default"
batch_max_actions: 500
batch_max_bytes: 10485760
ssl_assert_fingerprint: "1C:46:32:75:AA:D6:F1:E2:8E:10:A3:64:44:B1:36:C9:7D:44:35:B4"
To double-check the mechanism is working, your can modify the fingerprint.
For this test, I am replacing B4
with B0
in the above fingerprint.
With the wrong fingerprint, ESF with log a message like this one:
{
"@timestamp": "2023-08-07T11:12:46.785Z",
"log.level": "warning",
"message": "GET https://my-deployment.es.eastus2.azure.elastic-cloud.com:443/ [status:N/A request:0.233s]",
"ecs": {
"version": "1.6.0"
},
"error": {
"message": "Fingerprints did not match. Expected \"1c463275aad6f1e28e10a36444b136c97d4435b0\", got \"b'1c463275aad6f1e28e10a36444b136c97d4435b4'\".",
"stack_trace": " File \"/var/task/elasticsearch/connection/http_urllib3.py\", line 255, in perform_request\n response = self.pool.urlopen(\n File \"/var/task/elasticapm/instrumentation/packages/base.py\", line 211, in call_if_sampling\n return self.call(module, method, wrapped, instance, args, kwargs)\n File \"/var/task/elasticapm/instrumentation/packages/urllib3.py\", line 132, in call\n response = wrapped(*args, **kwargs)\n File \"/var/task/urllib3/connectionpool.py\", line 787, in urlopen\n retries = retries.increment(\n File \"/var/task/urllib3/util/retry.py\", line 525, in increment\n raise six.reraise(type(error), error, _stacktrace)\n File \"/var/task/urllib3/packages/six.py\", line 770, in reraise\n raise value\n File \"/var/task/urllib3/connectionpool.py\", line 703, in urlopen\n httplib_response = self._make_request(\n File \"/var/task/urllib3/connectionpool.py\", line 386, in _make_request\n self._validate_conn(conn)\n File \"/var/task/urllib3/connectionpool.py\", line 1042, in _validate_conn\n conn.connect()\n File \"/var/task/urllib3/connection.py\", line 450, in connect\n assert_fingerprint(\n File \"/var/task/urllib3/util/ssl_.py\", line 204, in assert_fingerprint\n raise SSLError(\n",
"type": "SSLError"
},
"log": {
"logger": "elasticsearch",
"origin": {
"file": {
"line": 288,
"name": "base.py"
},
"function": "log_request_fail"
},
"original": "GET https://my-deployment.es.eastus2.azure.elastic-cloud.com:443/ [status:N/A request:0.233s]"
},
"process": {
"name": "MainProcess",
"pid": 8,
"thread": {
"id": 140422914877248,
"name": "MainThread"
}
},
"service": {
"name": "forwarder-lambda-ApplicationElasticServerlessForwa-E3uBQcSDRFwm"
},
"span": {
"id": "13370a075b108858"
},
"trace": {
"id": "82f3c38384713b567b01f80c76820d67"
},
"transaction": {
"id": "053c32e093d2d473"
}
}
Closing as completed.
In v1.5.0, the pull request https://github.com/elastic/elastic-serverless-forwarder/pull/173 introduces the SSL fingerprint option to access Elasticsearch clusters using self-signed certificates.
I want to test it and add step-by-step instructions on how to set it up.