
elastic-agent elasticsearch CA fingerprint support #29128

Merged
2 changes: 1 addition & 1 deletion libbeat/common/transport/tlscommon/ca_pinning.go
Expand Up @@ -51,7 +51,7 @@ func verifyCAPin(hashes []string, verifiedChains [][]*x509.Certificate) error {

// Fingerprint takes a certificate and create a hash of the DER encoded public key.
func Fingerprint(certificate *x509.Certificate) string {
hash := sha256.Sum256(certificate.RawSubjectPublicKeyInfo)
hash := sha256.Sum256(certificate.Raw)
@simitt, I've tried the change you suggested here and my tests have rejected the certificate

Could you be a bit more specific what rejected the certificate means? And did you convert the ES fingerprint from hex to base64 before configuring it?

And since it is self-signed, you need to also configure the CA with the current libbeat code. I mentioned this in my first comment, as it might be a problem if only the fingerprint is passed down from Fleet.

both hex and basic should still be accepted, right? Can we know whether certs are hex or basic in order to avoid conversion when not needed?

return base64.StdEncoding.EncodeToString(hash[:])
}

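Review bot: The doc comment on `Fingerprint` is stale if `hash := sha256.Sum256(certificate.Raw)` is the new line, as the print order suggests: it still says the hash is of the DER-encoded public key, but `certificate.Raw` is the whole DER-encoded certificate, not `RawSubjectPublicKeyInfo`. Suggest `// Fingerprint returns the base64-encoded SHA-256 digest of the DER-encoded certificate.` Because this helper feeds `verifyCAPin` (whose body is outside the hunk), the switch also means any `ca_sha256` pin that was computed from the SPKI under the old code will stop matching after upgrade; that is worth a sentence in the doc comment or changelog so operators know to recompute their pins from the certificate.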
8 changes: 8 additions & 0 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll.go
Expand Up @@ -53,6 +53,7 @@ func addEnrollFlags(cmd *cobra.Command) {
cmd.Flags().StringP("enrollment-token", "t", "", "Enrollment token to use to enroll Agent into Fleet")
cmd.Flags().StringP("fleet-server-es", "", "", "Start and run a Fleet Server along side this Elastic Agent connecting to the provided elasticsearch")
cmd.Flags().StringP("fleet-server-es-ca", "", "", "Path to certificate authority to use with communicate with elasticsearch")
cmd.Flags().StringP("fleet-server-es-ca-sha256", "x", "", "Elasticsearch certificate authority's SHA256 fingerprint")
cmd.Flags().BoolP("fleet-server-es-insecure", "", false, "Disables validation of certificates")
cmd.Flags().StringP("fleet-server-service-token", "", "", "Service token to use for communication with elasticsearch")
cmd.Flags().StringP("fleet-server-policy", "", "", "Start and run a Fleet Server on this specific policy")
Expand Down Expand Up @@ -103,6 +104,7 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
}
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchCASHA256, _ := cmd.Flags().GetString("fleet-server-es-ca-sha256")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
fPolicy, _ := cmd.Flags().GetString("fleet-server-policy")
Expand Down Expand Up @@ -140,6 +142,10 @@ func buildEnrollmentFlags(cmd *cobra.Command, url string, token string) []string
args = append(args, "--fleet-server-es-ca")
args = append(args, fElasticSearchCA)
}
if fElasticSearchCASHA256 != "" {
args = append(args, "--fleet-server-es-ca-sha256")
args = append(args, fElasticSearchCASHA256)
}
if fServiceToken != "" {
args = append(args, "--fleet-server-service-token")
args = append(args, fServiceToken)
Expand Down Expand Up @@ -285,6 +291,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
enrollmentToken, _ := cmd.Flags().GetString("enrollment-token")
fServer, _ := cmd.Flags().GetString("fleet-server-es")
fElasticSearchCA, _ := cmd.Flags().GetString("fleet-server-es-ca")
fElasticSearchCASHA256, _ := cmd.Flags().GetString("fleet-server-es-ca-sha256")
fElasticSearchInsecure, _ := cmd.Flags().GetBool("fleet-server-es-insecure")
fHeaders, _ := cmd.Flags().GetStringSlice("header")
fServiceToken, _ := cmd.Flags().GetString("fleet-server-service-token")
Expand Down Expand Up @@ -326,6 +333,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command, args []string) error {
FleetServer: enrollCmdFleetServerOption{
ConnStr: fServer,
ElasticsearchCA: fElasticSearchCA,
ElasticsearchCASHA256: fElasticSearchCASHA256,
ElasticsearchInsecure: fElasticSearchInsecure,
ServiceToken: fServiceToken,
PolicyID: fPolicy,
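Review bot: The new `fleet-server-es-ca-sha256` flag in `addEnrollFlags` is given the single-letter shorthand `"x"`, while the sibling `fleet-server-es`, `fleet-server-es-ca` and `fleet-server-es-insecure` flags all pass `""` for the shorthand. A one-letter alias for a rarely used TLS option is easy to collide with later and does not read as related to the flag name; suggest `cmd.Flags().StringP("fleet-server-es-ca-sha256", "", "", "Elasticsearch certificate authority's SHA256 fingerprint")` for consistency. The value is then forwarded verbatim in `buildEnrollmentFlags` and `enroll` (both functions start and end outside the hunks), so a malformed digest is only discovered when the spawned fleet-server fails its TLS setup; a light sanity check at the flag site, or at least a help-text hint of the expected format, would surface the mistake earlier.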
17 changes: 14 additions & 3 deletions x-pack/elastic-agent/pkg/agent/cmd/enroll_cmd.go
Expand Up @@ -77,6 +77,7 @@ type enrollCmd struct {
type enrollCmdFleetServerOption struct {
ConnStr string
ElasticsearchCA string
ElasticsearchCASHA256 string
ElasticsearchInsecure bool
ServiceToken string
PolicyID string
Expand Down Expand Up @@ -110,6 +111,7 @@ type enrollCmdOption struct {
FleetServer enrollCmdFleetServerOption `yaml:"-"`
}

// remoteConfig returns the configuration used to connect the agent to a fleet process.
func (e *enrollCmdOption) remoteConfig() (remote.Config, error) {
cfg, err := remote.NewConfigFromURL(e.URL)
if err != nil {
Expand Down Expand Up @@ -311,7 +313,7 @@ func (c *enrollCmd) fleetServerBootstrap(ctx context.Context, persistentConfig m
c.options.FleetServer.ConnStr, c.options.FleetServer.ServiceToken,
c.options.FleetServer.PolicyID,
c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256,
c.options.FleetServer.Headers,
c.options.ProxyURL,
c.options.ProxyDisabled,
Expand Down Expand Up @@ -517,7 +519,7 @@ func (c *enrollCmd) enroll(ctx context.Context, persistentConfig map[string]inte
c.options.FleetServer.ConnStr, c.options.FleetServer.ServiceToken,
c.options.FleetServer.PolicyID,
c.options.FleetServer.Host, c.options.FleetServer.Port, c.options.FleetServer.InternalPort,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA,
c.options.FleetServer.Cert, c.options.FleetServer.CertKey, c.options.FleetServer.ElasticsearchCA, c.options.FleetServer.ElasticsearchCASHA256,
c.options.FleetServer.Headers,
c.options.ProxyURL, c.options.ProxyDisabled, c.options.ProxyHeaders,
c.options.FleetServer.ElasticsearchInsecure,
Expand Down Expand Up @@ -853,7 +855,7 @@ func storeAgentInfo(s saver, reader io.Reader) error {
func createFleetServerBootstrapConfig(
connStr, serviceToken, policyID, host string,
port uint16, internalPort uint16,
cert, key, esCA string,
cert, key, esCA, esCASHA256 string,
headers map[string]string,
proxyURL string,
proxyDisabled bool,
Expand All @@ -875,6 +877,15 @@ func createFleetServerBootstrapConfig(
es.TLS.CAs = []string{esCA}
}
}
if esCASHA256 != "" {
if es.TLS == nil {
es.TLS = &tlscommon.Config{
CASha256: []string{esCASHA256},
}
} else {
es.TLS.CASha256 = []string{esCASHA256}
}
}
if host == "" {
host = defaultFleetServerHost
}
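Review bot: The added `esCASHA256` block in `createFleetServerBootstrapConfig` copies the shape of the `esCA` block above it, so the `es.TLS == nil` check and the `&tlscommon.Config{...}` construction now appear twice; a third TLS option would make a third copy. Creating the config once and letting each option fill in its own field reads more clearly and keeps the two options from diverging (e.g. one path constructing the struct with a field the other forgets). The opening lines of the `esCA` block are outside the hunk, so the merged form below replaces both blocks as a unit; the rest of the function continues past the hunk.
```go
// … unchanged: es / es.TLS setup above …
// Create the TLS config once; each option only sets its own field.
if es.TLS == nil && (esCA != "" || esCASHA256 != "") {
	es.TLS = &tlscommon.Config{}
}
if esCA != "" {
	es.TLS.CAs = []string{esCA}
}
if esCASHA256 != "" {
	es.TLS.CASha256 = []string{esCASHA256}
}
if host == "" {
```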