
[aws] Regenerate expired AWS Config system test certificate#18950

Open
andrewkroh wants to merge 1 commit into elastic:main from andrewkroh:aws/bugfix/aws-config-expired-cert

Conversation

@andrewkroh
Member

@andrewkroh andrewkroh commented May 11, 2026

Proposed commit message

The self-signed certificate used by the AWS Config data stream's system
test docker service expired on 2026-05-06, causing the system test to
fail when the stream container's TLS listener presented an expired cert.

Regenerated the cert against the existing private key with the same
subject (CN=config.xxxx.amazonaws.com) and a 50-year validity period
(now valid through 2076-04-28). Test-only change; not user-facing, so
no changelog entry.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file. ~ Not applicable — _dev/ test fixtures are not shipped to users, so this change is not user-facing. Matches precedent set by ebf0f70.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Certificate modulus matches the existing private.key (verified via openssl rsa -modulus | md5).
  • Subject and issuer match the previous self-signed cert so docker-compose / system test config does not need to change.

How to test this PR locally

cd packages/aws
elastic-package test system --data-streams config -v

Or inspect the new cert directly:

openssl x509 -in packages/aws/data_stream/config/_dev/deploy/docker/files/certificate.crt \
  -noout -dates -subject -issuer

Expected:

notBefore=May 11 22:31:26 2026 GMT
notAfter=Apr 28 22:31:26 2076 GMT
subject=C=US, ST=California, L=San Francisco, O=My Company, OU=My Unit, CN=config.xxxx.amazonaws.com
issuer=C=US, ST=California, L=San Francisco, O=My Company, OU=My Unit, CN=config.xxxx.amazonaws.com

Related
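As an added example (not the PR's own code), the checks from the author's checklist expressed in Go: a regenerated fixture cert must be unexpired at build time, issued against the existing private key, and self-signed (subject equals issuer). The CN is taken from the PR; the key, serial and dates are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// fixtureCN is the subject CN from the PR; everything else here is constructed.
const fixtureCN = "config.xxxx.amazonaws.com"

// newTestKey stands in for the fixture's existing private.key (constructed, not the real key).
func newTestKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// selfSign re-issues a self-signed server cert for an existing key, like `openssl x509 -req -days N -signkey`.
func selfSign(key *rsa.PrivateKey, cn string, notBefore time.Time, days int) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(0, 0, days),
		DNSNames:     []string{cn},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// fixtureProblems: checks a regenerated fixture should pass (valid at now, key matches, self-signed).
func fixtureProblems(cert *x509.Certificate, key *rsa.PrivateKey, now time.Time) []string {
	var problems []string
	if now.After(cert.NotAfter) {
		problems = append(problems, "expired: notAfter="+cert.NotAfter.UTC().Format(time.RFC3339))
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		problems = append(problems, "public key does not match private.key")
	}
	if cert.Subject.String() != cert.Issuer.String() {
		problems = append(problems, "subject and issuer differ (not self-signed)")
	}
	return problems
}
```

Running `fixtureProblems` against the committed cert and key as a CI pre-check would catch the expiry before the system test does, rather than surfacing it as a flaky TLS failure.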

@andrewkroh andrewkroh requested a review from a team as a code owner May 11, 2026 22:37
@andrewkroh andrewkroh added Integration:aws AWS flaky-test Unstable or unreliable test cases. bugfix Pull request that fixes a bug issue labels May 11, 2026
@andrewkroh andrewkroh enabled auto-merge (squash) May 11, 2026 22:39
@github-actions
Contributor

TL;DR

Check integrations aws failed because the AWS Config system-test TLS certificate in the fixture is expired (notAfter=May 6 2026), so the stream’s HTTPS endpoint presents an invalid cert during tests. Regenerate/replace that fixture cert and rerun the Buildkite job.

Remediation

  • Replace packages/aws/data_stream/config/_dev/deploy/docker/files/certificate.crt with a valid certificate for CN=config.xxxx.amazonaws.com (or regenerate with a new validity window, as in commit 02ad73287213cb706793bea7904e6f8119c707a5).
  • Rerun Check integrations aws (or locally: .buildkite/scripts/test_one_package.sh packages/aws origin/main 02ad73287213cb706793bea7904e6f8119c707a5) to confirm the system test now passes.
Investigation details

Root Cause

The AWS package’s system-test docker fixture cert is expired in the repository state used by CI:

  • packages/aws/data_stream/config/_dev/deploy/docker/files/certificate.crt
  • openssl x509 -noout -dates shows notAfter=May 6 06:27:43 2026 GMT.

Given this build ran on 2026-05-12, TLS validation against that fixture cert is expected to fail.

Evidence

  • Build: https://buildkite.com/elastic/integrations/builds/42681
  • Job/step: Check integrations aws
  • Key log excerpt:
    • --- [aws] failed
    • Error: The command exited with status 1
  • Related commit context: 02ad73287213cb706793bea7904e6f8119c707a5 updates only packages/aws/data_stream/config/_dev/deploy/docker/files/certificate.crt with message indicating expired AWS Config system-test cert regeneration.

Verification

  • Local certificate metadata check performed via OpenSSL on packages/aws/data_stream/config/_dev/deploy/docker/files/certificate.crt.
  • Full failing test stack trace was not present in the provided /tmp/gh-aw/buildkite-logs/integrations-check-integrations-aws.txt excerpt.

Follow-up

If this build used the regenerated cert already, fetch the full aws-system JUnit/XML artifact to confirm whether there is a second TLS fixture or another test path still referencing an expired cert.

Note

🔒 Integrity filter blocked 6 items

The following items were blocked because they don't meet the GitHub integrity level.

  • [aws] Regenerate expired AWS Config system test certificate #18950 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • #18950 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • 02ad732 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • 22fb884 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • b7dcfe9 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
  • 9e43b20 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

What is this? | From workflow: PR Buildkite Detective


The self-signed certificate used by the AWS Config data stream's system
test docker service expired on 2026-05-06, causing the system test to
fail when the stream container's TLS listener presented an expired cert.

Regenerated the cert against the existing private key with the same
subject (CN=config.xxxx.amazonaws.com) and a 50-year validity period
(now valid through 2076-04-28). Also refreshed the inline CA bundle in
test-default-config.yml so the agent trusts the new server cert during
the system test. Test-only change; not user-facing, so no changelog
entry.
@andrewkroh andrewkroh force-pushed the aws/bugfix/aws-config-expired-cert branch from 02ad732 to cbd9aa6 on May 12, 2026 01:21
@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine

💚 Build Succeeded

History

@andrewkroh andrewkroh added the Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] label May 12, 2026
@infra-vault-gh-plugin-prod

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
