xpack.monitoring.elasticsearch.ssl.verification_mode is not honored

[jakelandis]

xpack.monitoring.elasticsearch.ssl.verification_mode is a valid configuration option. According to the source code, "certificate, "none" are the valid options.

However, after closer inspection, it appears that it never gets translated into something useful. XPack monitoring uses the Elasticsearch output under the covers, and should map to https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-ssl_certificate_verification.

We could simply map "certificate" -> true (it is already by default), and "none" -> false.

Also, it appears that xpack management doesn't even expose this option, though it probably should.

[tsouza]

My recommendation is that we use full instead of certificate to match closer to the semantics of verification_mode in Elasticsearch, for instance.

[jakelandis]

My recommendation is that we use full instead of certificate

+1

FWIW, the recommended options for standardization (which we havn't implemented yet) are for these options: "none" , "certificate" , "full"

Where the difference between "certificate" and "full" is validation of the hostname.

Based on the underlying library [1], "full" (not "certificate") is the actual default, and should be renamed as such. I am not sure if we can support the intended definition of "certificate" based on the options provided by the underlying library [1]

[1]
https://github.com/cheald/manticore/blob/master/lib/manticore/client.rb#L607

[tsouza]

I also agree that none, certificate and full would be better to support. My suggestion to full was because, as you also mentioned, that certificate is not currently supported by the underlying library.

[yaauie]

Related issue on the modules side of things: #9734

[mbarretta]

I see this closed in #9866 , but unclear as to the actual implementation: did we get all three options (none, certificate, full) where the middle option (certificate) did CA validation but not hostname?

[willemdh]

Is this issue the reason we get the following warning for the .monitoring-logstash pipeline when logstash restarts?

[2019-04-11T11:50:09,678][INFO ][logstash.pipeline        ] Starting pipeline {:pipeline_id=>".monitoring-logstash", "pipeline.workers"=>1, "pipeline.batch.size"=>2, "pipeline.batch.delay"=>50}
[2019-04-11T11:50:09,701][WARN ][logstash.outputs.elasticsearch] ** WARNING ** Detected UNSAFE options in elasticsearch output configuration!
** WARNING ** You have enabled encryption but DISABLED certificate verification.
** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true

Config:

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.url: ["https://${HOSTNAME}:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "${LOGSTASH_SYSTEM}"
xpack.monitoring.elasticsearch.ssl.ca: /etc/pki/ca-trust/source/anchors/CA.pem

Tried adding:

xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

But didn't help. I don't find any documentation about usage of 'ssl_certificate_verification' in the 'xpack.monitoring.elasticsearch' part for logstash.yml..

[danlsgiga]

Same issue in 7.5.1

[jsvd]

This will be present in 7.9.1 with #12162