Add support for JKS files to x509_cert plugin #7013

Closed
elizabetht opened this issue Feb 12, 2020 · 8 comments
Labels
feature request Requests for new plugin and for new features to existing plugins

Comments

@elizabetht

Relevant telegraf.conf:

[[inputs.x509_cert]]
  sources = ["/etc/path-to-jks/server.jks"]

System info:

telegraf-1.13.2-1.x86_64 is included in the package

Steps to reproduce:

  1. Update the above telegraf config and reload telegraf-client
  2. Errors appear in the telegraf-client logs
    E! [inputs.x509_cert] Error in plugin: cannot get SSL cert '/etc/path-to-jks/server.jks': failed to parse certificate PEM

Expected behavior:

x509_cert plugin to parse JKS certificate files

Actual behavior:

Getting errors in the telegraf-client logs

 E! [inputs.x509_cert] Error in plugin: cannot get SSL cert '/etc/corona/server.jks': failed to parse certificate PEM

Additional info:

@elizabetht
Author

elizabetht commented Feb 12, 2020

Are JKS files supposed to be supported by this plugin? If not, can they be supported?

@danielnelson
Contributor

Unfortunately, the plugin does not support the JKS format; we only have support for PEM-encoded certs. We are interested in adding support for additional formats, though. I'll mark this as a feature request.

@danielnelson danielnelson added the feature request Requests for new plugin and for new features to existing plugins label Feb 12, 2020
@danielnelson danielnelson changed the title x509_cert plugin fails to parse JKS file Add support for JKS files to x509_cert plugin Feb 12, 2020
@elizabetht
Author

Thanks @danielnelson. Looking forward to this feature getting implemented.

@Nurlan199206

@elizabetht you can use the input.exec plugin with bash scripts.

Screenshot 2020-07-03 at 22 55 05

@gilgameshfreedom

+1 for this feature. Currently we have to deploy a java jetty server which reads and uses jks certs, and envoy monitors the jks certs through jetty (as common pem). But this approach is slightly awkward.

@sspaink
Contributor

sspaink commented Aug 2, 2022

Looking for a Go solution to parse the JKS format, I found this: https://github.com/pavlo-v-chernykh/keystore-go, which seems like the most mature solution. The problem I am seeing, though, is that it doesn't provide an exact match to the existing fields and tags the plugin outputs. I am not too familiar with the JKS format, so I am not sure if this is a limitation of the package or the format. I'm curious if anyone interested in this feature could share what fields and tags they would be interested in getting if the plugin could parse JKS?

@sspaink sspaink added the waiting for response waiting for response from contributor label Aug 2, 2022
@telegraf-tiger
Contributor

Hello! I am closing this issue due to inactivity. I hope you were able to resolve your problem; if not, please try posting this question in our Community Slack or Community Page. Thank you!

@Illutax

Illutax commented Apr 3, 2023

It's odd that you have to work with the jks and don't have the certificates lying around. But you might create your own Telegraf plugin consisting of a bash script, which extracts the p12 from the keystore using openssl and then writes the metric.

For reference here is a full tutorial: https://songrgg.github.io/operation/how-to-check-and-monitor-tls-jks-certificates-with-telegraf/

@telegraf-tiger telegraf-tiger bot removed the waiting for response waiting for response from contributor label Apr 3, 2023
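
Added example (not from the thread, and not Telegraf or keystore-go code): a minimal Go reader for the JKS version 2 container, in which certificates, including the chain of a private-key entry, are stored as unencrypted DER that `x509.ParseCertificate` can read for the expiry date. `ParseJKSCerts` is a name made up here; it assumes plain UTF-8 aliases and does not check the keystore's integrity digest.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"math/big"
	"os"
)

// ParseJKSCerts returns every stored certificate (DER) and, in parallel, its entry alias.
func ParseJKSCerts(b []byte) (aliases []string, ders [][]byte, err error) {
	take := func(n int64) (v []byte) { // bounds-checked read; the first failure sticks in err
		if err != nil || n < 0 || n > int64(len(b)) {
			n, err = 0, fmt.Errorf("jks: truncated or malformed keystore")
		}
		v, b = b[:n], b[n:]
		return v
	}
	num := func(n int64) int64 { return new(big.Int).SetBytes(take(n)).Int64() } // big-endian
	if num(4) != 0xFEEDFEED || num(4) != 2 {
		return nil, nil, fmt.Errorf("jks: not a JKS version 2 keystore")
	}
	for n := num(4); n > 0 && err == nil; n-- {
		tag, alias, _ := num(4), string(take(num(2))), take(8) // tag, alias, creation time
		chain := int64(1)                                      // tag 2: one trusted certificate
		if tag == 1 {
			_, chain = take(num(4)), num(4) // private key entry: skip the encrypted key
		} else if tag != 2 && err == nil {
			return nil, nil, fmt.Errorf("jks: unknown entry tag %d", tag)
		}
		for ; chain > 0 && err == nil; chain-- {
			take(num(2)) // certificate type string, normally "X.509"
			aliases, ders = append(aliases, alias), append(ders, take(num(4)))
		}
	}
	return aliases, ders, err // the trailing password-keyed SHA-1 digest is not verified
}

func main() { // usage: <program> /path/to/keystore.jks
	data, _ := os.ReadFile(os.Args[len(os.Args)-1]) // unreadable input fails the parse below
	aliases, ders, err := ParseJKSCerts(data)
	if err != nil {
		panic(err)
	}
	for i, der := range ders {
		if leaf, e := x509.ParseCertificate(der); e == nil {
			fmt.Println(aliases[i], "expires", leaf.NotAfter)
		}
	}
}
```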