Add diagnostics callback for tlscommon configs and httptransport #207
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michel-laterman
added
enhancement
michel-laterman
changed the title
michel-laterman
force-pushed
the
tlsdiag
branch
2 times, most recently
from
378e0f7
to
54aeb42
Compare
Add diagnostics callbacks for TLS configuration to make it easier to include in diagnostics bundles. Diagnostics info will geneally verify that the certs or cas are able to load, and display some basic info such as cert names, expiry times, fingerprints, etc. httptransport callback will attempt an HTTP request and return information collected from httptrace about the request.
3 tasks
|
Example of the hooks functions and outputs added to a (draft) fleet-server pr: elastic/fleet-server#3587 |
michel-laterman
commented
May 29, 2024
| diagCertificate(logger, &c.Certificate) | ||
| diagCAs(logger, c.CAs) | ||
|
|
||
| return b.Bytes() |
There was a problem hiding this comment.
From the fleet-server demo, output is:
tlscommon.ServerConfig: Start diagnostics 2024-05-29 00:18:41.569890423 +0000 UTC
tlscommon.ServerConfig: verification_mode=full
tlscommon.ServerConfig: client_auth=none
tlscommon.ServerConfig: ca_sha256=[]
tlscommon.ServerConfig: CertificateSettings: checking certificate keypair
tlscommon.ServerConfig: CertificateSettings: certificate keypair OK.
tlscommon.ServerConfig: CertificateSettings: cert 0 - Subject: CN=fleet-server-dev,O=elastic-fleet
Issuer: CN=localhost,O=elastic-fleet
NotBefore: 2024-05-29 00:18:15 +0000 UTC
NotAfter: 2034-05-29 00:18:15 +0000 UTC
Fingerprint: EvAr8erNJZJ0BoXor1jnCl5X2WCU79ISMgwMITOEJBs=
SAN IP: []
SAN DNS: [fleet-server-dev]
tlscommon.ServerConfig: CertificateAuthorities: certificate_authorities provided.
tlscommon.ServerConfig: CertificateAuthorities: - cert 0 Subject: CN=localhost,O=elastic-fleet
IsCa: true
BasicConstraintsValid: true
NotBefore: 2024-05-29 00:18:15 +0000 UTC
NotAfter: 2034-05-29 00:18:15 +0000 UTC
Fingerprint: cSawoNEa2cSPV4Mwce4mRysrcBGtHBGcSeoBL+Cr48Q=
We want to make sure that certificate & ca information is provided in the diagnostics
There was a problem hiding this comment.
Slight update after I added CertDiagString
tlscommon.ServerConfig: Start diagnostics 2024-05-29 22:10:07.333735518 +0000 UTC
tlscommon.ServerConfig: verification_mode=full
tlscommon.ServerConfig: client_auth=none
tlscommon.ServerConfig: ca_sha256=[]
tlscommon.ServerConfig: CertificateSettings: checking certificate keypair
tlscommon.ServerConfig: CertificateSettings: certificate keypair OK.
tlscommon.ServerConfig: CertificateSettings: cert 0 Subject=CN=fleet-server-dev,O=elastic-fleet
Issuer=CN=localhost,O=elastic-fleet
IsCA=false
BasicConstrintsValid=false
NotBefore=2024-05-29 22:08:32 +0000 UTC
NotAfter=2034-05-29 22:08:32 +0000 UTC
Fingerprint=w04CVUAd7Tfnd/AZ/A8YB9bCUAImGeGXBAUPnhEvGgM=
SAN IP=[]
SAN DNS=[fleet-server-dev]
SAN URI=[]
tlscommon.ServerConfig: CertificateAuthorities: certificate_authorities provided.
tlscommon.ServerConfig: CertificateAuthorities: - cert 0 Subject=CN=localhost,O=elastic-fleet
Issuer=CN=localhost,O=elastic-fleet
IsCA=true
BasicConstrintsValid=true
NotBefore=2024-05-29 22:08:23 +0000 UTC
NotAfter=2034-05-29 22:08:23 +0000 UTC
Fingerprint=QHVJrVpzEHBJTTr6F9RW6TnYbj9ckPD2BQ5JphTzh7M=
SAN IP=[]
SAN DNS=[localhost]
SAN URI=[]
This may or may not be helpful, so feel free to disregard. I'd like to see some failure scenarios, paired with the new diagnostics showing how they give the info needed to correctly diagnose the problem. I'm thinking of things like:
|
Add some error parsing to HTTPSettings.DiagRequests to attempt to give a human readable statement about the cause of any errors when gathering request diagnostics.
michel-laterman
commented
May 30, 2024
Comment on lines
+134
to
+136
| // isGoHTTPResp detects if the response is one that a go http.Server sends if an HTTP request is made to an HTTPS server. | ||
| // non Go servers may return a net.OpError instead. | ||
| func isGoHTTPResp(r *http.Response) bool { |
There was a problem hiding this comment.
This behaviour is a part of go servers, and also occurs for our current cloud deplyments
Comment on lines
+147
to
+149
| // diagError tries to diagnose the error and return a cause/possible cause in a human readable format. | ||
| // If no matching errors are found err.Error is returned. | ||
| func diagError(err error) string { |
There was a problem hiding this comment.
@leehinman, I've tried to add this to explain errors based on the scenarios you provided (with test cases for most of them). we can add more in the future as well
belimawr
reviewed
Jun 3, 2024
Co-authored-by: Tiago Queiroz <me@tiago.life>
|
@lucabelluccini is there anything I should add/change to help with your troubleshooting efforts? |
belimawr
approved these changes
Jun 7, 2024
leehinman
approved these changes
Jun 7, 2024
|
Hello, thanks for the heads up on this one and thank you for those efforts into troubleshooting TLS.
Example about (1). So we have:
We will get 3 TLS diags? |
💚 Build Succeeded
History
|
|
|
Lovely - Thank you @michel-laterman & team ❤️ |
michel-laterman
added a commit
to elastic/fleet-server
that referenced
this pull request
Jun 24, 2024
Add custom hooks to use diag hooks added in elastic/elastic-agent-libs#207 to provide additional files that contain information about the TLS certs used by the server's API, TLS infomation used when connecting to elasticsearch, and a full trace to each specified elasticsearch host.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this PR do?
Add diagnostics callbacks for TLS configuration to make it easier to
include in diagnostics bundles. Diagnostics info will geneally verify
that the certs or cas are able to load, and display some basic info such
as cert names, expiry times, fingerprints, etc. httptransport callback
will attempt an HTTP request and return information collected from
httptrace about the request.
Why is it important?
Allows more information about TLS to be present in diagnostics to help troubleshoot any certificate issues.
Checklist