| author | thiagoftsm <thiagoftsm@gmail.com> | 2019-07-29 12:27:32 +0000 |
|---|---|---|
| committer | Paul Emm. Katsoulakis <34388743+paulkatsoulakis@users.noreply.github.com> | 2019-07-29 15:27:32 +0300 |
| commit | 551617bd322e2b855ccf19375650348fda77938a (patch) | |
| tree | e329b8e38550c634181332ca3f882bc52c082cbf /streaming | |
| parent | 7d0250e3afc48b16fd01de36ced2b76d64201adc (diff) | |
Add configurable default locations for trusted CA certificates (#6549)
* sslcertificate: Trust certificate
Netdata could not allow an invalid certificate or a certificate with an invalid chain; this commit fixes this!
* sslcertificate: Changing name
We are bringing the same names used by the OpenSSL library to simplify the understanding of the parameters.
* sslcertificate: Name changes and explicit directory
This commit fixes the problem with Streams and renames the files in the option correctly; it also uses stat to determine the existence of a file.
* sslcertificate: Documentation
Fix grammar for the newest section in the documentation.
* sslcertificate: Rename variables
The old variable names did not represent well what they are doing, so they were renamed.
Diffstat (limited to 'streaming')

| -rw-r--r-- | streaming/README.md | 47 |
|---|---|---|
| -rw-r--r-- | streaming/rrdpush.c | 9 |
| -rw-r--r-- | streaming/stream.conf | 16 |

3 files changed, 71 insertions, 1 deletions
diff --git a/streaming/README.md b/streaming/README.md index ca3edeaecf..1bfbb23626 100644 --- a/streaming/README.md +++ b/streaming/README.md 
@@ -236,6 +236,53 @@ When TLS/SSL is enabled on the slave, the default behavior will be to not connec ssl skip certificate verification = yes ``` +#### Trusted certificate + +If you've enabled [certificate verification](#certificate-verification), you might see errors from the OpenSSL library when there's a problem with checking the certificate chain (`X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`). More importantly, OpenSSL will reject self-signed certificates. + +Given these known issues, you have two options. If you trust your certificate, you can set the options `CApath` and `CAfile` to inform Netdata where your certificates, and the certificate trusted file, are stored. + +For more details about these options, you can read about [verify locations](https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_load_verify_locations.html). + +Before you changed your streaming configuration, you need to copy your trusted certificate to your slave system and add the certificate to OpenSSL's list. + +On most Linux distributions, the `update-ca-certificates` command searches inside the `/usr/share/ca-certificates` directory for certificates. You should double-check by reading the `update-ca-certificate` manual (`man update-ca-certificate`), and then change the directory in the below commands if needed. + +If you have `sudo` configured on your slave system, you can use that to run the following commands. If not, you'll have to log in as `root` to complete them. + +``` +# mkdir /usr/share/ca-certificates/netdata +# cp master_cert.pem /usr/share/ca-certificates/netdata/master_cert.crt +# chown -R netdata.netdata /usr/share/ca-certificates/netdata/ +``` + +First, you create a new directory to store your certificates for Netdata. Next, you need to change the extension on your certificate from `.pem` to `.crt` so it's compatible with `update-ca-certificate`. 
Finally, you need to change permissions so the user that runs Netdata can access the directory where you copied in your certificate. + +Next, edit the file `/etc/ca-certificates.conf` and add the following line: + +``` +netdata/master_cert.crt +``` + +Now you update the list of certificates running the following, again either as `sudo` or `root`: + +``` +# update-ca-certificates +``` + +!!! note + Some Linux distributions have different methods of updating the certificate list. For more details, please read this guide on [addding trusted root certificates](https://github.com/Busindre/How-to-Add-trusted-root-certificates). + +Once you update your certificate list, you can set the stream parameters for Netdata to trust the master certificate. Open `stream.conf` for editing and change the following lines: + +``` +[stream] + CApath = /etc/ssl/certs/ + CAfile = /etc/ssl/certs/master_cert.pem +``` + +With this configuration, the `CApath` option tells Netdata to search for trusted certificates inside `/etc/ssl/certs`. The `CAfile` option specifies the Netdata master certificate is located at `/etc/ssl/certs/master_cert.pem`. With this configuration, you can skip using the system's entire list of certificates and use Netdata's master certificate instead. + #### Expected behaviors With the introduction of TLS/SSL, the master-slave communication behaves as shown in the table below, depending on the following configurations: diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c index c798cd1b19..59913c24b5 100644 --- a/streaming/rrdpush.c +++ b/streaming/rrdpush.c @@ -50,6 +50,8 @@ char *default_rrdpush_api_key = NULL; char *default_rrdpush_send_charts_matching = NULL; #ifdef ENABLE_HTTPS int netdata_use_ssl_on_stream = NETDATA_SSL_OPTIONAL; +char *netdata_ssl_ca_path = NULL; +char *netdata_ssl_ca_file = NULL; #endif static void load_stream_conf() { 
@@ -92,13 +94,17 @@ int rrdpush_init() { } } } + char *invalid_certificate = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "ssl skip certificate verification", "no"); if ( !strcmp(invalid_certificate,"yes")){ if (netdata_validate_server == NETDATA_SSL_VALID_CERTIFICATE){ - info("The Netdata is configured to accept invalid certificate."); + info("Netdata is configured to accept invalid SSL certificate."); netdata_validate_server = NETDATA_SSL_INVALID_CERTIFICATE; } } + + netdata_ssl_ca_path = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CApath", "/etc/ssl/certs/"); + netdata_ssl_ca_file = appconfig_get(&stream_config, CONFIG_SECTION_STREAM, "CAfile", "/etc/ssl/certs/certs.pem"); #endif return default_rrdpush_enabled; @@ -655,6 +661,7 @@ void *rrdpush_sender_thread(void *ptr) { #ifdef ENABLE_HTTPS if (netdata_use_ssl_on_stream & NETDATA_SSL_FORCE ){ security_start_ssl(NETDATA_SSL_CONTEXT_STREAMING); + security_location_for_context(netdata_client_ctx, netdata_ssl_ca_file, netdata_ssl_ca_path); } #endif diff --git a/streaming/stream.conf b/streaming/stream.conf index 0d360cc24f..fdff1f25fc 100644 --- a/streaming/stream.conf +++ b/streaming/stream.conf @@ -41,6 +41,22 @@ # #ssl skip certificate verification = yes + # Certificate Authority Path + # + # OpenSSL has a default directory where the known certificates are stored, + # case it is necessary it is possible to change this rule using the variable + # "CApath" + # + #CApath = /etc/ssl/certs/ + + # Certificate Authority file + # + # When the Netdata master has certificate, that is not recognized as valid, + # we can add this certificate in the list of known certificates in CApath + # and give for Netdata as argument. + # + #CAfile = /etc/ssl/certs/cert.pem + # The API_KEY to use (as the sender) api key = |
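Review bot: the new "Trusted certificate" section in streaming/README.md ends by saying that with `CApath = /etc/ssl/certs/` and `CAfile = /etc/ssl/certs/master_cert.pem` the user can "skip using the system's entire list of certificates", but `/etc/ssl/certs/` is exactly the directory the preceding `update-ca-certificates` steps populate, so the two statements contradict each other; either drop that sentence or state that `CAfile` adds the master certificate on top of the system store. The section also alternates between `update-ca-certificate` and `update-ca-certificates` (the command and its manual page are `update-ca-certificates`), "Before you changed your streaming configuration" should read "Before you change", and the link text reads "addding".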
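Review bot: in the `@@ -50,6 +50,8 @@` hunk of streaming/rrdpush.c, `netdata_ssl_ca_path` and `netdata_ssl_ca_file` are added as non-static globals, but within this patch they are only read by `rrdpush_sender_thread()` in the same file; if no other translation unit needs them, declare them `static` so no new symbols are exported, and add a one-line comment saying they hold the `CApath` and `CAfile` values read from `stream.conf`.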
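Review bot: in the `@@ -92,13 +94,17 @@` hunk, the fallback passed to `appconfig_get()` for `CAfile` is `/etc/ssl/certs/certs.pem`, while the stream.conf hunk in this same patch documents the default as `/etc/ssl/certs/cert.pem` and the README example uses `/etc/ssl/certs/master_cert.pem`; pick one value and use it in all three places so a user who leaves the option commented out gets the behaviour the comment describes. It would also help to add an `info()` line here, next to the existing one for `ssl skip certificate verification`, reporting which `CApath`/`CAfile` values were picked up, so a mistyped path is visible in the log.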
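Review bot: in the `@@ -655,6 +661,7 @@` hunk, the result of `security_location_for_context(netdata_client_ctx, netdata_ssl_ca_file, netdata_ssl_ca_path)` is not checked; if that call can report that the CA file or directory could not be loaded, the sender thread should log an `error()` naming the offending path (and, when certificate verification is enabled, not proceed with the connection) rather than continuing with a context that has no trusted CA and failing later with a less informative verification error.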
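Review bot: the two new comment blocks in streaming/stream.conf need a wording pass: "case it is necessary it is possible to change this rule using the variable "CApath"" could read "if necessary, this directory can be changed with "CApath"", and "When the Netdata master has certificate, that is not recognized as valid, we can add this certificate in the list of known certificates in CApath and give for Netdata as argument." could read "If the Netdata master uses a certificate that is not already trusted, point "CAfile" at that certificate (or at a bundle containing it)." The documented default `/etc/ssl/certs/cert.pem` also differs from the `certs.pem` fallback hard-coded in rrdpush.c, so the two should be aligned.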