appsignal root CA is not trusted in the debian CA store #17110

Closed
neuronull opened this issue Apr 11, 2023 · 6 comments

neuronull commented Apr 11, 2023

A cert was added recently to the appsignal endpoint **Monday, April 10, 2023 at 6:00:00 PM**, and it appears that the root CA is not trusted in the debian CA store.

```
root@runner:/home/vector# update-ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
root@runner:/home/vector# curl https://appsignal-endpoint.net
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```

The integration test has temporarily been disabled in CI until this issue is resolved (#17109)

Here are a couple approaches:

  1. Have the root CA that issued this cert be added to the debian store
  2. Incidentally, at this point in the code https://cs.github.com/vectordotdev/vector/blob/a791595b0cfcae36d0c46708a91d5e2813ed38eb/src/sinks/appsignal/mod.rs#L117, we actually should be passing in user defined TLS settings. So one approach to addressing this issue is to add the TLS settings to the config settings for the sink, use those instead of `&None`, and pass in the root CA that issued this cert to `tls.ca_file` as part of the integration tests.

It seems like this might cause problems for other users of AppSignal though, independent of its impact to the vector int test. So that might influence the decision.

cc @tombruijn, @thijsc. Would you guys be able to take ownership of this?

@neuronull neuronull self-assigned this Apr 11, 2023
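
The two approaches listed in the opening comment can be compared offline. This is an added example, not part of the issue or of the Vector code base: it builds a throwaway root CA and leaf with `openssl`, then verifies the leaf against the system trust store and against an explicit CA file, the role `tls.ca_file` or `curl --cacert` plays. All subject names and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: every subject name and file below is a throwaway placeholder.

# Create a private root CA and a leaf certificate signed by it, in directory $1.
make_chain() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Private Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=endpoint.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -days 1 \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -out "$d/leaf.pem" 2>/dev/null
}

# Approach 1 hinges on this check: is the issuer in the system trust store?
verify_system_store() { openssl verify "$1" >/dev/null 2>&1; }

# Approach 2: trust an explicitly supplied CA file, the role tls.ca_file
# (or curl --cacert) plays for a client.
verify_with_ca_file() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print OpenSSL's numbered verification error for certificate $1, if any.
verify_reason() { openssl verify "$1" 2>&1 | grep -m1 'error [0-9]'; }

demo() {
  local d
  d="$(mktemp -d)" || return 1
  make_chain "$d" || { rm -rf "$d"; return 1; }
  if verify_system_store "$d/leaf.pem"; then
    echo "system store: trusted"
  else
    echo "system store: rejected ($(verify_reason "$d/leaf.pem"))"
  fi
  if verify_with_ca_file "$d/root.pem" "$d/leaf.pem"; then
    echo "explicit CA file: trusted"
  else
    echo "explicit CA file: rejected"
  fi
  rm -rf "$d"
}
demo
```

An explicit CA file fixes only the client that is configured with it; every other client of the endpoint still depends on what its own trust store contains.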

thijsc commented Apr 11, 2023

We rolled out a reissued certificate today, something might have gone wrong there. We’re looking into this right away and will take ownership.


thijsc commented Apr 11, 2023

We made a mistake with this rollout; we've just rolled out an updated configuration. This issue should be fixed now.

neuronull commented

Thanks for the quick turnaround on that!

neuronull commented

FYI - I opened #17112, to separately track allowing user defined TLS settings in the sink.


thijsc commented Apr 12, 2023

Can we close this one?

neuronull commented

> Can we close this one?

Ah yes, closing. Thanks again.

@neuronull neuronull added the sink: appsignal Anything `appsignal` sink related label Apr 12, 2023