Elastic package new profile certificates are not signed by CA

[ofiriro3]

Describe the bug
When creating a new elastic package profile, the Kibana certificates are not signed by a CA.

In-depth
When trying to debug Kibana and run the entire stack locally, the local integration registry cannot be accessed since the Kibana self-signed certificate is not verified by a CA.

Steps to reproduce

1. Create a new elastic-package profile (for example elastic-package profiles create debug_kibana)
2. From the integration local repository Run the entire stack using elastic package elastic-package stack up --version 8.5.0-SNAPSHOT -v -d -p debug_kibana
3. Kill the Kibana docker
4. Run Kibana locally with NODE_EXTRA_CA_CERTS=/Users/<your_user_name>/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem yarn start --no-base-path
5. Open Kibana and go to the Integration page
6. Integration registry couldn't be accessed due to Error connecting to package registry: request to https://localhost:8080/search?experimental=true&kibana.version=8.5.0 failed, reason: self signed certificate in certificate chain

My Kibana configuration (kibana.dev.yml)

# connect to stack:
elasticsearch.serviceAccountToken: 'AAEAAWVsYXN0aWMva2liYW5hL2VsYXN0aWMtcGFja2FnZS1raWJhbmEtdG9rZW46b2x4b051SWNRa0tYMHdXazdLWmFBdw'
elasticsearch.ssl.certificateAuthorities: "/Users/ofirlapid/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem"
elasticsearch.hosts: [ "https://localhost:9200" ]
#elasticsearch.ssl.verificationMode: none



xpack.fleet.agents.enabled: true
xpack.fleet.registryUrl: 'https://localhost:8080'
#xpack.fleet.registryUrl: 'https://epr-snapshot.elastic.co'
xpack.fleet.agents.fleet_server.hosts: [ "https://localhost:8220" ]
xpack.encryptedSavedObjects.encryptionKey: '12345678901234567890123456789012'

monitoring.ui.container.elasticsearch.enabled: true

server.ssl.enabled: true
server.ssl.certificate: "/Users/ofirlapid/.elastic-package/profiles/debug_kibana/certs/kibana/cert.pem"
server.ssl.key: "/Users/ofirlapid/.elastic-package/profiles/debug_kibana/certs/kibana/key.pem"
server.ssl.certificateAuthorities: ["/Users/ofirlapid/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem"]

Workarounds

I find two workarounds to solve it:

1. Verifying the certificates myself.
   a. Go to the location of the certificates (/Users/<your_user_name>/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem)
   b. Verifying the certificates openssl verify -verbose -x509_strict -CAfile ca-cert.pem cert.pem key.pem

2. When running Kibana you can use the default certificate which is verified.
   So instead of

Run Kibana locally with NODE_EXTRA_CA_CERTS=/Users/<your_user_name>/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem yarn start --no-base-path

You can run NODE_EXTRA_CA_CERTS=/Users/<your_user_name>/.elastic-package/profiles/**default**/certs/kibana/ca-cert.pem yarn start --no-base-path

My environment
Desktop
OS: MacOS
Browser: Chrome
Kibana Version: main branch
SHA: 875a624179a1191f4219da11aa9740b2f6c15f8b
Elastic-package - v0.60.0, darwin_arm64

Suggested solution

I guess that when creating a new profile, we need to add one more step which verifies the relevant certificates.

[mtojek]

Interesting issue, so far nobody reported that issue. Does the problem occur only when you create a new profile or also for the default one?

cc @jsoriano

[ofiriro3]

Only when I am using a new profile.

The default one is already signed, this why

Run Kibana locally with NODE_EXTRA_CA_CERTS=/Users/<your_user_name>/.elastic-package/profiles/debug_kibana/certs/kibana/ca-cert.pem yarn start --no-base-path

Workaround is working.

[jsoriano]

Hi,

If I run the following commands, they all succeed.

$ elastic-package profiles create debug_kibana
$ elastic-package stack up -v -d -p debug_kibana
$ curl --cacert /home/jaime/.elastic-package/profiles/debug_kibana/certs/ca-cert.pem https://localhost:8080
{
  "service.name": "package-registry",
  "service.version": "1.11.0"
}

So the certificates seem to be fine.

Though I managed to reproduce the issue if I mix profiles by running some elastic-package stack commands with the -p debug_kibana flag and others without it, you may end up in a situation where different services are started with different profiles, and thus with different certificates.

@ofiriro3 can you please check what certificates the package-registry container is using? You can see it by looking which ones it has mounted:

docker inspect -f '{{ .Mounts | json }}' elastic-package-stack-package-registry-1

[ofiriro3]

Hi @jsoriano,

[{"Type":"bind","Source":"/Users/ofirlapid/.elastic-package/profiles/debug_kibana/certs/package-registry","Destination":"/etc/ssl/package-registry","Mode":"rw","RW":true,"Propagation":"rprivate"}]

But I try to reproduce it and I couldn't.
I guess that I built the integration and create a local EPR without my profile.

Nice catch.

I think you can close it - THX

[jsoriano]

I guess that I built the integration and create a local EPR without my profile.

Yeah, this could be a way to end up on this situation.

I am going to close this, but maybe we should do something to help to avoid mixing profiles, I have created a follow up on this #962.

Thanks @ofiriro3 for your report!