[Alerting] email action errors with "self signed certificate"

[pmuellr]

We've seen reports of problems using the email actionType, where the action execution returns a serviceMessage of "self signed certificate".

At least one case was with using the email action with secure: false and no user / password.

Attempting to repro this locally with maildev, I can see the same message.

It seems likely that we may have to use the additional transportConfig of tls.rejectUnauthorized: false for this. When adding that to the action code, you can get a little further sending the email to maildev, but it eventually fails with: Missing credentials for "PLAIN". Although it appears to support running without a user/pass, I couldn't get it to work.

So, changing maildev to use an actual user and pass, and changing the action secrets to add them, the email makes it through.

Here are the changes that were made:

original code:

kibana/x-pack/plugins/actions/server/builtin_action_types/lib/send_email.ts

Lines 59 to 68 in 7039aba

	if (service === JSON_TRANSPORT_SERVICE) {
	transportConfig.jsonTransport = true;
	delete transportConfig.auth;
	} else if (service != null) {
	transportConfig.service = service;
	} else {
	transportConfig.host = host;
	transportConfig.port = port;
	transportConfig.secure = !!secure;
	}

after the transportConfig.secure = !!secure; line, I added:

    if (!transportConfig.secure) {
      transportConfig.tls = {
        rejectUnauthorized: false,
      };
    }

This has the effect that if the action config secure property is false, the tls.rejectUnauthorized nodemailer option is also set to false. Ideally we'd like this as separate config properties of the config, so it can be set independent of secure, but it might be useful to "pair" these nodemailer settings to the secure action config for now.

[elasticmachine]

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

[pmuellr]

Another alternative to using rejectUnauthorized would be to allow a user-specified cert to be used. I have no idea how we might do this for an action config/secret. Perhaps though, as a kibana.yml config setting for the actions plugin.

[mikecote]

Another alternative to using rejectUnauthorized would be to allow a user-specified cert to be used. I have no idea how we might do this for an action config/secret. Perhaps though, as a kibana.yml config setting for the actions plugin.

One possibility would be to have a file upload when creating the connector and we store the string value within secrets. I know canvas stores images within their saved objects so at least we wouldn't be the only ones storing content. Hopefully this doesn't affect encryption performance too much.

[nachogiljaldo]

For the sake of simplicity, I would love if Kibana would really allow for rejectUnauthorized instead of solutions that would require us to add more orchestration for alerts to work (such as leaving a new file somewhere or uploading a file somewhere).