Sensu-Go TLS and security configuration

I’m rebuilding stuff now following the guide process to make sure everything is good there.

Okay, regenerated my certs using the guide process:

curl --cacert /usr/local/share/ca-certificates/sensu/ca.pem   --key /etc/sensu/certs/<name-key.pem>   --cert /etc/sensu/certs/<name.pem> https://<hostname>:2380/version
curl --cacert /usr/local/share/ca-certificates/sensu/ca.pem   --key /etc/sensu/certs/<name-key.pem>   --cert /etc/sensu/certs/<name.pem> https://<ip-address>:2380/version

both return:

{"etcdserver":"3.3.13","etcdcluster":"3.3.0"}

I tried the same on 2380 and it didn’t work. Port 2379 works, though.

curl --cacert /usr/local/share/ca-certificates/sensu/ca.pem   --key /etc/sensu/certs/certificate-key.pem   --cert /etc/sensu/certs/certificate.pem https://100.100.0.17:2379/version

{"etcdserver":"3.3.13","etcdcluster":"3.3.0"}

Can you post your backend.yml? Does Sensu start? How does sudo netstat -tulpn look?

Example for my sensu-backend-01:

##
# store configuration for backend-1/01.sensu-poc.local
##
etcd-advertise-client-urls: "https://X.Y.Z.A:2379"
etcd-listen-client-urls: "https://X.Y.Z.A:2379"

etcd-listen-peer-urls: "https://X.Y.Z.A:2380"
etcd-initial-cluster: "sensu-backend-01=https://X.Y.Z.A:2380,sensu-backend-02=https://X.Y.Z.B:2380,sensu-backend-03=https://X.Y.Z.C:2380"
# must match this member's own entry in etcd-initial-cluster (sensu-backend-01 = X.Y.Z.A)
etcd-initial-advertise-peer-urls: "https://X.Y.Z.A:2380"
etcd-initial-cluster-state: "new"
etcd-initial-cluster-token: ""
etcd-name: "sensu-backend-01"

##
# etcd client and peer ssl configuration
##

etcd-cert-file: "/etc/sensu/certs/sensu-backend-01.pem"
etcd-key-file: "/etc/sensu/certs/sensu-backend-01-key.pem"
etcd-trusted-ca-file: "/usr/local/share/ca-certificates/sensu/ca.pem"
etcd-client-cert-auth: true

etcd-peer-cert-file: "/etc/sensu/certs/sensu-backend-01.pem"
etcd-peer-key-file: "/etc/sensu/certs/sensu-backend-01-key.pem"
etcd-peer-trusted-ca-file: "/usr/local/share/ca-certificates/sensu/ca.pem"
etcd-peer-client-cert-auth: true

netstat -tlpn on sensu-backend-01:
tcp        0      0 X.Y.Z.A:2379      0.0.0.0:*               LISTEN      8461/sensu-backend  
tcp        0      0 X.Y.Z.A:2380      0.0.0.0:*               LISTEN      8461/sensu-backend  
tcp6       0      0 :::8080                 :::*                    LISTEN      8461/sensu-backend  
tcp6       0      0 :::8081                 :::*                    LISTEN      8461/sensu-backend  
tcp6       0      0 :::3000                 :::*                    LISTEN      8461/sensu-backend  

I also have my hosts file on each server setup as:

X.Y.Z.A  sensu-backend-01
X.Y.Z.B  sensu-backend-02
X.Y.Z.C  sensu-backend-03

sensuctl cluster health --format yaml
- memberid: 5340752581839192275
  name: sensu-backend-01
  err: ""
  healthy: true
- memberid: 11697106482503405677
  name: sensu-backend-03
  err: ""
  healthy: true
- memberid: 12155884136631201745
  name: sensu-backend-02
  err: ""
  healthy: true
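The fix in this thread came down to one missing key (etcd-advertise-client-urls) and the etcd-* values having to agree with each other: every URL must be https, the member named in etcd-name must have an etcd-initial-cluster entry equal to its etcd-initial-advertise-peer-urls, advertised URLs must not be wildcard addresses, and etcd-client-cert-auth / etcd-peer-client-cert-auth must be true so that a valid CA-signed client certificate is required rather than just TLS on the wire. The script below is an added example, not code from the thread or from Sensu; it runs those checks over the flat key: "value" layout shown above. The embedded sample config is constructed (192.0.2.x addresses, the same file paths as in the post) and the tiny parser assumes that flat layout rather than full YAML.

```python
"""Consistency checks for the etcd TLS settings in a sensu-backend backend.yml.

Added example (not Sensu's own code). It assumes the flat 'key: "value"'
layout shown in the thread and only looks at the etcd-* keys discussed there.
"""
from urllib.parse import urlsplit

REQUIRED_KEYS = (
    "etcd-name",
    "etcd-advertise-client-urls",
    "etcd-listen-client-urls",
    "etcd-listen-peer-urls",
    "etcd-initial-advertise-peer-urls",
    "etcd-initial-cluster",
)
URL_KEYS = REQUIRED_KEYS[1:]          # all but etcd-name carry URLs
ADVERTISE_KEYS = ("etcd-advertise-client-urls", "etcd-initial-advertise-peer-urls")
TLS_FILE_KEYS = (
    "etcd-cert-file", "etcd-key-file", "etcd-trusted-ca-file",
    "etcd-peer-cert-file", "etcd-peer-key-file", "etcd-peer-trusted-ca-file",
)
CERT_AUTH_KEYS = ("etcd-client-cert-auth", "etcd-peer-client-cert-auth")


def parse_flat_yaml(text):
    """Parse flat 'key: "value"' lines; '#' comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip().strip('"').strip("'")
    return cfg


def split_urls(value):
    """Comma-separated URL list -> list of stripped entries (empty list for '')."""
    return [u.strip() for u in value.split(",") if u.strip()]


def parse_initial_cluster(value):
    """'name=url,name=url' -> {name: url}."""
    members = {}
    for entry in split_urls(value):
        name, _, url = entry.partition("=")
        members[name.strip()] = url.strip()
    return members


def check_backend_config(text):
    """Return a list of findings; an empty list means the etcd section is consistent."""
    cfg = parse_flat_yaml(text)
    findings = []

    for key in REQUIRED_KEYS:
        if not cfg.get(key):
            findings.append(f"missing {key}")

    # Every client and peer URL must be https; advertised URLs must be reachable addresses.
    for key in URL_KEYS:
        for url in split_urls(cfg.get(key, "")):
            if key == "etcd-initial-cluster":
                url = url.partition("=")[2]
            parts = urlsplit(url)
            if parts.scheme != "https":
                findings.append(f"{key}: {url} is not https")
            if key in ADVERTISE_KEYS and parts.hostname in ("0.0.0.0", "::"):
                findings.append(f"{key}: {url} advertises a wildcard address")

    # TLS alone only encrypts; client certificate auth is what authenticates the peer.
    for key in CERT_AUTH_KEYS:
        if cfg.get(key, "").lower() != "true":
            findings.append(f"{key} is not true; TLS alone does not authenticate clients/peers")

    for key in TLS_FILE_KEYS:
        if not cfg.get(key):
            findings.append(f"missing {key}")

    # This member's advertised peer URL must equal its entry in the initial cluster map.
    members = parse_initial_cluster(cfg.get("etcd-initial-cluster", ""))
    name = cfg.get("etcd-name")
    adv_peer = cfg.get("etcd-initial-advertise-peer-urls")
    if name and name not in members:
        findings.append(f"etcd-name {name} has no entry in etcd-initial-cluster")
    elif name and adv_peer and members[name] != adv_peer:
        findings.append(
            f"etcd-initial-advertise-peer-urls {adv_peer} does not match "
            f"etcd-initial-cluster entry {members[name]} for {name}"
        )
    return findings


# Constructed sample for sensu-backend-01 (192.0.2.x is documentation address space).
GOOD_CONFIG = """
##
# constructed backend.yml fragment for sensu-backend-01 (192.0.2.11)
##
etcd-advertise-client-urls: "https://192.0.2.11:2379"
etcd-listen-client-urls: "https://192.0.2.11:2379"
etcd-listen-peer-urls: "https://192.0.2.11:2380"
etcd-initial-cluster: "sensu-backend-01=https://192.0.2.11:2380,sensu-backend-02=https://192.0.2.12:2380,sensu-backend-03=https://192.0.2.13:2380"
etcd-initial-advertise-peer-urls: "https://192.0.2.11:2380"
etcd-initial-cluster-state: "new"
etcd-initial-cluster-token: ""
etcd-name: "sensu-backend-01"
etcd-cert-file: "/etc/sensu/certs/sensu-backend-01.pem"
etcd-key-file: "/etc/sensu/certs/sensu-backend-01-key.pem"
etcd-trusted-ca-file: "/usr/local/share/ca-certificates/sensu/ca.pem"
etcd-client-cert-auth: true
etcd-peer-cert-file: "/etc/sensu/certs/sensu-backend-01.pem"
etcd-peer-key-file: "/etc/sensu/certs/sensu-backend-01-key.pem"
etcd-peer-trusted-ca-file: "/usr/local/share/ca-certificates/sensu/ca.pem"
etcd-peer-client-cert-auth: true
"""

# Same file with the thread's mistake (no advertise-client-urls), a peer URL that
# belongs to another member, and peer cert auth switched off.
BROKEN_CONFIG = (
    GOOD_CONFIG
    .replace('etcd-advertise-client-urls: "https://192.0.2.11:2379"\n', "")
    .replace('etcd-initial-advertise-peer-urls: "https://192.0.2.11:2380"',
             'etcd-initial-advertise-peer-urls: "https://192.0.2.13:2380"')
    .replace("etcd-peer-client-cert-auth: true", "etcd-peer-client-cert-auth: false")
)

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"{label}: {check_backend_config(text) or 'OK'}")
```

Run it against a real file with `check_backend_config(open("/etc/sensu/backend.yml").read())`. Once the backend is up, the cert-auth settings can be confirmed from the outside: the curl commands in this thread succeed with --cert and --key, and the same request with only --cacert should be refused by etcd when etcd-client-cert-auth is true.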

I was missing
etcd-advertise-client-urls:

I have gone through the lines multiple times… Now everything is starting. Thank you for your time!

Man, it’s always something tiny.

I will say there’s tons of room left to automate the TLS self-signing steps.