Airgap Security Artifact Registry - Use CA file for validation

[joshuatmason]

Attempting to use the Configure offline endpoints and air-gapped environments (https://www.elastic.co/guide/en/security/current/offline-endpoint.html).

The self-hosted https server is using a self-signed cert / internal CA. When it attempts to download the new endpoint artifacts, I get:

[elastic_agent.endpoint_security][error] Http.cpp:327 CURL error 60: SSL peer certificate or SSH remote key was not OK [SSL certificate problem: self signed certificate in certificate chain]

Feature request would be the option to point to a CA file or text block for trusted ca cert for validation of self-signed certs, alongside the base_url .

[joshuatmason]

There may also be a bug in relation to this:
When the download fails on the curl to pull the artifact, the Elastic Agent's Policy Response shows as 'Healthy'

Although the download is having issues, the Agent shows as "Healthy". I would think the "Download Global Artifacts" ought to show warning/error to indicate there is an issue to investigate.

[cmacknz]

@nfritts FYI

[intxgo]

Thank you for highlighting this user experience problem. The immediate mitigation for it in custom artifacts setup, which should be mentioned in the guide (https://www.elastic.co/guide/en/security/current/offline-endpoint.html), is to verify your config with test output command.

• Windows: "C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe" test output
• macOS: sudo /Library/Elastic/Endpoint/elastic-endpoint test output
• Linux: sudo /opt/Elastic/Endpoint/elastic-endpoint test output

Elastic Defend reports policy error if artifacts are missing, or user explicitly configured a specific version (https://www.elastic.co/guide/en/security/8.12/artifact-control.html) which failed to download. Otherwise Elastic Defend is using currently cached artifacts, reporting healthy status, assuming it'll download eventual artifacts update at next update interval.

In 8.12 we've added an enhancement to bring some clarity how old are the cached artifacts

https://docs.elastic.co/en/integrations/endpoint

Enhancement View pull request
artifacts manifest update age, snapshot date