Details
-
Bug
-
Resolution: Won't Fix
-
Blocker
-
None
-
Community Edition, Professional Edition
-
CentOS
Description
OpsGenie have migrated to TLS1.3 and Observium alerting fails with HTTP 426 Upgrade required.
Observium uses "file_get_contents" to submit the request and that doesn't work with TLS 1.3
Attachments
Activity
It seems as support for TLS 1.3 exactly added in php 7.4. See: php #3909
php is up to date:
/opt/observium]# php --version
PHP 7.3.25 (cli) (built: Nov 24 2020 11:10:55) ( NTS )
The result is the same as before:
o Notifying [opsgenie] Ops Genie: {"recipients":"","api_key":"XXXXXXXXXXXXXX"}
REQUESThttps://api.opsgenie.com/v1/json/observiumv2
REQUEST STATUS[FALSE]
REQUEST RUNTIME[0.3594s]
RESPONSE CODE[426 Upgrade Required]
[FALSE]
Could you please share how can I test the same thing as you - REQUESThttps://tls-test-api.opsgenie.com/v1/json/observiumv2 ?
Are you using some stone age php? this works fine.
REQUESThttps://tls-test-api.opsgenie.com/v1/json/observiumv2
REQUEST STATUS[TRUE]
REQUEST RUNTIME[1.2858s]
RESPONSE CODE[200 OK]
Response test success: [requestId] ne []
[OK]
root@dev:/opt/observium# php --version
PHP 7.4.3 (cli) (built: Oct 6 2020 15:47:56) ( NTS )
Here are more comments by OpsGenie:
—announcement—
Action required: Update your cipher suites to be compatible with Opsgenie
On October 20, 2020, Opsgenie will begin to upgrade Transport Layer Security (TLS) configuration and end support for some weaker cipher suites. We're doing this to ensure maintaining the best-in-class security for our customers.
This change will affect all HTTPS traffic to Opsgenie, including:
opsg.in,api.opsgenie.comapi.eu.opsgenie.com*.app.opsgenie.com*.app.eu.opsgenie.com
Which cipher suites will be supported?
Ensure your browser or client supports TLS connections using at least one of the cipher suites below by October 20, 2020, for web browsers and by November 10, 2020, for API connections.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Will this change affect me?
If the supported cipher list is not compliant with your browser or client, the upcoming change will impact your system. Please make sure to check your web browsers and API connections you're using while connecting to Opsgenie. If there are other connection points you're using to access Opsgenie, make sure to check them as well.
Older versions of browser connections are more likely to be affected by this change. You may check your browser version and compare your compatibility with Wikipedia's chart of TLS support in web browsers.Test your endpoints from https://tls-test-api.opsgenie.com to see if your API connections are affected.
What is the timeline?
You need to upgrade anything that will be affected before October 20, 2020, for web browsers and November 10, 2020, for API connections. Please note that if you're using a restrictive firewall or proxy server settings, you'll also need to allow certain IP address ranges to ensure Opsgenie works as expected. Check IP ranges.
—end of announcement—
Here is the output of one Alert in Observium:
o Notifying [opsgenie] Ops Genie: {"recipients":"","api_key":"XXXXXXXXXXXXXXXXXXXX"}
REQUESThttps://api.opsgenie.com/v1/json/observiumv2
REQUEST STATUS[FALSE]
REQUEST RUNTIME[0.3546s]
RESPONSE CODE[426 Upgrade Required]
[FALSE]
It also needs newer OpenSSL than is included in some distributions.
Reason #2836362738 not to use centos.
Btw, you need to fill in the environment field when opening a ticket for compatibility issues.