Cannot verify signature: insecure algorithm MD5-RSA"

openssl genrsa -out cakey.pem 2048
openssl req -x509 -new -nodes -key cakey.pem -sha256 -days 3650 -out cacert.pem
openssl req -newkey rsa:2048 -keyout server.key -nodes -config openssl.cnf -out server.csr
openssl ca -config openssl.cnf -keyfile cakey.pem -cert cacert.pem -outdir . -out server.crt -infiles server.csr
openssl req -newkey rsa:2048 -keyout client.key -nodes -config openssl.cnf -out client.csr
openssl ca -config openssl.cnf -keyfile cakey.pem -cert cacert.pem -outdir . -out client.crt -infiles client.csr.

I am following above steps to create cakey.pem, cacert.pem files and server,client key,cert pairs.
Following is my logstash config

 input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/sc/old/logstash-2.3.2/cacert.pem"]
    ssl_certificate => "/sc/old/logstash-2.3.2/server.crt"
    ssl_key => "/sc/old/logstash-2.3.2/server.key"
    ssl_verify_mode => "force_peer"
  }
}

output {
    stdout { }
}

Following is my filebeat.yml file

filebeat:
  prospectors:
    -
      paths:
        - /sc/log/info.log
      fields:
        hostip: "10.10.35.180"
        cloudname: "cloud.net"
      document_type: info_Etc/GMT+0

output:
  logstash:
    hosts: ["ls1.analytics.net:5044"]
    tls:
      certificate_authorities: ["/sc/filebeat/cacert.pem"]
      certificate: "/sc/filebeat/client.crt"
      certificate_key: "/sc/filebeat/client.key"

logging:
  to_syslog: false
  to_files: true

  files:
    path: /sc/log
    name: filebeat.log
    rotateeverybytes: 10485760
    keepfiles: 7
    level: debug

When i try to run filebeat, I am facing with the error :

ERR SSL client failed to connect with: x509: certificate signed by unknown authority (possibly because of "x509: cannot verify signature: insecure algorithm MD5-RSA" while trying to verify candidate authority certificate

I didnt mentioned that particular algorithm anywhere. I dont know how is it picking, Is there a way to modify this or get filebeat work with ssl with someother algorithm.

It looks like you didn't specify a signature algorithm when creating your certs. Can you see what "Signature Algorithm" was used in your certificates by running openssl x509 -in <certificate-file> -noout -text on each cert.

Probably the default used by openssl was MD5-RSA (aka md5WithRsa). md5WithRsa shouldn't be used and Go is rejecting the cert. https://www.kb.cert.org/vuls/id/836068 You can configure the signature algorithm in your openssl.cnf.

Yes, i configured signature algorithm to sha1 in openssl.cnf and rerun the whole setup, now filebeat is ending up with transport.go:125: ERR SSL client failed to connect with: EOF error

Any chance you have wireshark or tshark that you can use to sniff the TLS handshake on tcp port 5044? That might help show some additional errors in the handshake or connection.

Otherwise I would check in the Logstash logs.

Another test you can perform is using curl from the Filebeat host. Run curl -v --cacert ca.crt --cert client.crt --key client.key https://logstash:5044. See if it is able to connect properly. https://www.elastic.co/guide/en/beats/filebeat/5.0/configuring-ssl-logstash.html#testing-ssl-logstash

yes its a certificate signature mismatch issue, I figured it out. Now its working good, Thanks for quick response andrew.

This topic was automatically closed after 21 days. New replies are no longer allowed.