Certificate issues lumberjack as output plugin


(Abhinigam) #1

I am using a self-signed client certificate and configuring the same in my lumberjack output plugin. However, when my logstash forwarder on the client machines tries to talk to the logstash aggregator, I am getting the following error:
"OpenSSL::SSL::SSLError: Socket closed>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:215:in `connect'""


(Magnus Bäck) #2

What do the Logstash configurations look like (both instances)? Is there anything in the log of the receiving Logstash?


(Abhinigam) #3

Thanks for checking back with me. I added the certificates to the list of accepted CAs using keytool and also made sure the client certificate contained the IP address of the logstash forwarder which I was using to emit the logstash entries through lumberjack, and it worked.

I have a follow-up question though. We are using this setup in an AWS environment, and since the IP addresses are dynamic, how do I manage client certificates? It seems the lumberjack plugin requires client-side certificates. It is not optional.


(Magnus Bäck) #4

> It seems lumberjack plugin requires client side certificates.

No. What gives you that idea?


(Abhinigam) #5

Magnus,
https://www.elastic.co/guide/en/logstash/current/plugins-outputs-lumberjack.html
I saw that "ssl_certificate" is required. Can you please give more insight into what this certificate represents?


(Magnus Bäck) #6

That's the server's certificate, not the client's.


(Abhi Medallia) #7

Magnus,
I just want to make sure I understand. The Logstash lumberjack input plugin has a server certificate. The Logstash lumberjack output plugin (the forwarder) also needs to have the exact same server certificate.

Is this right? I thought the output plugin would have the client certificate if we needed bidirectional authentication.


(Magnus Bäck) #8

> I just want to make sure I understand. The Logstash lumberjack input plugin has a server certificate. The Logstash lumberjack output plugin (the forwarder) also needs to have the exact same server certificate.

Yes. This allows the client to authenticate the server it's connecting to.

> I thought the output plugin would have the client certificate if we needed bidirectional authentication.

Bidirectional authentication isn't supported.
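
The arrangement described in this thread, as an added example that is not part of any poster's reply: the same server certificate file is referenced on both ends, and only the receiving side holds the private key. The file paths, port number and hostname are hypothetical placeholders.

```conf
# Added example: two separate pipeline files, one per Logstash instance.
# Paths, port and hostname below are hypothetical placeholders.

# ---- Receiving Logstash (aggregator): lumberjack input acts as TLS server ----
input {
  lumberjack {
    port            => 5000
    # Server certificate presented to every connecting forwarder.
    ssl_certificate => "/etc/logstash/certs/lumberjack.crt"
    # Private key for that certificate. It stays on the aggregator only.
    ssl_key         => "/etc/logstash/certs/lumberjack.key"
  }
}

# ---- Sending Logstash (forwarder): lumberjack output acts as TLS client ----
output {
  lumberjack {
    # Assumption: the name or address used here is one the server
    # certificate was issued for.
    hosts           => ["aggregator.example.internal"]
    port            => 5000
    # Copy of the SAME server certificate (public part only). The client
    # uses it to authenticate the aggregator. No client certificate or
    # client key is configured, since authentication is one-way.
    ssl_certificate => "/etc/logstash/certs/lumberjack.crt"
  }
}
```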

