Hi,
Not sure whether to post this in the Logstash or X-Pack category, but I guess I'd try this place first.
I am having trouble configuring both X-Pack Monitoring and X-Pack Centralized Pipeline Management for Logstash with TLS on CentOS 7. The versions of Logstash and X-Pack are both 6.2.1.
My SSL PEM certificate does not have hostname information.
Logstash with Monitoring
The xpack.monitoring settings in my logstash.yml:
....
xpack.monitoring.elasticsearch.url: "https://192.168.115.22:9200"
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: password
xpack.monitoring.elasticsearch.ssl.ca: /etc/logstash/certs/logstash-cert/es/ca/ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
....
When I run Logstash, I get this error in my log (the error message is at the end of the line):
Error registering plugin {:pipeline_id=>".monitoring-logstash", :plugin=>"#<LogStash::OutputDelegator:0x61f44f16 @namespaced_metric=#<LogStash::Instrument::NamespacedNullMetric:0x5198356f @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs, :d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28]>, @metric=#<LogStash::Instrument::NamespacedNullMetric:0x6a7ddab2 @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs]>, @out_counter=LogStash::Instrument::NullMetric::NullGauge, @strategy=#<LogStash::OutputDelegatorStrategies::Shared:0x618ca83a @output=<LogStash::Outputs::ElasticSearch hosts=>[https://192.168.115.22:9200], bulk_path=>\"/_xpack/monitoring/_bulk?system_id=logstash&system_api_version=2&interval=1s\", manage_template=>false, document_type=>\"%{[@metadata][document_type]}\", sniffing=>false, user=>\"logstash_system\", password=><password>, ssl=>true, cacert=>\"/etc/logstash/certs/logstash-cert/es/ca/ca.crt\", id=>\"d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28\", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>\"plain_e942aba5-61d1-4aa3-b151-2546bb47551f\", enable_metric=>true, charset=>\"UTF-8\">, workers=>1, 
template_name=>\"logstash\", template_overwrite=>false, doc_as_upsert=>false, script_type=>\"inline\", script_lang=>\"painless\", script_var_name=>\"event\", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>\"index\", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>>, @in_counter=LogStash::Instrument::NullMetric::NullGauge, @id=\"d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28\", @time_metric=LogStash::Instrument::NullMetric::NullGauge, @metric_events=#<LogStash::Instrument::NamespacedNullMetric:0x3b7c2b2e @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs, :d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28, :events]>, @output_class=LogStash::Outputs::ElasticSearch>", :error=>"Host name '192.168.115.22' does not match the certificate subject provided by the peer (CN=instance)", :thread=>"#<Thread:0x448b1590@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246 run>"}
Logstash with Centralized Pipeline Management
The xpack.management settings in my logstash.yml:
....
xpack.management.enabled: true
xpack.management.elasticsearch.url: "https://192.168.115.22:9200"
xpack.management.elasticsearch.username: logstash_admin_user
xpack.management.elasticsearch.password: password
xpack.management.elasticsearch.ssl.ca: /etc/logstash/certs/logstash-cert/es/ca/ca.crt
....
When I run Logstash, I get this error in my log:
Unable to retrieve license information from license server {:message=>"Host name '192.168.115.22' does not match the certificate subject provided by the peer (CN=instance)", :class=>"Manticore::UnknownException"}
It seems to me that even though xpack.monitoring.elasticsearch.ssl.verification_mode is set to certificate, Logstash/X-Pack still does hostname verification for Monitoring.
There is no verification_mode setting for Centralized Pipeline Management.
My PEM certificate does not contain the hostname. Is there a way for Logstash/X-Pack not to do full hostname verification for Monitoring and Centralized Pipeline Management? It is weird that Elasticsearch and Kibana are able to do that, but not Logstash.
Thanks.
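An added example, not part of the original post: the mismatch in the error message reproduced with the openssl CLI, independent of Logstash. It builds two throwaway self-signed certificates (constructed here; the function and file names are assumptions), one with only CN=instance and one that also carries an IP subjectAltName for 192.168.115.22, and checks each against that address.

```shell
#!/bin/sh
# Constructed demo: a certificate whose only identity is CN=instance cannot be
# matched against the address 192.168.115.22; one with an IP subjectAltName can.
# Requires OpenSSL 1.1.1 or later (for -addext). All files are throwaway.

TARGET_IP="192.168.115.22"   # address taken from the logstash.yml settings in the post

# make_cert <out.pem> [subjectAltName value]
# Writes a one-day self-signed certificate with subject CN=instance.
make_cert() {
    mc_key="$(mktemp)"
    if [ -n "${2:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
            -addext "subjectAltName=$2" -keyout "$mc_key" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
            -keyout "$mc_key" -out "$1" 2>/dev/null
    fi
    mc_rc=$?
    rm -f "$mc_key"
    return "$mc_rc"
}

# ip_matches <cert.pem> <ip>
# Exit status 0 only if the certificate is valid for that IP address.
# openssl prints "IP <ip> does match certificate" or "... does NOT match ...".
ip_matches() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null \
        | grep -q "does match certificate"
}

demo() {
    demo_dir="$(mktemp -d)"
    make_cert "$demo_dir/cn_only.pem"
    make_cert "$demo_dir/with_san.pem" "IP:$TARGET_IP"
    for demo_name in cn_only with_san; do
        openssl x509 -in "$demo_dir/$demo_name.pem" -noout -subject
        if ip_matches "$demo_dir/$demo_name.pem" "$TARGET_IP"; then
            echo "$demo_name: $TARGET_IP matches the certificate"
        else
            echo "$demo_name: $TARGET_IP does NOT match the certificate"
        fi
    done
    rm -rf "$demo_dir"
}

demo
```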