Configuring Both X-Pack Monitoring and X-Pack Management with TLS for Logstash

Hi,

Not sure whether to post this in the Logstash or X-Pack category, but I guess I'd try this place first.

I am having trouble configuring both X-Pack Monitoring and X-Pack Centralized Pipeline Management for Logstash with TLS on CentOS 7. The versions of Logstash and X-Pack are 6.2.1.

My SSL PEM certificate does not have hostname information.

Logstash with Monitoring

The xpack.monitoring settings in my logstash.yml:

....
xpack.monitoring.elasticsearch.url: "https://192.168.115.22:9200"
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: password
xpack.monitoring.elasticsearch.ssl.ca: /etc/logstash/certs/logstash-cert/es/ca/ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
....

When I run Logstash, I get this error in my log (the error message is at the end of the line):

Error registering plugin {:pipeline_id=>".monitoring-logstash", :plugin=>"#<LogStash::OutputDelegator:0x61f44f16 @namespaced_metric=#<LogStash::Instrument::NamespacedNullMetric:0x5198356f @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs, :d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28]>, @metric=#<LogStash::Instrument::NamespacedNullMetric:0x6a7ddab2 @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs]>, @out_counter=LogStash::Instrument::NullMetric::NullGauge, @strategy=#<LogStash::OutputDelegatorStrategies::Shared:0x618ca83a @output=<LogStash::Outputs::ElasticSearch hosts=>[https://192.168.115.22:9200], bulk_path=>\"/_xpack/monitoring/_bulk?system_id=logstash&system_api_version=2&interval=1s\", manage_template=>false, document_type=>\"%{[@metadata][document_type]}\", sniffing=>false, user=>\"logstash_system\", password=><password>, ssl=>true, cacert=>\"/etc/logstash/certs/logstash-cert/es/ca/ca.crt\", id=>\"d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28\", enable_metric=>true, codec=><LogStash::Codecs::Plain id=>\"plain_e942aba5-61d1-4aa3-b151-2546bb47551f\", enable_metric=>true, charset=>\"UTF-8\">, workers=>1, 
template_name=>\"logstash\", template_overwrite=>false, doc_as_upsert=>false, script_type=>\"inline\", script_lang=>\"painless\", script_var_name=>\"event\", scripted_upsert=>false, retry_initial_interval=>2, retry_max_interval=>64, retry_on_conflict=>1, action=>\"index\", ssl_certificate_verification=>true, sniffing_delay=>5, timeout=>60, pool_max=>1000, pool_max_per_route=>100, resurrect_delay=>5, validate_after_inactivity=>10000, http_compression=>false>>, @in_counter=LogStash::Instrument::NullMetric::NullGauge, @id=\"d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28\", @time_metric=LogStash::Instrument::NullMetric::NullGauge, @metric_events=#<LogStash::Instrument::NamespacedNullMetric:0x3b7c2b2e @metric=#<LogStash::Instrument::NullMetric:0x16bc338d @collector=#<LogStash::Instrument::Collector:0x6b39cc7e @agent=nil, @metric_store=#<LogStash::Instrument::MetricStore:0x2876a2f0 @store=#<Concurrent::Map:0x00000000000fb0 entries=4 default_proc=nil>, @structured_lookup_mutex=#<Mutex:0x38d5d9dc>, @fast_lookup=#<Concurrent::Map:0x00000000000fb4 entries=51 default_proc=nil>>>>, @namespace_name=[:stats, :pipelines, :\".monitoring-logstash\", :plugins, :outputs, :d1b6341fc5dbeeffd88505fda73022540f9353480f9aef67e9352cfdeca8cd28, :events]>, @output_class=LogStash::Outputs::ElasticSearch>", :error=>"Host name '192.168.115.22' does not match the certificate subject provided by the peer (CN=instance)", :thread=>"#<Thread:0x448b1590@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246 run>"}

Logstash with Centralized Pipeline Management

The xpack.management settings in my logstash.yml:

....
xpack.management.enabled: true
xpack.management.elasticsearch.url: "https://192.168.115.22:9200"
xpack.management.elasticsearch.username: logstash_admin_user
xpack.management.elasticsearch.password: password
xpack.management.elasticsearch.ssl.ca: /etc/logstash/certs/logstash-cert/es/ca/ca.crt
....

When I run Logstash, I get this error in my log:

Unable to retrieve license information from license server {:message=>"Host name '192.168.115.22' does not match the certificate subject provided by the peer (CN=instance)", :class=>"Manticore::UnknownException"}

It seems to me that even though xpack.monitoring.elasticsearch.ssl.verification_mode is set to certificate, Logstash/X-Pack still does hostname verification for Monitoring.

There is no verification_mode setting for Centralized Pipeline Management.

My PEM certificate does not contain the hostname. Is there a way for Logstash/X-Pack not to do full hostname verification for Monitoring and Centralized Pipeline Management? It is weird that Elasticsearch and Kibana are able to do that, but not Logstash.

Thanks.

Hi,

As you have discovered, there is not a way to specify trust verification level within the X-Pack Management settings in Logstash. That issue is being investigated.

There is not any reason you should need to degrade the level of verification when creating self-signed certificates. Using the --ip and --dns certutil cert options will place the IP address and DNS hostname in the SAN field of the certificate and allow full certificate verification to succeed.

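As an added example (not code from this thread or from Elastic), a POSIX shell check that reads a certificate's SAN with openssl and reports whether the IP address or DNS name you put in elasticsearch.url is covered, which is exactly what the reply's --ip/--dns advice achieves. The demo certificate paths, the address 192.168.115.22 and the name es01.example.test are constructed placeholders; run the check against the node certificate the Elasticsearch peer presents (the one with CN=instance), not against the CA file.

```sh
#!/bin/sh
# Added example (not from the thread): check whether the certificate an
# Elasticsearch node presents carries a SAN entry matching the host used in
# xpack.monitoring/xpack.management.elasticsearch.url. Without such an entry,
# Logstash's hostname verification fails as in the question. Needs openssl.

# List a PEM certificate's SAN entries, one per line, normalised to
# "DNS:<name>" or "IP:<address>".
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n -e 's/^[[:space:]]*DNS:/DNS:/p' \
                 -e 's/^[[:space:]]*IP Address:/IP:/p'
}

# Exit 0 if the SAN of certificate $1 covers host $2 (IPv4 literal or DNS
# name), non-zero otherwise. A bare CN (e.g. CN=instance) is deliberately
# ignored, since that is what the verifier in the question also ignores.
san_covers() {
    case "$2" in
        *[!0-9.]*) key="DNS:$2" ;;   # anything beyond digits and dots: DNS name
        *)         key="IP:$2"   ;;  # otherwise an IPv4 literal
    esac
    cert_sans "$1" | grep -qxF "$key"
}

# Constructed demo material: two self-signed certs in directory $1, both with
# CN=instance. san.crt carries the IP and DNS SAN that certutil --ip/--dns
# would add; nosan.crt mirrors the certificate from the question.
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
        -addext "subjectAltName=IP:192.168.115.22,DNS:es01.example.test" \
        -keyout "$1/san.key" -out "$1/san.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
        -keyout "$1/nosan.key" -out "$1/nosan.crt" 2>/dev/null
}

# Usage: sh check_san.sh <node-cert.pem> <host-from-url>
if [ $# -eq 2 ]; then
    if san_covers "$1" "$2"; then
        echo "OK: SAN of $1 covers $2"
    else
        echo "FAIL: SAN of $1 does not cover $2; hostname verification will fail"
        exit 1
    fi
fi
```

Running it with the placeholder hosts against the demo certificates shows san.crt passing for both the IP and the DNS name while nosan.crt fails, matching the two outcomes described in the thread.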

Hi,

Thanks for your reply.

Regards
