Debug Errors while setting up SSL communication between Filebeat and Logstash

I am trying a POC for my organisation and have the following setup:

  1. Filebeat on Linux Server
  2. Logstash, ElasticSearch and Kibana on Windows Server 2012

A simple flow of picking up log files from Filebeat to Kibana worked really well. To make it more secure, I had installed x-pack on Kibana, ES and Logstash. After some initial hurdles I was able to make the same connection from Filebeat to Kibana work.

To make things more compatible for a Production Environment, I decided to try SSL communication between Filebeat and Logstash.

I've tried a lot of methods and every one of them failed. Therefore, after searching for hours, I found a step-by-step guide (https://github.com/Busindre/How-to-configure-SSL-for-FileBeat-and-Logstash-step-by-step) and I followed it religiously to obtain all certificates (etc.) from openssl (version 1.0).

Note: I've generated all the certificates on the Linux server where Filebeat was configured. The reason I've done this is because I couldn't generate certificates on Windows Server as I am not sure how it works.

After I was done with generating certificates on Linux Server, I did a file transfer to my local system and then to Windows Server.

Now, I've started my Logstash with the following config:

input {
  beats {
    port => 5044
    client_inactivity_timeout => 3600
    ssl => true
    ssl_certificate_authorities => ["C:/ELKStack/Final_Cert/ca.crt"]
    ssl_certificate => "C:/ELKStack/Final_Cert/server.crt"
    ssl_key => "C:/ELKStack/Final_Cert/server.key"
    ssl_verify_mode => "none"
  }
}

This worked fine. Now I went back to Filebeat, which had the following config:

output.logstash:
  # The Logstash hosts
   hosts: ["cloud_ip:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
   ssl.certificate_authorities: ["path/ca.crt"]

  # Certificate for SSL client authentication
   ssl.certificate: "path/client.crt"

  # Client Certificate Key
   ssl.key: "path/client.key"
   ssl.supported_protocols: "TLSv1.2"

As I start the Filebeat server I get the following results:

INFO Harvester started for file: /path*.log
2017/11/13 15:21:18.157222 sync.go:85: ERR Failed to publish events caused by: read tcp XX->XX:5044: read: connection reset by peer
2017/11/13 15:21:18.157263 single.go:91: INFO Error publishing events (retrying): read tcp XX->XX:5044: read: connection reset by peer

At the same time I got this in my Logstash cmd:

[2017-11-13T10:21:01,087][INFO ][logstash.inputs.metrics  ] Monitoring License OK
[2017-11-13T10:21:18,050][INFO ][org.logstash.beats.BeatsHandler] Exception: not an SSL/TLS record: 32570000000a3243000006b0785ed458cd72dbc81
[2017-11-13T10:21:19,332][INFO ][org.logstash.beats.BeatsHandler] Exception: not an SSL/TLS record: [Deleted]

I am really confused as to how to go ahead right now. It would be really helpful if you could help. Thanks
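The hex that Logstash prints after "not an SSL/TLS record" is the first data the client sent, so decoding it shows what the client was actually speaking. The following is an added example, not part of the original thread; it assumes the Beats/lumberjack v2 framing (ASCII version digit, one-letter type code, 4-byte big-endian value), and `classify_payload` and the sample names are hypothetical.

```python
import struct

# TLS record content types (first byte of every TLS record).
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Beats/lumberjack frame codes seen at the start of a connection (assumed layout).
BEATS_TYPES = {b"W": "window", b"C": "compressed"}


def classify_payload(hex_dump):
    """Classify the first bytes a listener received, given as logged hex."""
    digits = "".join(hex_dump.split())                    # drop console line wraps
    data = bytes.fromhex(digits[: len(digits) // 2 * 2])  # ignore a dangling nibble
    if len(data) >= 5 and data[0] in TLS_TYPES and data[1] == 3:
        (length,) = struct.unpack(">H", data[3:5])
        return {"kind": "tls", "record": TLS_TYPES[data[0]],
                "version": (data[1], data[2]), "length": length}
    frames, off = [], 0
    while off + 6 <= len(data) and data[off:off + 1] in (b"1", b"2"):
        ftype = BEATS_TYPES.get(data[off + 1:off + 2])
        if ftype is None:
            break
        (value,) = struct.unpack(">I", data[off + 2:off + 6])
        frames.append((ftype, value))
        if ftype == "compressed":      # a zlib stream follows; stop walking frames
            break
        off += 6
    if frames:
        return {"kind": "beats-plaintext", "frames": frames}
    return {"kind": "unknown"}


# Leading bytes of the payload in the Logstash log line quoted in the post.
FROM_POST = "32570000000a3243000006b0785e"
# Constructed sample: start of a TLS handshake record, for comparison.
TLS_SAMPLE = "16030100c8010000c40303"

if __name__ == "__main__":
    print(classify_payload(FROM_POST))
    print(classify_payload(TLS_SAMPLE))
```

For the bytes in the post it returns a window frame of 10 followed by a 1712-byte compressed frame, which is unencrypted Beats traffic arriving on a TLS listener rather than a ClientHello.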

A few questions:

  • What version of Logstash are you running?
  • What version of Beats are you running?

Can you try to connect with openssl s_client on the logstash server and add the output to this issue?
The command to do this should be similar to the following, you might need to adjust the CAFile path:

openssl s_client -connect cloud_ip:5044 -CAfile path/ca.crt

Make sure you add the Logstash log output too.

Thanks

Hi @pierhugues. Thanks for helping out.

  1. Logstash version - logstash-5.6.3
  2. Beats Version - filebeat-5.6.3-linux-x86_64

Here is the output after connecting with openssl s_client:

CONNECTED(00000003)
depth=1 C = IN, ST = Mah, L = O, O = CITI, OU = ET, CN = WMM, emailAddress = s@gmail.com
verify return:1
depth=0 C = IN, L = Default City, O = Default Company Ltd, emailAddress = ss\08
verify return:1
139798173898568:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
139798173898568:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/C=IN/L=Default City/O=Default Company Ltd/emailAddress=ss\x08
   i:/C=IN/ST=Mah/L=O/O=CITI/OU=ET/CN=WMM/emailAddress=s@gmail.com
---
Server certificate
subject=/C=IN/L=Default City/O=Default Company Ltd/emailAddress=ss\x08
issuer=/C=IN/ST=Mah/L=O/O=CITI/OU=ET/CN=WMM/emailAddress=s@gmail.com
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1328 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BCCC081D622AA702ED757D9568648197DB42BCC77214AD4548E191504C072E85
    Session-ID-ctx: 
    Master-Key: C85A12E17CF40B8D319D16588AA8571608E873747B7297B1BF16D4A0CE627556AB9E8BB3E12847F0E1A2A78AD0A2F07A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1510643396
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Logstash output :

[2017-11-14T02:09:55,897][INFO ][org.logstash.beats.BeatsHandler] Exception: javax.net.ssl.SSLHandshakeException: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE

I will start looking at the error. Please let me know what you think (and how to sort this out) from your side. Thanks

I thought there must be some errors while generating certificates (link in the original question) and therefore I went ahead to repeat the process again.

Starting Logstash was fine. On starting Filebeat I received the following error on Filebeat:

2017/11/14 07:29:59.929852 single.go:140: ERR Connecting error publishing events (retrying): x509: certificate is valid for , not cloud_ip
2017/11/14 07:30:01.210856 single.go:140: ERR Connecting error publishing events (retrying): x509: certificate is valid for , not cloud_ip

And output on Logstash

[2017-11-14T02:29:59,773][INFO ][org.logstash.beats.BeatsHandler] Exception: An existing connection was forcibly closed by the remote host
[2017-11-14T02:30:01,039][INFO ][org.logstash.beats.BeatsHandler] Exception: An existing connection was forcibly closed by the remote host

I ran the openssl command you had asked me for earlier, which gave the following output on the terminal:

CONNECTED(00000003)
depth=0 C = XX, L = Default City, O = Default Company Ltd, emailAddress = s@gmail.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = XX, L = Default City, O = Default Company Ltd, emailAddress = s@gmail.com
verify return:1
139858884900680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
139858884900680:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
---
Certificate chain
 0 s:/C=XX/L=Default City/O=Default Company Ltd/emailAddress=s@gmail.com
   i:/C=XX/L=Default City/O=Default Company Ltd/emailAddress=s@gmail.com
---
Server certificate
subject=/C=XX/L=Default City/O=Default Company Ltd/emailAddress=s@gmail.com
issuer=/C=XX/L=Default City/O=Default Company Ltd/emailAddress=s@gmail.com
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1321 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 25BCEEE1EE1F2822A39A66E6DB13820FF10667E87D6130132E8FD0D7DF862E2B
    Session-ID-ctx: 
    Master-Key: D29002C23148D7802DC17B5AB54BFDBBC61B41323449E035DFBD27695F175372F0BB71B02A46E9310F577BE0C3A33E48
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1510644551
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

And on logstash :

[2017-11-14T02:29:11,323][INFO ][org.logstash.beats.BeatsHandler] Exception: javax.net.ssl.SSLHandshakeException: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE

I am really confused on how to go ahead :disappointed:

I will have to test with the instructions you have linked, I've looked at the configuration and they look OK to me.

I think we should try to fix the server verification first before doing mutual authentication; dropping the ssl_verify_mode => "none" should rely on the input default, which doesn't require client auth. If you redo the openssl command with that setting it should remove the PEER_DID_NOT_RETURN_A_CERTIFICATE.

The certificates were generated on Linux with OpenSSL 1.0, correct?

In the last command we still see a handshake failure, so this shows that we still have a certificate issue.

Can you add the result of the following command to this issue?

openssl x509 -noout -subject -in server.crt

Thanks

Hi @pierhugues, it was a certificate issue.

It's working fine right now. Thanks a ton for helping out :slight_smile:

Awesome!
