DEPRECATED: CommonName field on X.509 certificates

Hi, I'm having a problem receiving data from a 7.17.0 filebeat to Logstash.
If I run filebeat -e test config I see a warning
lscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0.

I found this at Beats version 7.12.0 | Beats Platform Reference [8.0] | Elastic:
Deprecated
Affecting all Beats

Selecting full in ssl.verification_mode option will not treat CommonName field in x509 certificates as a hostname when Subject Alternative Name is not present from v8.0. Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new major version of Beats.
But I can't find how to fix it.
I share the filebeat and logstash configuration

filebeat

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.com.uy:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/filebeat/certs/filebeat.com.uy.crt"

  # Client Certificate Key
  ssl.key: "/etc/filebeat/certs/filebeat.com.uy.key"

logstash

input{
 beats {
    port => 5044
    ssl => true
    ssl_key => '/etc/logstash/certs/logstash.com.uy.pkcs8.key'
    ssl_certificate => '/etc/logstash/certs/logstash.com.uy.crt'
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
   }
}

I see in logstash-plain.log this log

[DEBUG][logstash.inputs.beats    ][main][0036b6f0025242a84f297e35f6d8a6f1684d62cee6445633e498926c79747ee1] Cannot retrieve remote IP address for beats input - remoteAddress is nil
[2022-02-25T14:09:44,785][DEBUG][org.logstash.beats.BeatsHandler][main][0036b6f0025242a84f297e35f6d8a6f1684d62cee6445633e498926c79747ee1] [local: 0.0.0.0:5044, remote: undefined] Handling exception: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

You need new certificates that have the appropriate SAN attributes set.
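
The reissue the reply calls for, sketched with the openssl CLI as an added example that is not part of the original thread: it signs one certificate with a DNS Subject Alternative Name and one CN-only certificate, then checks both the way you would audit existing certificates before moving to 8.0. The host names, file names and throwaway CA are constructed for the demonstration; in a real deployment you would sign with your own CA.

```bash
#!/usr/bin/env bash
# Added example: host names and file names below are constructed placeholders.

# Print the DNS entries of a certificate's Subject Alternative Name extension,
# one per line. Prints nothing when the certificate has no DNS SAN.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Subject Alternative Name' \
    | tail -n +2 | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeeds only if the certificate has at least one DNS SAN, which is what the
# deprecation notice asks for when ssl.verification_mode is full.
has_dns_san() { [ -n "$(cert_dns_sans "$1")" ]; }

# issue_cert DIR HOST MODE: sign a certificate for HOST with a throwaway CA in DIR.
# MODE "san" adds subjectAltName=DNS:HOST; "cn-only" reproduces the legacy layout.
issue_cert() {
  [ -f "$1/ca.crt" ] || openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Constructed Test CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  if [ "$3" = san ]; then
    # The extension file is what puts the DNS name into the signed certificate.
    printf 'subjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 30 -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
  fi
}

# Demo: issue both kinds in a temp dir and report which one needs reissuing.
work=$(mktemp -d)
issue_cert "$work" logstash.example.test san
issue_cert "$work" legacy.example.test cn-only
for crt in "$work"/*.example.test.crt; do
  if has_dns_san "$crt"; then
    echo "OK       $(basename "$crt"): DNS SAN = $(cert_dns_sans "$crt")"
  else
    echo "REISSUE  $(basename "$crt"): CN only, no DNS SAN"
  fi
done
rm -rf "$work"
```

The DNS name in the SAN has to match the name Filebeat connects to in `hosts`, since that is the name checked under `ssl.verification_mode: full`.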
