DEPRECATED: CommonName field on X.509 certificates

ariverol · February 25, 2022, 6:35pm

Hi, I'm having a problem receiving data from a 7.17.0 filebeat to Logstash.
If I run filebeat -e test config I see a warning
lscommon/config.go:100 DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0.

I found at Beats version 7.12.0 | Beats Platform Reference [8.0] | Elastic
deprecatededit
Affecting all Beats

Selecting full in ssl.verification_mode option will not treat CommonName field in x509 certificates as a hostname when Subject Alternative Name is not present from v8.0. Please update your certificates so it contains at least one DNSName instead of relying on CommonName in the new major version of Beats.
But I can't find how to fix it.
I share the filebeat and logstash configuration

filebeat

# ------------------------------ Logstash Output -------------------------------
output.logstash:
# The Logstash hosts
  hosts: ["logstash.com.uy :5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/filebeat/certs/filebeat.com.uy.crt"

  # Client Certificate Key
  ssl.key: "/etc/filebeat/certs/filebeat.com.uy.key"

logstash

input{
 beats {
    port => 5044
    ssl => true
    ssl_key => '/etc/logstash/certs/logstash.com.uy.pkcs8.key'
    ssl_certificate => '/etc/logstash/certs/logstash.com.uy.crt'
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_verify_mode => "force_peer"
   }
}

I see in logstash-plain.log this log

[DEBUG][logstash.inputs.beats    ][main][0036b6f0025242a84f297e35f6d8a6f1684d62cee6445633e498926c79747ee1] Cannot retrieve remote IP address for beats input - remoteAddress is nil
[2022-02-25T14:09:44,785][DEBUG][org.logstash.beats.BeatsHandler][main][0036b6f0025242a84f297e35f6d8a6f1684d62cee6445633e498926c79747ee1] [local: 0.0.0.0:5044, remote: undefined] Handling exception: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

legoguy1000 · February 27, 2022, 6:38am

You need new certificates that have the appropriate SANS attributes set.

system · March 27, 2022, 8:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed Beats filebeat , metricbeat	3	1573	June 14, 2023
Filebeat ssl connection fail with CERT using Subject Alternative Name Beats filebeat	5	2573	July 5, 2017
[mTLS][filebeat-logstash][beat-input-plugin] Client certificate hostname verification Beats beats-module , filebeat	7	980	October 4, 2021
Logstash beat force_peer authentication doesn't check hostname info Logstash	3	459	May 25, 2020
Creating certificates for filebeat Beats filebeat	5	1973	July 5, 2017

DEPRECATED: CommonName field on X.509 certificates

Related topics