This input plugin looks perfect for what I need except I need to call https and so must provide certificate information. I found this closed github issue, https://github.com/logstash-plugins/logstash-input-http_poller/issues/2, and I followed the links and read the commits but see nothing about https. I thought about opening another github issue but thought I'd better post here first in case someone has better insight.
Thanks for the link Mark. I'm getting a little further. I'm specifying "truststore", "truststore_password", "client_cert" as myCert.cer, and "client_key" as myKey.key. I'm still getting a "_http_request_failure" though and I'm having trouble determining why.
I'm guessing that being in handle_success is a good thing but I have no idea what the string comparison is about. Any ideas? It should be returning something like ["a","b","c"]. Am I correct in passing in .cer and .key files? Are there any https examples I can look at?
UPDATE: I changed the url I was using to one that returns a json object rather than an array. Now I'm getting a different response: "403 forbidden, unable to authenticate user - no certificate provided". I'm sure my .cer and .key files are there and are valid so I assume I should be passing in something else. A https example would go a long way right now. Again, any help greatly appreciated.
UPDATE: I changed the .cer to a .crt file with the start/end certificate string from my pem file. Same result.
I see in the rest service's code though that it expects a request attribute named "javax.servlet.request.X509certificate" for the cert and it apparently isn't finding it. Does this plugin pass my .crt in as that?
p.s. if I'm creating too much noise or doing anything wrong by posting here, please let me know. I'm in a bit of a vacuum here.
Sorry I don't understand. I have the "truststore" set to my truststore.jks and "truststore_password" set to its password. That's for "who I trust". That much is correct, yes? As for "who I am", I've tried not setting "client_cert" and "client_key" and instead setting "cacert" to different formats of my keystore: a .pem, a .cer and a .jks. What should it be set to? Also I see no way to supply the keystore password. Thanks for replying by the way.
CraigFoote can you open an issue for providing the keystore_password option? That was an oversight of mine in developing the API. Currently there's no way to provide one.
You can of course use PEM files for now. For "who I am" client_cert / client_key should work. That they aren't is a bug unfortunately. Are you sure the client isn't connecting those values?
Just so I create the ticket right, am I correct in understanding the intent of the 'cacert' option as being the certificate keystore, e.g. 'myCert.jks'? And that normally a password is required so we're missing a 'cacert_password' option?
Sorry I'm being a little dense but I still don't fully understand. Am I correct in setting the 'truststore' and 'truststore_password' options? And, until the 'cacert_password' option is available, to what should I set the 'client_cert' and 'client_key' to exactly? My understanding of a .pem file is that it contains public certificates and optionally private keys, the latter requiring a password. I think I need to supply my private key and somehow its password but I'm new to this stuff and it seems you know how it can work.
Oh I just remembered, I checked the code of the rest service I'm calling and it expects a request attribute called 'javax.servlet.request.X509Certificate'. Do you know if this is being set?
Thanks for responding Andrew. I tried setting the 'cacert' option to my non-password-encoded key.pem file that I created using the link you provided. Unfortunately I'm getting:
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Do I need to use the truststore and truststore_password options? I did and got a different error: "key usage does not allow key encipherment". I don't know if I'm getting further or if providing the truststore options is causing a different error. As the truststore is "who I trust", it seems to me I shouldn't need to provide it; I should only need to provide "who I am" via the private key, right?
Apologies Craig, I missed that you were using a clientside KEY.
I think I can clear this all up now.
'cacert' lets you set an alternate CA, performing the same role as a truststore. This lets you accept a custom cert from a remote server.
Specifying a custom clientside certificate for x509 auth requires setting 'client_key' to the local key for your client as well as setting 'client_cert' with the signature for that key.
I apologize for the confusion. SSL is generally very confusing.
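Putting the two roles from the reply above side by side, here is an added example pipeline fragment (not from the thread or the plugin's own docs). The URL, file paths and schedule are placeholders; only the option names used in this thread are relied on, plus the plugin's standard urls/schedule/codec settings.

```logstash
input {
  http_poller {
    # Placeholder endpoint for this example.
    urls => {
      my_service => {
        method => get
        url => "https://api.example.internal/items"
      }
    }
    schedule => { every => "30s" }
    codec => "json"

    # "Who I trust": the CA that signed the remote server's certificate.
    # Either a PEM CA file via 'cacert' or a JKS truststore; one is enough.
    cacert => "/etc/logstash/certs/ca.pem"
    # truststore => "/etc/logstash/certs/truststore.jks"
    # truststore_password => "changeit"

    # "Who I am": the client certificate presented for X.509 auth and the
    # private key it was issued for, both PEM. The key has to be stored
    # unencrypted, because the plugin discussed here has no option yet
    # for a key or keystore password.
    client_cert => "/etc/logstash/certs/client.crt"
    client_key  => "/etc/logstash/certs/client.key"
  }
}
```

Before wiring this in, `openssl x509 -in client.crt -noout -text` shows the certificate's Key Usage extension, which is what the Java "key usage does not allow key encipherment" error earlier in the thread is complaining about.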