[elastic output] Differences in SSL between 7.9.1 and 7.16.2

Hi,

Previously, on 7.9.1, I had a configuration like the one below for my output:

output {
  elasticsearch {
    hosts => "https://myhost:9200"
    index => "myindex"
    user => "myuser"
    password => "mypassword"
  }
}

myhost uses a self-signed certificate, and the company CA is deployed on all hosts and available in the system CA store (RHEL 7: /etc/pki/tls/certs/ca-bundle.crt -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem).

Everything worked fine.

After upgrading to 7.16.2, I had to add this to my configuration:

    cacert => "/etc/pki/tls/certs/ca-bundle.crt"   # the elasticsearch output option is spelled cacert

Without this parameter, I got an SSL handshake error.
I've seen another fix suggested, adding the CA to the Java store, but found that kind of fix less clean than having the CA specified in the configuration.

I've checked the elastic output plugin CHANGELOG but didn't see any change that seems related to this behavior.

Any ideas what changed?
Is it normal to have to specify the system CA store? I was assuming that it was looked up by default.

Regards,

Maybe the jruby-openssl upgrade in 7.15.2?

How is Logstash finding Java? My best guess is that we are no longer using the system java (that has your cert store), and are instead using the bundled JDK (which doesn't have your certs loaded into its store).

  • Logstash has bundled its own Java since Logstash 7.10, preferring the bundled JDK to the java available on your PATH.
  • In 7.16, we introduced the LS_JAVA_HOME environment variable as the preferred way to tell Logstash to use a Java other than the bundled JDK.
  • In 7.16, we also deprecated finding Java with JAVA_HOME -- this flag will be ignored in Logstash 8, but has been in use since at least Logstash 5.

Thanks for the feedback.

Is there no way to let the bundled JDK look up the system CA store?
It is IMO more convenient than having to inject it into the Java store or specify the CA in the configuration.

Regards,

You can also tell the jvm to load its truststore from a particular place by adding a directive to your config/jvm.properties:

-Djavax.net.ssl.trustStore=/path/to/truststore.jks

From what I read, when this system property is not present, any Java installation will look in its own <JAVA_HOME>/lib/security for the files cacerts or jssecacerts. How is your system truststore being added to your system Java?

Note: if you are using keytool to add certs to your Java truststore, it is worth noting that the keytool on your $PATH belongs to the Java that is also on your $PATH, and will by default install the certs into that Java's own truststore.
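The thread above boils down to three questions a practitioner has to answer on a host: which JDK Logstash will actually start under, which truststore that JVM will consult, and how to get the company CA into that store with the right keytool. The script below is an added example, not code from the thread or from Logstash itself. It assumes the lookup order the replies describe for 7.16 (LS_JAVA_HOME, then the deprecated JAVA_HOME, then the bundled jdk/ directory, then java on PATH), a tarball-style layout with config/jvm.options under the Logstash home, and the standard keytool flags; the paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread or from Logstash): find the JDK and
# truststore Logstash 7.16 will use, and import a CA with that JDK's keytool.
# Assumed lookup order: LS_JAVA_HOME > JAVA_HOME (deprecated) > bundled
# $LOGSTASH_HOME/jdk > java on PATH. Assumed layout: $LOGSTASH_HOME/config/jvm.options.

# Print the JDK home Logstash will run under for the install rooted at $1.
ls_java_home() {
  ls_home=$1
  if [ -n "${LS_JAVA_HOME:-}" ]; then
    echo "$LS_JAVA_HOME"                # preferred since 7.16
  elif [ -n "${JAVA_HOME:-}" ]; then
    echo "$JAVA_HOME"                   # still honored in 7.16, ignored in 8
  elif [ -x "$ls_home/jdk/bin/java" ]; then
    echo "$ls_home/jdk"                 # bundled JDK (7.10+)
  else
    javabin=$(command -v java) || return 1
    echo "$(dirname "$(dirname "$javabin")")"   # PATH java; symlinks not resolved
  fi
}

# Print the truststore the JVM will load: an explicit
# -Djavax.net.ssl.trustStore in config/jvm.options wins; otherwise the JDK's
# own lib/security/jssecacerts if present, else lib/security/cacerts.
ls_truststore() {
  ls_home=$1; jdk=$2
  opts="$ls_home/config/jvm.options"
  ts=""
  if [ -f "$opts" ]; then
    ts=$(sed -n 's/^-Djavax\.net\.ssl\.trustStore=//p' "$opts" | tail -n 1)
  fi
  if [ -n "$ts" ]; then
    echo "$ts"
  elif [ -f "$jdk/lib/security/jssecacerts" ]; then
    echo "$jdk/lib/security/jssecacerts"
  else
    echo "$jdk/lib/security/cacerts"
  fi
}

# Import one CA certificate (PEM in $2) under alias $3 into truststore $5,
# using the keytool of the JDK in $1 rather than whatever keytool is on PATH.
# keytool -importcert reads only the first certificate in a file, so pass the
# company CA's own PEM, not the whole ca-bundle.crt.
import_ca() {
  jdk=$1; pem=$2; alias=$3; storepass=${4:-changeit}; store=$5
  keytool="$jdk/bin/keytool"
  [ -x "$keytool" ] || { echo "no keytool at $keytool" >&2; return 1; }
  "$keytool" -importcert -noprompt -trustcacerts \
    -keystore "$store" -storepass "$storepass" \
    -alias "$alias" -file "$pem"
}

# Usage (placeholder paths), e.g. for a tarball install in /opt/logstash:
#   jdk=$(ls_java_home /opt/logstash)
#   store=$(ls_truststore /opt/logstash "$jdk")
#   import_ca "$jdk" /etc/pki/ca-trust/source/anchors/company-ca.pem company-ca changeit "$store"
#   "$jdk/bin/keytool" -list -keystore "$store" -storepass changeit -alias company-ca
```

Two caveats when going the keytool route: the default password of a JDK's cacerts is changeit, so the store is only as protected as the file permissions on it, and a Logstash upgrade replaces the bundled jdk/ directory, so the import has to be repeated after every upgrade. Keeping a separate truststore file and pointing the JVM at it with -Djavax.net.ssl.trustStore, or naming the CA in the output configuration as the original poster did, avoids that maintenance trap.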

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.