ELK upgrade to 6.8.23

Hi Team

Currently I'm working on an ELK upgrade. When I upgraded Logstash from 5.X to 6.8.23, I got the error below.

------------------------------------------------------------------------------------------------------------------------------
Caused by: java.security.cert.CertificateException: No subject alternative names present
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:156)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:100)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:457)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:431)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
        ... 43 more
[2022-02-22T10:33:36,155][ERROR][logstash.pipeline        ] A plugin had an unrecoverable error. Will restart this plugin.
 
[2022-02-22T10:33:36,343][FATAL][logstash.runner          ] An unexpected error occurred! {:error=>org.apache.kafka.common.errors.SslAuthenticationException: SSL handshake failed, :backtrace=>[]
----------------------------------------------------------------------------------------------

Conf file example
===============================================================
input {
    kafka {
        bootstrap_servers => "xxxxxxxxxx:9093,xxxxxxxxxxxxxx:9093,xxxxxxxxxxxxxxxx:9093"
        client_id => "logstash-uu786v1026"
        topics => ["test_log"]
        group_id => "logstash_log"
        consumer_threads => 3
        codec => "json"
        security_protocol => "SSL"
        ssl_truststore_location => "/usr/share/logstash/config/client.truststore.jks"
        ssl_truststore_password => "xxxxxxxxx"
    }
}
=========================================================

I noticed this in the breaking changes: "The ssl option is now obsolete."

Could you please help us resolve this issue?

I believe this is telling you that the certificate of one of the brokers does not match the name you are using to connect to it. If "xxxxxxxxxxxxxxxx" does not match the CN in the certificate, then the client looks for SAN entries. If there are no SAN entries then it throws this exception.

The documentation suggests this is specific to attempts to connect using an IP address, but I am not convinced that is true.
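
The name check discussed in this thread, as an added example that is not part of the original posts and is not the JDK's own code: a simplified Python model of the rules in `sun.security.util.HostnameChecker` (the class in the trace above, entered through `matchIP`), returning the reason a connect string is rejected. The hostnames, IP addresses and certificate contents are constructed, and `check_identity` and `preflight` are hypothetical helper names.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(name, pattern):
    # Case-insensitive; '*' is honoured only as the whole leftmost label (simplification).
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in name and name.split(".", 1)[1] == pattern[2:]
    return name == pattern

def check_identity(host, cn, sans):
    """Return None if `host` is accepted for the certificate, else the reason.

    cn   -- subject CN of the broker certificate (or None)
    sans -- list of ("DNS", value) / ("IP", value); [] when there is no SAN extension
    """
    if _is_ip(host):
        # IP literals are matched against SAN iPAddress entries only; the CN is never used.
        if not sans:
            return "No subject alternative names present"
        ips = [ipaddress.ip_address(v) for t, v in sans if t == "IP"]
        if ipaddress.ip_address(host) in ips:
            return None
        return f"No subject alternative names matching IP address {host} found"
    dns = [v for t, v in sans if t == "DNS"]
    if dns:
        # Once dNSName entries exist, the CN is ignored.
        if any(_dns_match(host, v) for v in dns):
            return None
        return f"No subject alternative DNS name matching {host} found."
    if cn and _dns_match(host, cn):
        return None
    return f"No name matching {host} found"

def preflight(bootstrap_servers, cn, sans):
    """Check every host in a Logstash-style bootstrap_servers string (IPv4/hostnames)."""
    hosts = [e.strip().rsplit(":", 1)[0] for e in bootstrap_servers.split(",")]
    return {h: check_identity(h, cn, sans) for h in hosts}

# Constructed broker certificate: CN only, no SAN extension.
CN_ONLY = ("kafka1.example.internal", [])
# Constructed broker certificate with SAN entries for both name forms.
WITH_SAN = ("kafka1.example.internal", [("DNS", "*.example.internal"), ("IP", "10.0.0.5")])
```

Feed it the names and SAN entries shown by `keytool -printcert`, and check the addresses the brokers advertise as well as the `bootstrap_servers` entries, since the Kafka client verifies whichever name it actually dials.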
