Encrypt filebeat to logstash

elk6 · July 28, 2020, 4:44pm

I have a small setup. Filebeat was able to successfully send logs to logstash. I was then asked to encrypt communication between filebeat to logstash.

On logstash I've added to the following to the input{ } block:

ssl_certificate => "/usr/share/elasticsearch/elk.crt"
ssl_key => "/usr/share/elasticsearch/elk.key"

I've copied the elk.crt and elk.key to one of the servers that ship logs with filebeat under /etc/elk/certs, and then, in filebeat.yml, under output.logstash:, I've added the following:

hosts: ["91.239.19.210:5044"] # this line was there before. also not the real ip
ssl.certificate: "/etc/elk/certs/elk.crt"
ssl.key: "/etc/elk/certs/elk.key"

When I start filebeat, I endlessly get the following message:

 2020-07-28T16:36:19.644Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:155  Failed to connect to backoff(async(tcp://91.239.19.210:5044)): x509: cannot validate certificate for 91.239.19.210 because it doesn't contain any IP SANs

I thought that maybe it wanted to have a hostname instead of IP, so I added to /etc/hosts:

  91.239.19.210 elk.com

And in filebeat.yml replace the IP with:

 hosts: ["elk.com:5044"]

Which results this error:

 2020-07-28T16:42:12.174Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:155  Failed to connect to backoff(async(tcp://elk.com:5044)): x509: certificate is not valid for any names, but wanted to match elk.com

I'm sitting on this forever and I can't seem to crack it. Does anyone know what's wrong? I feel like I'm missing something. Thanks ahead.

Badger · July 28, 2020, 5:26pm

OK, that is saying that you cannot use that certificate when you configure hosts as an IP address because the certificate does not have a Subject Alternate Name that contains an IP address.

I wonder if that could be something like this issue. Hard to tell without seeing all the (non-secret) parts of the certificate.

elk6 · July 29, 2020, 2:51pm

Thanks for the response.

the certificate does not have a Subject Alternate Name that contains an IP address.

I didn't really get this part, does it mean it only accepts hostnames, instead of IPs?

Badger · July 29, 2020, 5:04pm

Well the RFCs allow a certificate to be issued in the name of an IP address, but issuing certificate authorities impose strict conditions on these, and not all clients support them. The more common way to use an IP address in TLS is SAN. Subject Alternate Name records allow a certificate to list multiple alternate hostnames and/or IP address that the certificate should also match.

system · August 26, 2020, 5:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
X509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs Beats filebeat	3	23432	September 16, 2017
Filebeat Cant connect: ERROR x509: cannot validate certificate for x.xx.xx.xxx because it doesn't contain any IP SANs Beats filebeat	12	10777	May 10, 2018
Guide for Generating valid Certs for Logstash / Filebeat SSL Setup Logstash	4	673	May 31, 2017
Filebeat ssl connection error: certificate is valid for x, not x Beats filebeat	1	1010	March 30, 2018
Cannot validate certificate for X.X.X.X because it doesn’t contain any IP SANs Beats	2	4471	July 20, 2018

Encrypt filebeat to logstash

Related topics