Error unable to find valid certification path

rschirin · March 2, 2018, 6:13pm

Hi,
I'm trying to configure TLS between Logstash and Elastic.
Currently I have configured (correctly, it seems), TLS on my cluster (3 nodes) and I can access to it using Kibana.
In my Logstash (installed in localhost on each servers) I'm using elasticsearch output filter but when I start it I get only the error:

[2018-03-02T18:59:24,125][WARN ][logstash.licensechecker.licensereader] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
[2018-03-02T18:59:25,400][INFO ][logstash.pipeline        ] Pipeline has terminated {:pipeline_id=>"main", :thread=>"#<Thread:0xae84822@/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:246

while on elasticsearch logs I get:

[2018-03-02T18:59:24,124][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elk1] http client did not trust this server's certificate, closing connection [id: 0x3612b68c, L:0.0.0.0/0.0.0.0:9200 ! R:/127.0.0.1:47433]

here you can find a piece of my logstash.conf

elasticsearch {
                        hosts => ["https://localhost:9200/"]
                        user => "elastic"
                        password => "changeme"
                        index => "roger-%{+YYYY.MM.dd}"
                        template_name => "roger-*"
                        template => "/etc/logstash/templates/roger-template-es5x.json"
                        cacert => "/etc/logstash/certs/caC.cer"
                        ssl => true
                        ssl_certificate_verification => false
                }

can you help me?
I know that ssl should not be mandatory since I specify https in hosts key and I know also that should not be used ssl_certificate_verification.

thanks in advance

rschirin · March 7, 2018, 1:10pm

just an update.
I have fixed it adding the CA to Java keystore.
here the used commands:

echo -n | openssl s_client -connect localhost:9200 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./ca_logstash.cer
keytool -import -alias saelk -file ca_logstash.cer -keystore /usr/lib/jvm/jre-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/lib/security/cacerts

Sa_Jain · March 8, 2018, 9:41am

Hi Roger,
I am facing a similar problem, can you help pls

I have used Search guard, generated the demo certificates.
when i use the root-ca.pem that search guard has generated in Logstash.
It does not work

My logstash and elastic are on different servers

output {
elasticsearch {
hosts => "10.16.11.172:9200"
user => "admin"
password => "admin"
ssl => true
ssl_certificate_verification => false
cacert => "/usr/share/logstash/root-ca.pem"
template_name => "ocean-logs-*"
index => "%{index_name}-%{+YYYY.MM.dd}"
}
}

rschirin · March 9, 2018, 5:34pm

I'm not sure if we can talk about Search Guard here. anyway, on another cluster I have used it.
taking a look to your output section, you should have

hosts => ["https://10.16.11.172:9200"]

system · April 6, 2018, 5:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

hallaoui · September 3, 2020, 8:39am

Hi Roger,

I faced same issue using below config then I fixed it following what you shared in the previous post.

Config:
  elasticsearch {
    hosts => ["https://45cd934da9d443b187c79007c5bcb586.10.30.30.204.ip.es.io:9243"]
    index => "cars"
    user => "elastic"
    password => "05b7jz5qldMlRX5tUAQnV8ff"
    document_type => "used_car_for_sell"
  }

Error:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Fix:
# echo -n | openssl s_client -connect 45cd934da9d443b187c79007c5bcb586.10.30.30.204.ip.es.io:9243 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ./ca_logstash.cer
# sudo keytool -import -alias saelk -file ca_logstash.cer -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.262.b10-0.el8_2.x86_64/jre/lib/security/cacerts

Thanks for your support.

Hamid

TheSumitBanik · June 9, 2021, 11:43am

Where should I use the commands for openssl and keytool?

Bilanda · June 9, 2021, 12:48pm

On the server runing logstash. Replace localhost:9200 by your_ip_server:9200 (or DNS_name:9200) if elasticsearch is not running on the same server than your logstash.

TheSumitBanik · June 9, 2021, 1:50pm

Thanks! I have executed the commands but my question is what value to fill in cacert in .conf file? (what should be the path)

Bilanda · June 9, 2021, 2:09pm

If you register Elasticsearch's root certificate in Logstash keystore, then you don't need to add a cacert in your logstash conf file. It's used by default. You'll only need to register username & password, as Hallaoui mentionned.

warkolm · June 9, 2021, 8:52pm

Please start your own topic for this @TheSumitBanik

Topic		Replies	Views
Problem with Logstash SSL Logstash elastic-stack-security	19	8206	March 31, 2022
Logstash can't finde the certificate Logstash elastic-stack-security	16	8063	November 11, 2021
"PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed" Logstash	4	237	October 10, 2024
Logtash to elasticsearch connection error using certificate Logstash elastic-stack-monitoring , elastic-stack-security	24	9775	November 21, 2019
Logstash unable to connect to Elasticsearch over https Logstash	7	1781	January 17, 2022

Error unable to find valid certification path

Related Topics