Error with multiple values in ssl_certificate_authorities for elasticsearch output

pk92 · August 28, 2024, 3:40pm

Hi,

when I put a list with multiple elements in "ssl_certificate_authorities" for the Elasticsearch output of the Logstash pipeline, like this:

output {
    elasticsearch {
        hosts                        => ["https://host1:9200", "https://host2:9200", "https://host3:9200"]
        data_stream                  => "true"
        user                         => "logstash_internal"
        password                     => "pa$$w0rd"
        ssl_enabled                  => "true"
        ssl_verification_mode        => "full"
        ssl_certificate_authorities  => ["/path/to/ca.pem","/path/to/another-ca.pem"]
    }
}

I get the following error in the Logstash logs, stating that multiple values are not allowed

[2024-08-28T16:49:13,283][ERROR][logstash.javapipeline    ][lan] Pipeline error {:pipeline_id=>"lan", :exception=>#<LogStash::ConfigurationError: Multiple values on "ssl_certificate_authorities" are not supported by this plugin>, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.6-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:128:in `setup_ssl'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.6-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:59:in `build'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.6-java/lib/logstash/plugin_mixins/elasticsearch/common.rb:42:in `build_client'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-output-elasticsearch-11.22.6-java/lib/logstash/outputs/elasticsearch.rb:301:in `register'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:69:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:237:in `block in register_plugins'", "org/jruby/RubyArray.java:1989:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:236:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:610:in `maybe_setup_out_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:249:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:194:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:146:in `block in start'"], "pipeline.sources"=>["central pipeline management"], :thread=>"#<Thread:0x6fa0463f /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}

Althpugh the documentation for the Elasticsearch output clearly states that the value for ssl_certificate_authorities can be a list.

ssl_certificate_authorities

Value type is a list of path

There is no default value for this setting

The .cer or .pem files to validate the server’s certificate.

I would expect that this should be working and it would just use every CA from the given list for validation of certificates. Do I make anything wrong?

Logstash version 8.13.4
logstash-output-elasticsearch version 11.22.6

Badger · August 28, 2024, 4:33pm

That looks like a bug to me. I poked around in the github history a bit and the output used to take a cacert option, which wanted a single certificate. During the standardization of SSL parameters across plugins that was changed to ssl_certificate_authorities, which takes a list of certificate files. However, the http_client mixin library that the output calls still expects a single cert.

pk92 · August 29, 2024, 7:23am

Thank you for confirming that it is a bug!

I'll have to open an issue in the Github repo then, I guess