Filebeat ca cert problem

AlRad · December 15, 2015, 3:16pm

I'm attempting to basically get encrypted comms going between Filebeat hosts and the Logstash server (encryption only, no client authentication). Filebeat, however, is not accepting the CA certificate. Here is my filebeat.yml config:

filebeat:
  prospectors:
    -
      paths:
        - /var/log/messages
      input_type: log
  registry_file: /var/lib/filebeat/registry
logging:
  to_files: true
  level: debug
  files:
    path: "/var/log"
    name: filebeat_log
output:
  logstash:
    enabled: true
    hosts:
      - "logstashnode:5044"
    tls:
      disabled: false
      certificate_authorities:
        - "/etc/filebeat/cacert.crt"

Here's the debug output:

2015-12-14T17:01:36-05:00 DBG  Disable stderr logging
2015-12-14T17:01:36-05:00 DBG  Initializing output plugins
2015-12-14T17:01:36-05:00 INFO GeoIP disabled: No paths were set under output.geoip.paths
2015-12-14T17:01:36-05:00 ERR failed to initialize logstash plugin as output: file is not a certificate
2015-12-14T17:01:36-05:00 CRIT file is not a certificate

Running "openssl x509 -in /etc/filebeat/cacert.crt -text -noout" produces expected certificate output. I have also tried converting my PEM formatted CA cert to DER encoding but get the same result.

Any ideas?

andrewkroh · December 15, 2015, 7:33pm

Does your certificate file have BEGIN and END markers?

-----BEGIN CERTIFICATE-----
base64-encoded Bytes
-----END CERTIFICATE-----

https://golang.org/pkg/encoding/pem/

AlRad · December 15, 2015, 7:52pm

Yes. As far as I can tell, the CA certificate is valid and syntactically correct as it's used in other circumstances (such as encrypted rsyslog traffic, LDAP TLS, etc.). Also verified that it has not expired (good through 2023).

Are there perhaps specific X509v3 extensions that Filebeat is looking for (besides "CA: TRUE") that I may be missing?

andrewkroh · December 15, 2015, 8:38pm

The "file is not a certificate" message is generated here. https://github.com/elastic/beats/blob/e96810ae32ed41f429d0ed703c7fe858f86d351a/libbeat/outputs/tls.go#L86

It looks like this golang method is not decoding your cert. https://golang.org/src/crypto/x509/cert_pool.go?s=2159:2223#L75

You could try your certificate here. Just replace the cert text and click Run. https://play.golang.org/p/4UvK6TBeud

AlRad · December 15, 2015, 9:00pm

Bingo.........thanks a million! Apparently, my "RSA modulus is not a positive number" (more details here: http://blog.alex.org.uk/2015/10/13/rsa-modulus-is-not-a-positive-number-say-what/). Looks like I'll be regenerating a more RSA modulus-friendly CA cert.