Filebeat ca cert problem

AlRad · December 15, 2015, 3:16pm

I'm attempting to basically get encrypted comms going between Filebeat hosts and the Logstash server (encryption only, no client authentication). Filebeat, however, is not accepting the CA certificate. Here is my filebeat.yml config:

filebeat:
  prospectors:
    -
      paths:
        - /var/log/messages
      input_type: log
  registry_file: /var/lib/filebeat/registry
logging:
  to_files: true
  level: debug
  files:
    path: "/var/log"
    name: filebeat_log
output:
  logstash:
    enabled: true
    hosts:
      - "logstashnode:5044"
    tls:
      disabled: false
      certificate_authorities:
        - "/etc/filebeat/cacert.crt"

Here's the debug output:

2015-12-14T17:01:36-05:00 DBG  Disable stderr logging
2015-12-14T17:01:36-05:00 DBG  Initializing output plugins
2015-12-14T17:01:36-05:00 INFO GeoIP disabled: No paths were set under output.geoip.paths
2015-12-14T17:01:36-05:00 ERR failed to initialize logstash plugin as output: file is not a certificate
2015-12-14T17:01:36-05:00 CRIT file is not a certificate

Running "openssl x509 -in /etc/filebeat/cacert.crt -text -noout" produces expected certificate output. I have also tried converting my PEM formatted CA cert to DER encoding but get the same result.

Any ideas?

andrewkroh · December 15, 2015, 7:33pm

Does your certificate file have BEGIN and END markers?

-----BEGIN CERTIFICATE-----
base64-encoded Bytes
-----END CERTIFICATE-----

https://golang.org/pkg/encoding/pem/

AlRad · December 15, 2015, 7:52pm

Yes. As far as I can tell, the CA certificate is valid and syntactically correct as it's used in other circumstances (such as encrypted rsyslog traffic, LDAP TLS, etc.). Also verified that it has not expired (good through 2023).

Are there perhaps specific X509v3 extensions that Filebeat is looking for (besides "CA: TRUE") that I may be missing?

andrewkroh · December 15, 2015, 8:38pm

The "file is not a certificate" message is generated here. https://github.com/elastic/beats/blob/e96810ae32ed41f429d0ed703c7fe858f86d351a/libbeat/outputs/tls.go#L86

It looks like this golang method is not decoding your cert. https://golang.org/src/crypto/x509/cert_pool.go?s=2159:2223#L75

You could try your certificate here. Just replace the cert text and click Run. https://play.golang.org/p/4UvK6TBeud

AlRad · December 15, 2015, 9:00pm

Bingo.........thanks a million! Apparently, my "RSA modulus is not a positive number" (more details here: http://blog.alex.org.uk/2015/10/13/rsa-modulus-is-not-a-positive-number-say-what/). Looks like I'll be regenerating a more RSA modulus-friendly CA cert.

Topic		Replies	Views
Filebeat encryption error Beats filebeat	5	2095	August 27, 2020
Filebeat & Logstash with intermediate CA (cert chain) Issues Beats filebeat	5	3500	November 29, 2017
Certificate Error in File Beat connecting to Logstash Beats filebeat	4	4810	July 5, 2017
Filebeat ssl connection error: certificate is valid for x, not x Beats filebeat	1	991	March 30, 2018
Getting a Filebeat server certificate verification fail Beats	3	931	April 27, 2017

Filebeat ca cert problem

Related topics