I have been trying to connect Filebeat to a cluster that has HTTP encryption enabled. When I try to connect, I get this error:
elasticsearch: https://xx.xx.xx.xx:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: xx.xx.xx.xx
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: cannot validate certificate for xx.xx.xx.xx because it doesn't contain any IP SANs
Now, I did a little research and it turned out it might be because the SAN is not set in the certificate, but my certificate has a SAN. Here is the output:
X509v3 extensions:
X509v3 Subject Alternative Name:
IP Address:xx.xx.xx.xx
Does curl -v --cacert path/to/ca.crt https://xx.xx.xx.xx:9200 work?
Can you use the DNS name associated with the certificate in your filebeat config (output.elasticsearch.hosts: ['https://my.host.com:9200']) instead of the IP?
I would capture the server's certificate chain on the client side and inspect the SANs.
openssl s_client -connect host:9200 -showcerts
Then copy the server cert (it's the first one logged at the top - 0) and run it through openssl. For example:
I tried to capture using openssl s_client -connect host:9200 -showcerts, and the certificate it gave has the subject name "Elastic Certificate Tool Autogenerated CA". Now if I use that certificate to connect, I get an error:
curl: (51) SSL: certificate subject name (Elastic Certificate Tool Autogenerated CA) does not match target host name 'host'
Not sure how to change the subject name to make it connect.
Sorry for the newbie-level questions, I am new to SSL.
So if you have curl working, it should just be a matter of setting the equivalent settings in your filebeat.yml. I don't know exactly what arguments you used with curl, so I'm guessing that you set a CA cert and a basic auth user/pass.
Then the config options I gave should be correct for Filebeat. Can you please post your latest configuration and the output from filebeat test output -e -d "*".
./filebeat test output -e -d "*"
2018-04-12T02:35:19.850-0400 INFO instance/beat.go:479 Home path: [/root/go/src/github.com/elastic/beats/filebeat] Config path: [/root/go/src/github.com/elastic/beats/filebeat] Data path: [/root/go/src/github.com/elastic/beats/filebeat/data] Logs path: [/root/go/src/github.com/elastic/beats/filebeat/logs]
2018-04-12T02:35:19.850-0400 DEBUG [beat] instance/beat.go:506 Beat metadata path: /root/go/src/github.com/elastic/beats/filebeat/data/meta.json
2018-04-12T02:35:19.850-0400 INFO instance/beat.go:486 Beat UUID: e290a366-a0bc-4ba4-8a9a-2039f433aa69
2018-04-12T02:35:19.851-0400 INFO elasticsearch/client.go:145 Elasticsearch url: https://xx.xx.xx.xx:9200
elasticsearch: https://xx.xx.xx.xx:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: xx.xx.xx.xx
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... ERROR x509: cannot validate certificate for xx.xx.xx.xx because it doesn't contain any IP SANs
Here is my filebeat config:
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["xx.xx.xx.xx:9200"]
  # Optional protocol and basic auth credentials.
  protocol: "https"
  username: "elastic"
  password: "kcYR1Fr5Cll0mhO"
  ssl.certificate_authorities: "/path / to /ca/crt"