Filebeat encryption error

I'm trying to get filebeat to send encrypted data to logstash.

In filebeat.yml, this is my output.logstash:

  hosts: [""] # Not the real IP
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/certs/ca.crt"] # Same as ca.crt in Logstash config
  ssl.certificate: "/etc/elk/beatcert/beats.crt"
  ssl.key: "/etc/elk/beatcert/beats.key"
  ssl.key_passphrase: "password" #Not the real password
  ssl.verification_mode: full

Logstash's config:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/usr/share/elasticsearch/ca/ca.crt"] # Same as ca.crt in filebeat.yml
    ssl_certificate => "/usr/share/elasticsearch/elk/elk.crt"
    ssl_key => "/usr/share/elasticsearch/elk/elkpkcs8.key"
    ssl_key_passphrase => "password" # Not the real password
    ssl_verify_mode => "force_peer"
  }
}

When I start filebeat, I get this error:

 2020-07-30T12:54:10.082Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:155  Failed to connect to backoff(async(tcp:// x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Elastic Certificate Tool Autogenerated CA")

Does anyone happen to know what's wrong? Huge thanks ahead.

Try to enable debug mode and see if it tells you more. Does the certificate match the domain you're referring to?

Thanks for the response. The domain is just an IP address.

I'm not quite sure if this can be the root cause of your problems. Did you try with a domain name?

Solved. Just redid everything. One of the .crts wasn't made with the original CA.
