Filebeat encryption error

elk6 · July 30, 2020, 1:29pm

I'm trying to get filebeat to send encrypted data to logstash.

In filebeat.yml, this is my output.logstash:

output.logstash:
  hosts: ["91.242.11.220:5044"] # Not the real IP
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/certs/ca.crt"] # Same as ca.crt in logstah config
  ssl.certificate: "/etc/elk/beatcert/beats.crt"
  ssl.key: "/etc/elk/beatcert/beats.key"
  ssl.key_passphrase: "password" #Not the real password
  ssl.verification_mode: full

Logstash's config:

input{  beats{
port => 5044
ssl => true
ssl_certificate_authorities => ["/usr/share/elasticsearch/ca/ca.crt"] # Same as ca.crt in filebeat.yml
ssl_certificate => "/usr/share/elasticsearch/elk/elk.crt"
ssl_key => "/usr/share/elasticsearch/elk/elkpkcs8.key"
ssl_key_passphrase => "password" # Not the real password
ssl_verify_mode => "force_peer"
}}

When I start filebeat, I get this error:

 2020-07-30T12:54:10.082Z        ERROR   [publisher_pipeline_output]     pipeline/output.go:155  Failed to connect to backoff(async(tcp://91.242.11.220:5044)): x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Elastic Certificate Tool Autogenerated CA")

Does anyone happen to know what's wrong? Huge thanks ahead.

mtojek · July 30, 2020, 1:36pm

Try to enable debug mode and see if it tells you more. Does the certificate match the domain you're referring to?

elk6 · July 30, 2020, 1:39pm

Thanks for the response, the domain is just an IP address.

mtojek · July 30, 2020, 1:51pm

I'm not quite sure if this can be root cause of your problems. Did you try with domain name?

elk6 · July 30, 2020, 4:32pm

Sovled. Just redid everything. One of the .crts wasnt made with the original CA.

system · August 27, 2020, 6:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.