Filebeat not connecting to elasticsearch over ssl

I installed elasticsearch 8.3.3 on ubuntu 18.04 and allowed xpack.

curl --cacert /etc/elasticsearch/certs/http_ca.crt -u elastic https://localhost:9200 

after entering the password gives the result

{
  "name" : "mgmt-els-01",
  "cluster_name" : "mgmt-els-01",
  "cluster_uuid" : "m5yvSutmRvqutn6DmCLlZQ",
  "version" : {
    "number" : "8.3.3",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "801fed82df74dbe537f89b71b098ccaff88d2c56",
    "build_date" : "2022-07-23T19:30:09.227964828Z",
    "build_snapshot" : false,
    "lucene_version" : "9.2.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

Generated fingerprint

openssl x509 -fingerprint -sha256 -in /etc/elasticsearch/certs/http_ca.crt

and pasted it into the filebeat config on another server.

But when I try to send logs to the elasticsearch server, I get an error -

[2022-08-11T13:40:43,636][WARN ][o.e.h.AbstractHttpServerTransport] [mgmt-els-01] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/172.61.10.49:9200, remoteAddress=/10.67.8.72:42476}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

Filebeat config:

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  hosts: ["mgmt-els-01.node.consul"]
  protocol: https
  username: "filebeat"
  password: "somepasswd"

  ssl:
    enabled: true
    ca_trusted_fingerprint: "fingerprint" 

filebeat version

filebeat version 8.3.3 (amd64), libbeat 8.3.3 [1755b5dd3127bf755ee39deb25a802438bdac620 built 2022-07-23 00:34:44 +0000 UTC]

What am I doing wrong?

Hi @pauldon2 When you set up elasticsearch you should have been provided the fingerprint... do you have that? Did you try that?

Example

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
✅ Elasticsearch security features have been automatically configured!
✅ Authentication is enabled and cluster connections are encrypted.

ℹ️  Password for the elastic user (reset with `bin/elasticsearch-reset-password -u elastic`):
	askdjfhasldkfjhasdflkjashdf

ℹ️  HTTP CA certificate SHA-256 fingerprint:
  2d15f23e450524d8619872025345beeebcabba656a29c068c9187478371274f0

When I ran the command you provided, the fingerprint produced is

2D:15:F2:3E:45:05:24:D8:61:98:72:02:53:45:BE:EE:BC:AB:BA:65:6A:29:C0:68:C9:18:74:78:37:12:74:F0

which is the same but with the ":" separators; perhaps you need to remove those.

Perhaps:

openssl x509 -fingerprint -sha256 -in ./http_ca.crt | sed -e 's/://g'

My result:

SHA256 Fingerprint=2D15F23E450524D8619872025345BEEEBCABBA656A29C068C9187478371274F0

I installed elasticsearch on Ubuntu 18.04 using the package manager and didn't get a fingerprint.
But after that (as I wrote) I got it using the command:

openssl x509 -fingerprint -sha256 -in /etc/elasticsearch/certs/http_ca.crt

I just tried removing the ":" and saved the resulting fingerprint to the filebeat config.
But I still get the same error.

[2022-08-12T06:21:52,524][WARN ][o.e.h.AbstractHttpServerTransport] [mgmt-els-01] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/172.61.10.49:9200, remoteAddress=/10.67.8.72:34676}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

@pauldon2
I think the fingerprint is fine. Just FYI, the data I showed above does come up when installing a .deb / .rpm; it may have just scrolled by, but I think you are good.

We all love cert issues right? :slight_smile:

I don't think this is a fingerprint issue... you could validate that by trying to run filebeat on the elasticsearch host and using localhost as the elasticsearch address.

How did you configure / create the cert? ... in short, I suspect that the "name" you are trying to access elasticsearch by, mgmt-els-01.node.consul, is not part of the Common Name / Domain in the cert... the default will only have the hostname and IP address.... unless you specifically set that up.

Can you try the IP address instead of the FQDN or perhaps just mgmt-els-01
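To turn the two checks from this reply into something repeatable, here is an added helper script (not from the thread or the Beats project). It assumes `openssl` is on PATH and that you point it at a PEM certificate file: `ca_fingerprint` prints the SHA-256 fingerprint in the colon-free hex form `ssl.ca_trusted_fingerprint` expects, and `san_covers` reports whether a DNS name or IPv4 address is actually listed in the certificate's subjectAltName, which is what fails when Filebeat uses an FQDN the cert was never issued for.

```shell
#!/bin/sh
# Added example, not part of the original thread. Requires the openssl CLI.

# Print the SHA-256 fingerprint of a PEM certificate as plain lower-case hex,
# i.e. the same form the Elasticsearch setup banner prints and Filebeat expects
# in ssl.ca_trusted_fingerprint (openssl prints "SHA256 Fingerprint=AA:BB:...").
ca_fingerprint() {
  openssl x509 -fingerprint -sha256 -noout -in "$1" \
    | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Return 0 if NAME (a DNS name or IPv4 address) appears in the certificate's
# subjectAltName extension, 1 otherwise. A cert with no SAN at all (or one that
# only lists the short hostname and IP) will reject an FQDN such as
# mgmt-els-01.node.consul, which is the mismatch discussed above.
san_covers() {
  cert=$1
  name=$2
  # openssl prints the SAN entries on the line after the extension header,
  # e.g. "DNS:mgmt-els-01, IP Address:172.61.10.49"; split them one per line.
  sans=$(openssl x509 -noout -text -in "$cert" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *//')
  printf '%s\n' "$sans" | grep -qxF -e "DNS:$name" -e "IP Address:$name"
}
```

Run `san_covers /path/to/cert.pem mgmt-els-01.node.consul; echo $?` against the certificate Elasticsearch actually serves; a non-zero exit means the name is not in the cert and the handshake will keep failing regardless of the fingerprint.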

> How did you configure / create the cert? ... in short I suspect that the "name" you are trying to access elasticsearch by mgmt-els-01.node.consul is not part of the Common Name / Domain in the cert... the default will only have the hostname, and IP address.... unless you specifically set that up.
> Can you try the IP address instead of the FQDN or perhaps just mgmt-els-01

Yes! :slight_smile: I changed FQDN to IP and everything worked. Thanks a lot!

P.S. Where can I read how to add FQDN to a previously generated certificate?

So I am good with certificates but I am not the expert ninja.

But what I will say is you're not going to be able to add it to the existing one for several reasons, but the most important is it has a password applied to it that has been added to the key store which you'll never be able to see again. So you're going to need to create a new cert for the HTTPS endpoint. That's my understanding.

You will want to use cert mode with this command

Also, I wrote a how-to for the 7.x version. I think it still applies. You can take a look at that:

https://github.com/bvader/howtos/blob/master/basic-security-elasticsearch/README.md

Wonderful. Especially the second document. Tomorrow I will try to follow it step by step. Thanks again.
