Filebeat PKI certificate authentication not working to es

Dear all,

I'm trying to set up SSL to connect Filebeat to Elastic.

The Elastic service is running at xxxxx.yy:9200

filebeat.yml
hosts: ["xxxxx.yy:9200"]
protocol: "https"
ssl.certificate_authorities: "/etc/filebeat/security/es-ca.crt"
ssl.certificate: "/etc/filebeat/security/es-crt.crt"
ssl.key: "/etc/filebeat/security/es.key"

I created the cert using the following commands.
Obtain the key:
openssl pkcs12 -in /etc/elasticsearch/security/elastic-certificates.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > es.key
Obtain the CA:
openssl pkcs12 -in /etc/elasticsearch/security/elastic-certificates.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > es-ca.crt
Obtain the node certificate:
openssl pkcs12 -in /etc/elasticsearch/security/elastic-certificates.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > es-cert.crt

The cluster and Kibana are up and running and connected via SSL.

I'm trying to use certs to authenticate to ES, with no basic authentication.

When starting Filebeat I have:

{"log.level":"error","@timestamp":"2022-07-08T21:55:12.183-0300","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":235},"message":"error connecting to Elasticsearch at https://xxxxx.yy:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}","service.name":"filebeat","ecs.version":"1.6.0"}

Please help me understand what is missing.

Thanks!!!

  • What does your elasticsearch.yml look like?
  • What license are you running with?
  • Where did /etc/elasticsearch/security/elastic-certificates.p12 come from?
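A sanity check for the three PEM files produced by the extraction commands in the original post, as an added example that is not part of the thread: it confirms that every file exists, that the private key belongs to the certificate, and that the certificate verifies against the extracted CA. The function name `check_client_pki` is hypothetical; the script only inspects the files on the Filebeat side and says nothing about how Elasticsearch is configured.

```shell
#!/usr/bin/env bash
# Added example; check_client_pki is a hypothetical helper name.
# Usage, with the paths from the filebeat.yml in the post:
#   check_client_pki /etc/filebeat/security/es-ca.crt \
#                    /etc/filebeat/security/es-crt.crt \
#                    /etc/filebeat/security/es.key
check_client_pki() {
  local ca="$1" cert="$2" key="$3" f rc=0 cert_pub key_pub

  # Every path referenced in filebeat.yml must exist and be non-empty.
  # The sed filter used during extraction writes an empty file when the
  # PEM markers it looks for never appear in openssl's output.
  for f in "$ca" "$cert" "$key"; do
    [ -s "$f" ] || { echo "FAIL  missing or empty: $f"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return "$rc"

  # The key and certificate belong together only if both yield the same
  # public key. "-passin pass:" makes an encrypted key fail, not prompt.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo "OK    private key matches certificate"
  else
    echo "FAIL  private key does not match certificate"; rc=1
  fi

  # The client certificate must chain to the CA file that was extracted.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "OK    certificate verifies against the CA file"
  else
    echo "FAIL  certificate does not verify against the CA file"; rc=1
  fi

  # Show the subject DN that the certificate presents to the server.
  echo "INFO  $(openssl x509 -in "$cert" -noout -subject 2>/dev/null)"
  return "$rc"
}

# Run the check when called as a script with the three paths.
if [ "$#" -eq 3 ]; then check_client_pki "$@"; fi
```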
