Hi everyone,
I'm trying to configure SSL encryption in between filebeat and redis. I self signed the certificate.
Logfile:
filebeat.yml
filebeat.prospectors:
- type: log
enabled: true
paths:
- /var/log/*log
- /var/log/messages
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
setup.template.settings:
index.number_of_shards: 3
output.redis:
hosts: ["10.56.80.18:443"]
key: "logstash"
db: 0
timeout: 5
ssl.enabled: true
ssl.certificate_authorities: ["/etc/filebeat/certs/signing-ca-chain.pem"]
ssl.certificate: "/etc/filebeat/certs/logstash.crt"
ssl.key: "/etc/filebeat/certs/logstash.key"
logging.level: warning
logging.selectors: ["*"]
queue.mem:
events: 4096
flush.min_events: 512
flush.timeout: 5s
Command to create key / cert:
openssl req -new \
-config etc/client.conf \
-out certs/filebeat.csr \
-keyout certs/filebeat.key
openssl ca \
-config etc/signing-ca.conf \
-in certs/filebeat.csr \
-out certs/filebeat.crt \
-extensions client_ext
Client.conf:
# This file is used by the openssl req command. Since we cannot know the DN in
# advance the user is prompted for DN information.
[ req ]
default_bits = 4096 # RSA key size
encrypt_key = yes # Protect private key
default_md = sha256 # MD to use
utf8 = yes # Input is UTF-8
string_mask = utf8only # Emit UTF-8 strings
prompt = yes # Prompt for DN
distinguished_name = client_dn # DN template
req_extensions = client_reqext # Desired extensions
[ client_dn ]
0.domainComponent = "1. Domain Component (eg, com) "
0.domainComponent_default = int
1.domainComponent = "2. Domain Component (eg, company) "
1.domainComponent_default = elk
organizationName = "4. Organization Name (eg, company) "
organizationName_default = CGI
commonName = "6. Common Name (eg, full name)"
commonName_max = 64
[ client_reqext ]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
Thank you in advance.
Best regards,
1 Like
adrisr
February 13, 2018, 3:57pm
2
When I repeat your commands:
openssl req -new \
-config etc/client.conf \
-out certs/filebeat.csr \
-keyout certs/filebeat.key
it forces me to set a passphrase for the key. If this was your case too, then you need to add the passphrase into the configuration:
output.redis:
[...]
ssl.certificate: "/etc/filebeat/certs/logstash.crt"
ssl.key: "/etc/filebeat/certs/logstash.key"
ssl.key_passphrase: "my passphrase"
1 Like
Hi Adrian,
thank you for your support. Unfortunately it's still not working and the same error occurs.
My set up is the following:
VM1 (eStack)
<|Stunnel|>
VM2 (eClient)
VM1 is also my CA.
May be this helps for further troubleshooting.
Best regards,
Appendix:
eClient:/etc/filebeat/certs # openssl s_client -connect eClient:443 -CAfile signing-ca-chain.pem -cert client1.crt -key client1.key -showcerts -debug
CONNECTED(00000003)
write to 0x18f02e0 [0x18f0360] (293 bytes => 293 (0x125))
[...]
read from 0x18f02e0 [0x18f58c0] (7 bytes => 7 (0x7))
[...]
read from 0x18f02e0 [0x18f58ca] (92 bytes => 92 (0x5C))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
0000 - 16 03 03 11 1b .....
read from 0x18f02e0 [0x18f58c8] (4379 bytes => 3992 (0xF98))
[...]
read from 0x18f02e0 [0x18f6860] (387 bytes => 387 (0x183))
[...] j[.
depth=2 DC = com, DC = de, O = CGI, OU = RePub, CN = eStack Root CA
verify return:1
depth=1 DC = com, DC = de, O = CGI, OU = RePub, CN = eStack Signing CA
verify return:1
depth=0 DC = com, DC = de, O = CGI, CN = eStack
verify return:1
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
[...]
read from 0x18f02e0 [0x18f58c8] (589 bytes => 589 (0x24D))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
[...]
write to 0x18f02e0 [0x18ff560] (12 bytes => 12 (0xC))
[...]
write to 0x18f02e0 [0x18ff560] (75 bytes => 75 (0x4B))
[...]
write to 0x18f02e0 [0x18ff560] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
write to 0x18f02e0 [0x18ff560] (45 bytes => 45 (0x2D))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02 .....
read from 0x18f02e0 [0x18f58c8] (2 bytes => 2 (0x2))
0000 - 02 28 .(
140080001230480:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140080001230480:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/DC=com/DC=de/O=CGI/CN=eStack
i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
1 s:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
2 s:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/DC=com/DC=de/O=CGI/CN=eStack
issuer=/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
---
Acceptable client certificate CA names
/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5338 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 9452A41BA37702F4CF049E9F9BE309BBD8116FBD54D01D695DE58676F44F9869
Session-ID-ctx:
Master-Key: 4B5E5891948F82244B0411F11365BDCB590A03B0E6AE0DB7CBAF65064F06117BAD54630146008109A3F12152500D8E06
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1518601431
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
eClient:/etc/filebeat/certs # openssl s_client -state -nbio -connect eClient:443 2>&1 | grep "^SSL"
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:error in SSLv3 read server certificate A
SSL_connect:error in SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
SSL handshake has read 5338 bytes and written 138 bytes
SSL-Session:
adrisr
February 14, 2018, 3:42pm
4
What is your openssl version? Check with openssl version in the command-line
adrisr:
openssl version
OpenSSL 1.0.2j-fips 26 Sep 2016
adrisr
February 14, 2018, 5:09pm
6
There seems to be a problem dealing with encrypted private keys generated by openssl 1.x. The ones generated by openssl 0.9x work.
You can tell the difference in the first few lines of the file.
Works:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5C4A07D0414173B0
Doesn't work:
-----BEGIN ENCRYPTED PRIVATE KEY-----
For now the only workaround is to convert your private key to the old format:
openssl pkcs8 -in private.key -traditional -out plain.pem
openssl rsa -aes256 -in plain.pem -out encrypted.key
Remember to remove plain.pem as it is not encrypted.
4 Likes
system
March 14, 2018, 5:09pm
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.