Filebeat private key parse error

Hi everyone,

I'm trying to configure SSL encryption in between filebeat and redis. I self signed the certificate.

Logfile:
filebeat -c filebeat.yml -e -v
2018/02/13 12:22:37.675420 beat.go:436: INFO Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2018/02/13 12:22:37.675615 beat.go:443: INFO Beat UUID: e09a10d6-63d7-467b-9866-91a0bdf3331a
2018/02/13 12:22:37.675630 beat.go:203: INFO Setup Beat: filebeat; Version: 6.1.2
2018/02/13 12:22:37.675886 tls.go:190: CRIT Failed loading client certificate%!(EXTRA *errors.errorString=tls: failed to parse private key)
2018/02/13 12:22:37.676161 beat.go:635: CRIT Exiting: error initializing publisher: 1 error: tls: failed to parse private key
Exiting: error initializing publisher: 1 error: tls: failed to parse private key

filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*log
    - /var/log/messages
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.redis:
  hosts: ["10.56.80.18:443"]
  key: "logstash"
  db: 0
  timeout: 5
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/filebeat/certs/signing-ca-chain.pem"]
  ssl.certificate: "/etc/filebeat/certs/logstash.crt"
  ssl.key: "/etc/filebeat/certs/logstash.key"
logging.level: warning
logging.selectors: ["*"]
queue.mem:
  events: 4096
  flush.min_events: 512
  flush.timeout: 5s

Command to create key / cert:

 openssl req -new \
            -config etc/client.conf \
            -out certs/filebeat.csr \
            -keyout certs/filebeat.key
    	    	
 openssl ca \
        -config etc/signing-ca.conf \
        -in certs/filebeat.csr \
        -out certs/filebeat.crt \
        -extensions client_ext

Client.conf:
# Client certificate request

# This file is used by the openssl req command. Since we cannot know the DN in
# advance the user is prompted for DN information.

[ req ]
default_bits            = 4096                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha256                # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = yes                   # Prompt for DN
distinguished_name      = client_dn              # DN template
req_extensions          = client_reqext          # Desired extensions

[ client_dn ]
0.domainComponent       = "1. Domain Component         (eg, com)      "
0.domainComponent_default = int
1.domainComponent       = "2. Domain Component         (eg, company)  "
1.domainComponent_default = elk
organizationName        = "4. Organization Name        (eg, company)  "
organizationName_default = CGI
commonName              = "6. Common Name              (eg, full name)"
commonName_max          = 64

[ client_reqext ]
keyUsage                = critical,digitalSignature,keyEncipherment
extendedKeyUsage        = clientAuth
subjectKeyIdentifier    = hash

Thank you in advance.

Best regards,
Simon

1 Like

When I repeat your commands:

openssl req -new \
            -config etc/client.conf \
            -out certs/filebeat.csr \
            -keyout certs/filebeat.key

it forces me to set a passphrase for the key. If this was your case too, then you need to add the passphrase into the configuration:

output.redis:
  [...]
  ssl.certificate: "/etc/filebeat/certs/logstash.crt"
  ssl.key: "/etc/filebeat/certs/logstash.key"
  ssl.key_passphrase: "my passphrase"
1 Like

Hi Adrian,

thank you for your support. Unfortunately it's still not working and the same error occurs.

My set up is the following:

VM1 (eStack)
Kibana-->Elasticsearch<--Logstash

<|Stunnel|>

VM2 (eClient)
Redis<--Filebeat

VM1 is also my CA.

May be this helps for further troubleshooting.

Best regards,
Simon

Appendix:

eClient:/etc/filebeat/certs # openssl s_client -connect eClient:443 -CAfile signing-ca-chain.pem -cert client1.crt -key client1.key -showcerts -debug
Enter pass phrase for client1.key:

CONNECTED(00000003)
write to 0x18f02e0 [0x18f0360] (293 bytes => 293 (0x125))
[...]
read from 0x18f02e0 [0x18f58c0] (7 bytes => 7 (0x7))
[...]
read from 0x18f02e0 [0x18f58ca] (92 bytes => 92 (0x5C))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
0000 - 16 03 03 11 1b                                    .....
read from 0x18f02e0 [0x18f58c8] (4379 bytes => 3992 (0xF98))
[...]
read from 0x18f02e0 [0x18f6860] (387 bytes => 387 (0x183))
[...]                                j[.
depth=2 DC = com, DC = de, O = CGI, OU = RePub, CN = eStack Root CA
verify return:1
depth=1 DC = com, DC = de, O = CGI, OU = RePub, CN = eStack Signing CA
verify return:1
depth=0 DC = com, DC = de, O = CGI, CN = eStack
verify return:1
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
[...]
read from 0x18f02e0 [0x18f58c8] (589 bytes => 589 (0x24D))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
[...]
write to 0x18f02e0 [0x18ff560] (12 bytes => 12 (0xC))
[...]
write to 0x18f02e0 [0x18ff560] (75 bytes => 75 (0x4B))
[...]
write to 0x18f02e0 [0x18ff560] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01                                 ......
write to 0x18f02e0 [0x18ff560] (45 bytes => 45 (0x2D))
[...]
read from 0x18f02e0 [0x18f58c3] (5 bytes => 5 (0x5))
0000 - 15 03 03 00 02                                    .....
read from 0x18f02e0 [0x18f58c8] (2 bytes => 2 (0x2))
0000 - 02 28                                             .(
140080001230480:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1487:SSL alert number 40
140080001230480:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/DC=com/DC=de/O=CGI/CN=eStack
   i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
   i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 2 s:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
   i:/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/DC=com/DC=de/O=CGI/CN=eStack
issuer=/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
---
Acceptable client certificate CA names
/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Signing CA
/DC=com/DC=de/O=CGI/OU=RePub/CN=eStack Root CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5338 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 9452A41BA37702F4CF049E9F9BE309BBD8116FBD54D01D695DE58676F44F9869
    Session-ID-ctx:
    Master-Key: 4B5E5891948F82244B0411F11365BDCB590A03B0E6AE0DB7CBAF65064F06117BAD54630146008109A3F12152500D8E06
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1518601431
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

eClient:/etc/filebeat/certs # openssl s_client -state -nbio -connect eClient:443 2>&1 | grep "^SSL"

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:error in SSLv3 read server certificate A
SSL_connect:error in SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read finished A
SSL3 alert read:fatal:handshake failure
SSL_connect:failed in SSLv3 read finished A
SSL handshake has read 5338 bytes and written 138 bytes
SSL-Session:

What is your openssl version? Check with openssl version in the command-line

OpenSSL 1.0.2j-fips 26 Sep 2016

There seems to be a problem dealing with encrypted private keys generated by openssl 1.x. The ones generated by openssl 0.9x work.

You can tell the difference in the first few lines of the file.

Works:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5C4A07D0414173B0

Doesn't work:

-----BEGIN ENCRYPTED PRIVATE KEY-----

For now the only workaround is to convert your private key to the old format:

openssl pkcs8 -in private.key -traditional -out plain.pem
openssl rsa -aes256 -in plain.pem -out encrypted.key

Remember to remove plain.pem as it is not encrypted.

4 Likes

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.