Hi. I have a very odd issue with a Filebeat connection to Logstash.
The deployment is as follows:
- Logstash on hosted AWS infrastructure.
- Filebeat on AWS Windows Server 2012 on a different network and VPC.
- Server-side SSL certification using self-signed .crt and .key
** The certificate has a SubjectAlternateName with the IP of the Logstash server machine.
** The .crt has additionally been installed to the Windows certificate store as a trusted root certificate.
** The .crt can be opened in a text editor and starts: ----BEGIN. Therefore, I understand that it is in valid .PEM format.
- Filebeat config looks like the following:
filebeat:
  prospectors:
    - paths:
        - \PathToLogDirectory\*.log
      input_type: log
      document_type: log
      enabled: true
output.logstash:
  hosts: host_ip_address:5044
  loadbalance: true
  ssl.enabled: true
  ssl.certificate_authorities: ["logstash.crt"]
logging.files.path: "path_to_logging_directory"
path.data: "path_to_data_directory"
When I run the command:
curl -v --cacert logstash.crt https://host_ip_address:5044
The response is:
* Rebuilt URL to: https://host_ip_address:5044/
* Trying host_ip_address...
* TCP_NODELAY set
* Connected to host_ip_address (host_ip_address) port 5044 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: logstash.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=logstash_certificate
* start date: Mar 1 19:24:56 2018 GMT
* expire date: Nov 8 19:24:56 2031 GMT
* subjectAltName: host "host_ip_address" matched cert's IP address!
* issuer: CN=logstash_certificate
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: host_ip_address:5044
> User-Agent: curl/7.55.1
> Accept: */*
>
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
However, when I run Filebeat from a Windows machine using the filebeat.yml config above, I see an error saying:
"certificate is valid for 18.104.22.168, not 22.214.171.124"
(IP address 126.96.36.199 is an example address). The key is that both IPs in the error message are the same.
Any help to diagnose or resolve this issue would be much appreciated.
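
As an added example, not part of the original post: Filebeat is a Go program and verifies the server certificate with Go's crypto/x509 rather than curl's OpenSSL, so this sketch lists a certificate's SAN entries by type and runs Go's own hostname check against them. The certificates and the 192.0.2.10 address are constructed for the demonstration, and checkHost and sampleCert are hypothetical helper names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkHost parses a PEM certificate and applies Go's hostname check,
// returning the SAN entries by type so a mismatch can be traced.
func checkHost(pemBytes []byte, host string) ([]net.IP, []string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, nil, fmt.Errorf("no PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	return cert.IPAddresses, cert.DNSNames, cert.VerifyHostname(host)
}

// sampleCert builds a constructed self-signed certificate for the demo.
func sampleCert(ips []net.IP, dns []string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  ips,
		DNSNames:     dns,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	host := "192.0.2.10" // constructed documentation address, not from the post
	for _, c := range [][]byte{sampleCert([]net.IP{net.ParseIP(host)}, nil), sampleCert(nil, []string{host})} {
		ips, dns, err := checkHost(c, host)
		fmt.Printf("ip_sans=%v dns_sans=%v verify_err=%v\n", ips, dns, err)
	}
}
```

To inspect a real certificate, read logstash.crt from disk and pass its bytes to checkHost together with the address from the hosts setting.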