Filebeat ssl connection error: certificate is valid for x, not x

Hi. I have a very odd issue with filebeat connection to logstash.

The deployment is as follows:

  • Logstash on hosted AWS infrastructure.
  • Filebeat on AWS Windows server 2012 on a different network and VPC.
  • Server-side SSL certification using self-signed .crt and .key
    ** The certificate has a SubjectAlternativeName with the IP of the logstash server machine.
    ** The .crt has additionally been installed to windows certificate store as a trusted root certificate.
    ** The .crt can be opened in a text editor and starts: ----BEGIN. Therefore, I understand that it is in valid .PEM format.
  • Filebeat config looks like the following:
filebeat:
  prospectors:
  -
    paths:
      - \PathToLogDirectory\*.log
    input_type: log
    document_type: log
    enabled: true

output.logstash:
  hosts: ["host_ip_address:5044"]
  loadbalance: true
  ssl.enabled: true
  ssl.certificate_authorities: ["logstash.crt"]

logging.files.path: "path_to_logging_directory"

path.data: "path_to_data_directory"

When I run the command:

curl -v --cacert logstash.crt https://host_ip_address:5044

The response is:

* Rebuilt URL to: https://host_ip_address:5044/
*   Trying host_ip_address...
* TCP_NODELAY set
* Connected to host_ip_address (host_ip_address) port 5044 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: logstash.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=logstash_certificate
*  start date: Mar  1 19:24:56 2018 GMT
*  expire date: Nov  8 19:24:56 2031 GMT
*  subjectAltName: host "host_ip_address" matched cert's IP address!
*  issuer: CN=logstash_certificate
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: host_ip_address:5044
> User-Agent: curl/7.55.1
> Accept: */*
> 
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

However, when I run Filebeat from a Windows machine using the filebeat.yml config above, I see an error saying:

"certificate is valid for 1.1.1.1, not 1.1.1.1"

(IP address 1.1.1.1 is an example address.) The key is that both IPs in the error message are the same.

Any help to diagnose or resolve this issue would be much appreciated.
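Added diagnostic example, not from the original post: Filebeat is written in Go, and that error text is Go's crypto/x509 hostname check, which matches an IP host only against IP Address SAN entries (never DNS Name entries or the CN). The program below builds constructed self-signed certificates and runs that same check (cert.VerifyHostname) against the placeholder 1.1.1.1 to show which SAN layouts pass and what message each failure produces; it exercises only the pure-Go check, not the Windows certificate store, and the helper names selfSigned and checkHost are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed self-signed certificate for the test.
// ipSANs become IP Address SAN entries, dnsSANs become DNS Name SAN entries.
func selfSigned(ipSANs []net.IP, dnsSANs []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "logstash_certificate"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IPAddresses:  ipSANs,
		DNSNames:     dnsSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost runs the hostname check Go's TLS client applies to the server
// certificate. It returns "" on success, otherwise the x509 error text.
func checkHost(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	const ip = "1.1.1.1" // placeholder address, as in the post
	ipSAN, _ := selfSigned([]net.IP{net.ParseIP(ip)}, nil)
	dnsSAN, _ := selfSigned(nil, []string{ip}) // the IP written as a DNS name
	otherIP, _ := selfSigned([]net.IP{net.ParseIP("2.2.2.2")}, nil)
	fmt.Printf("IP SAN matches:   %q\n", checkHost(ipSAN, ip))
	fmt.Printf("IP as DNS SAN:    %q\n", checkHost(dnsSAN, ip))
	fmt.Printf("different IP SAN: %q\n", checkHost(otherIP, ip))
}
```

Inspecting the real certificate with `openssl x509 -in logstash.crt -noout -text` and comparing the `IP Address:` entries under Subject Alternative Name with the host in `hosts:` is the equivalent check on the deployed file.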
