Hello. I am using filebeat version 1.2.1 (amd64).
I've setup logstash with input beats and ssl (ssl_verify_mode => force_peer) and self signed certificate containing additional Subject Alternative Name.
I am able to connect wi
I can connect fine from host using
from host connecting via #filebeat.yml part output: logstash: hosts: ["<DNS ALT NAME>:5000"] tls: insecure: false
but connections via #filebeat.yml part output: logstash: hosts: ["<CN field from cert>:5000"] tls: insecure: false
fail with: 2016/04/18 07:19:31.624512 transport.go:125: ERR SSL client failed to connect with: x509: certificate is valid for <DNS ALT NAME>, not <CN field from cert>
Is this a bug or it's just not implemented and I missed some FAQ/doc?
certificates are signed for domain names. When setting insecure: false (default), certificates will be validated + domain name is compared with certificate. Setting insecure: true should disable the domain name check (not recommended due to potential man-in-the-middle attacks).
I've implicitly turn on tls in config (certificate_authorities, certificate, certificate_keyca) and set "insecure: false" as I want only to preceed with connection when both server and client are validated via x509.
What I am saying is that filebeats (client) is denying to connect to server presenting valid certifitacte (it only validates against SubjectAltName skipping CN)
I checked connectivity with openssl s_client and cert IS valid for both for both STRINGS (one in CN other via SubjectAltName type DNS)
I think it is bug in filebeats.
I was able to overcome this by adding sime value as CN to additional SubjectAltName
So my cert has now
CN = X
SubjectAltName = X
SubjectAltName = Y
and only now I can connect via both X,Y
OMG. I bought/used quite a few "SSL" certs and was quite sure I know what I am speaking about but you just wrecked me
No more questions / thank you for fast answer and pointing me to more info.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.