Guide for Generating valid Certs for Logstash / Filebeat SSL Setup

ninjada · April 20, 2017, 1:10am

hi guys,

this stumps me every time i setup an ELK stack for some reason.. I had it sussed out last time i was deploying multiple ELK stacks on version 2.x

have just finished testing 5.x and am readying to get everything production ready eg. SSL and security configuration but am hitting the same problem.

im receiving the error: cannot validate certificate for 10.10.1.169 because it doesn't contain any IP SANs..

is there a definitive guide to generating SSL? cause ive tried 2 now and i receive errors.

ideally i'd like one to cover just a host name, eg. elk.myinstance.aws -- as the server may change public & private IP...

magnusbaeck · April 24, 2017, 5:19am

How are you creating the certificate? What do the Filebeat and Logstash configurations look like?

ninjada · May 1, 2017, 3:01am

to be honest I've lost count now, i've tried a bunch..

heres what i last used.. generating the certs using:

for logstash server:
sudo openssl req -subj '/CN=elk.mydomain/‘ -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/logstash/private/logstash.key -out /etc/pki/logstash/certs/logstash.crt
for filebeat servers:
sudo openssl req -subj '/CN=elk.mydomain/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout /etc/pki/logstash/private/filebeat.key -out /etc/pki/logstash/certs/filebeat.crt

where elk.mydomain is the internal dns route i setup on EC@ and what i point all servers running filebeat to goto.

preferrably i'd like it to just work based on that DNS entry, but i either get IP SAN errors or invalid key format errors...

is there a definitive guide for this?

magnusbaeck · May 3, 2017, 5:13am

Please answer both of my questions.

system · May 31, 2017, 5:18am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.