How to handle https end point monitoring using certs

sukku77 · July 6, 2019, 6:08am

Hi,
I would like to invoke below https url for health check every 30s. I am using http_poller inut plugin. But getting below handshake issue

Host name 'xxxxxxx' does not match the certificate subject provided by the peer (O=Internet Widgits Pty Ltd, ST=California, C=US)

Firstly i have used below command to generate jks via cert files by providing ipaddress and port:

openssl s_client -showcerts -connect xxxxx:xxx </dev/null 2>/dev/null|openssl x509 -outform PEM > downloaded_cert.pem; keytool -import -alias test -file downloaded_cert.pem -keystore downloaded_truststore.jks

Below is the configurtion:

 urls => {
    host_uptime_service => {
      method => get
      url => "https://xxxxxx:xxx/api/abc/xyz/ha"
      verify_cert => true
      cacert => "/apps/logstash/downloaded_cert.pem"
      headers => {
        "Authorization" => "Basic xxxx"
        "Accept" => "application/vnd.yang.data+json"
      }
    }
}
truststore => "/apps/logstash/downloaded_truststore.jks"
truststore_password => "xxxx"

Any advise how to fix the issue. Let me know if i miss any required information

Thanks

Juanma · July 6, 2019, 3:03pm

Hi @sukku77

Is it possible that the cert is missing the subjectAltName?

The error is clearly telling you that the certificate used doesn't match the hostname.

If what you want is a health check have you considered to use heartbeat? it's more lightweight and designed for that pourpose

sukku77 · July 7, 2019, 1:45am

Hi @Juanma
Thanks for replying,
I need http_poller plugin because i need to parse the json and need to run ruby logic to extract the fields in json response. So i thought http_poller is better choice as per my knowledge. Please correct me if i am worng, or suggest if there is any other option

Coming to the certificate issue.
I forgot to mention in above post that, I am calling https end point url which have ip address, but i specify hostname of it under /etc/hosts where my http_poller is running.
But i couldn't understand about subjectAltName that you mentioned. If I am right, you are taking about the way to generate certificate is not exactly right
Please help me to correct with right syntax of generating certificate

openssl s_client -showcerts -connect 10.34.55.344:8888 </dev/null 2>/dev/null|openssl x509 -outform PEM > downloaded_cert.pem; keytool -import -alias test -file downloaded_cert.pem -keystore downloaded_truststore.jks

Thanks

Juanma · July 8, 2019, 9:25am

Hi @sukku77

Yes it's related with the way of generating the certs, as far as I can see you are not generating any certificate, you are downloading them from "10.34.55.344:8888" then generating a pem format and then importing it inside a JKS.

What you should to it's to check if the certificate generated to that host, have the subjectAltName attribute with the hostname to which you are pointing.

Try with the following command:

 openssl s_client -showcerts -connect 10.34.55.344:8888 </dev/null 2>/dev/null| openssl x509 -text -noout

Then check for something like:

The "DNS:" value must match your url hostname in order to work.
In case there is not DNS values or IPs values and you want to verify the certificate you must remake the certs with the correct parameters or you allways can skip certificate validation skipping it with "verify_cert => false"

In other hand, I didn't know you needed a parsing of the input, that's why I suggested you heatbeat

sukku77 · July 13, 2019, 6:19am

Hi @Juanma ,
I tried these ways as you suggested

Firstly I verfied any DNS or subaltnames in the server certificate which I downloaded directly earlier, but couldn't see any DNS names in server certificate or subaltnames
Then I tried by disabling validating certificates using verify_cert => false , but no luck
Finally I created self sign certificate and generated truststore jks file out of it, But this time it is different error which is related to path, But I provided right jks file path as in the below configuration. Please suggest if you have some thought on these lines

"http_request_failure"=>{"error"=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Below is my sample updated http_poller configuration file:

 urls => {
    uptime_service => {
      url => "https://hostname:port/api/abcd/test/ha"
      headers => {
        "Authorization" => "Basic xxxxxxxxxx"
        "Accept" => "application/vnd.yang.data+json"
      }
  }
}
truststore => "/apps/logstash/ssl_certs/downloaded_truststore.jks"
truststore_password => "xxxxxx"

}

Thanks
Sukumar C

system · August 10, 2019, 6:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Http_poller Host name '192.168.1.35' does not match the certificate subject provided by the peer Logstash	6	3755	April 20, 2018
Does http_poller handle https? Logstash	25	7551	July 6, 2017
Http_poller Logstash	6	180	May 13, 2024
Logstash http_poller ssl issue Logstash	1	369	January 9, 2020
Using http poller for https server Logstash	1	160	December 8, 2022

How to handle https end point monitoring using certs

Related topics