How to set the tls part in the filebeat.yml....always wrong


#1

here is my console output:

and this setting in /etc/hosts didn't work...........

here is my filebeat.yml (on|in) 192.168.147.129:

here is my logstash.conf (on|in) 192.168.147.128:

here is the command I get the certificate files:


and (on|in) 192.168.147.129, I modified CN=houfan129.com.
(on|in) 192.168.147.128, CN=houfan129.com

I am sure the problem is the tls parts and the certificate files, but I have tried many ways to produce the CA, crt, key... still error

anybody could give me the right way to make CA, crt, key... god help me
(my English is not good, I hope you can understand what I mean)
:sob:


(Steffen Siering) #2

Which version of filebeat are you using? In 5.0 the setting has been renamed from tls to ssl.

Setting up SSL/TLS can be quite a pain. I'd recommend to start by having a self-signed server certificate only and disable client authentication for the beginning.

I see your certificate contains the hostname houfan.com, but in filebeat you configured logstash by IP 192.168.147.128. In SSL/TLS the remote IP/hostname must match the one in the certificate. In case you can not use the hostname from filebeat machine, consider creating a certificate with IP or try setting both by configuring the subject alternative name (subjectAltName).


#3

really really thank
my filebeat version is 1.3.1, logstash version is 2.4
I don't know how many times I have tried having a self-signed server certificate, I always get an error:
Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/server/key/server.key, :level=>:error}

this is my command in order:
1. get a CA
1.1 openssl genrsa -out ca.key 2048
1.2 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter"
1.3.1 mkdir demoCA
1.3.2 cd demoCA/
1.3.3 mkdir newcerts
1.3.4 touch index.txt
1.3.5 echo 01 > serial
2. get server's certificates
2.0 cd ..
2.1 openssl genrsa -out server.key 2048
2.2 openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.128"
2.3 openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
2.4 openssl verify -CAfile ca.crt server.crt
the console output after this command is: server.crt: OK
3. get client's certificates
3.1 openssl genrsa -out client.key 2048
3.2 openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.129"
3.3 openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
3.4 openssl verify -CAfile ca.crt client.crt
after this command, the console output: client.crt: OK
4. test
4.1 open a terminal 1 and then:
$ openssl s_server -accept 10001 -key server.key -cert server.crt
4.2 open a terminal 2 and then:
$ openssl s_client -connect localhost:10001
I can get what I input in terminal 2 from terminal 1, and in the other direction I can also get what I input in terminal 1 from terminal 2.

so, I think these certificates are ok. and then I reconfigured the logstash.conf and filebeat.yml:

and finally I still get this........

could you help me with this.......... please :sob::sob::sob: cos I have searched this error on the internet, but nothing I got.
somebody help ......


(Steffen Siering) #4

To make matters worse, there are different encoding formats for certificates and keys.

Seriously let's start with simple self-signed certificate for server only (no CA involved) and get this working. We will add a CA and client authentication later.

Also consider upgrading the logstash beats input plugin, as logstash seems to have some problems with certificate chains.

Use this to generate a self-signed certificate with private key file:

openssl req -subj '/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.128/' -x509 -days 36500 -batch -nodes -newkey rsa:2048 -keyout server.key -out server.crt

in logstash configure:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/path/to/server.crt"
    ssl_key => "/path/to/server.key"
  }
}

and configure output in filebeat:

output:
  logstash:
    tls:
      certificate_authorities: ["/path/to/server.crt"]

Does this work for you?

Can you upgrade filebeat and/or logstash to most recent release?


#5

First of all, I really appreciate your help. I did exactly what you told me, but the client (filebeat) gives me an error:
ERR SSL client failed to connect with: x509: certificate has expired or is not yet valid

I think it's still the certificate generating problem: not yet valid. Really thanks for your help. Anyway, I give up.....

appreciate your help and kindness again.
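
Added example, not part of the original posts: a shell sketch that generates a self-signed server certificate carrying the Logstash IP in subjectAltName, converts the key to PKCS#8, and checks the three failure points raised in this thread (name match, key format, validity window). The IP is the one from the thread; the DNS name `logstash.example.test` and the file names are placeholders chosen for illustration.

```sh
#!/bin/sh
# Added example. The IP is the Logstash address from the thread; the DNS name
# and the file names are placeholders (assumptions).

# make_server_cert DIR IP DNSNAME: writes server.crt, server.key, server.pkcs8.key
make_server_cert() {
  dir=$1 ip=$2 dns=$3
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $dns
[v3_san]
subjectAltName = IP:$ip, DNS:$dns
EOF
  # Self-signed certificate whose SAN lists every address a client may dial.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$dir/san.cnf" \
    -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
  # Logstash complained the key "was not in PKCS8 format": convert, unencrypted.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/server.key" -out "$dir/server.pkcs8.key"
}

# cert_matches CRT IP: exit 0 only if the certificate is valid for that IP.
cert_matches() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# key_is_pkcs8 KEY: exit 0 if the PEM header is the PKCS#8 one.
key_is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----'
}

# cert_window CRT: print notBefore/notAfter beside this host's clock (UTC).
cert_window() {
  openssl x509 -in "$1" -noout -startdate -enddate
  echo "now=$(date -u)"
}

d=$(mktemp -d)
make_server_cert "$d" 192.168.147.128 logstash.example.test
cert_matches "$d/server.crt" 192.168.147.128 && echo "IP SAN matches"
key_is_pkcs8 "$d/server.pkcs8.key" && echo "key is PKCS#8"
cert_window "$d/server.crt"
```

With these files, `ssl_key` in the beats input would point at `server.pkcs8.key` and filebeat would list `server.crt` under `certificate_authorities`. Running `cert_window` on the filebeat host shows whether that machine's clock falls inside the certificate's validity window, which is what the x509 error in #5 is evaluated against.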

