Which version of filebeat are you using? In 5.0 the setting has been renamed from tls to ssl.
Setting up SSL/TLS can be quite a pain. I'd recommend starting with a self-signed server certificate only and disabling client authentication for the beginning.
I see your certificate contains the hostname houfan.com, but in filebeat you configured logstash by IP 192.168.147.128. In SSL/TLS the remote IP/hostname must match the one in the certificate. In case you cannot use the hostname from the filebeat machine, consider creating a certificate with the IP, or try setting both by configuring the subject alternative name (subjectAltName).
Really, really, thanks.
My filebeat version is 1.3.1, logstash version is 2.4.
I don't know how many times I have tried having a self-signed server certificate, I always get an error:
Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/server/key/server.key, :level=>:error}
These are my commands, in order:
1. get a CA
1.1 openssl genrsa -out ca.key 2048
1.2 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter"
1.3.1 mkdir demoCA
1.3.2 cd demoCA/
1.3.3 mkdir newcerts
1.3.4 touch index.txt
1.3.5 echo 01 > serial
2. get server's certificates
2.0 cd ..
2.1 openssl genrsa -out server.key 2048
2.2 openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.128"
2.3 openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
2.4 openssl verify -CAfile ca.crt server.crt
the console output after this command is: server.crt: OK
3. get client's certificates
3.1 openssl genrsa -out client.key 2048
3.2 openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.129"
3.3 openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
3.4 openssl verify -CAfile ca.crt client.crt
after this command, the console output is: client.crt: OK
4. test
4.1 open a terminal 1 and then: openssl s_server -accept 10001 -key server.key -cert server.crt
4.2 open a terminal 2 and then: openssl s_client -connect localhost:10001
I can get what I input in terminal 2 from terminal 1, and the other way round I can also get what I input in terminal 1 from terminal 2.
So I think these certificates are OK, and then I reconfigured the logstash.conf and filebeat.yml:
And finally I still get this...
Could you help me with this, please? I have searched for this error on the internet, but I got nothing.
Somebody help...
To make matters worse, there are different encoding formats for certificates and keys.
Seriously, let's start with a simple self-signed certificate for the server only (no CA involved) and get this working. We will add a CA and client authentication later.
Also consider upgrading the logstash beats input plugin, as logstash seems to have some problems with certificate chains.
Use this to generate a self-signed certificate with a private key file:
First of all, I really appreciate your help. I did exactly what you told me, but the client (filebeat) gives me an error:
ERR SSL client failed to connect with: x509: certificate has expired or is not yet valid
I think it's still the certificate generation problem: not yet valid. Really, thanks for your help. Anyway, I give up...
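The three failures reported in this thread (address not matching the certificate, key not in PKCS8 format, certificate outside its validity period) can each be checked with openssl before logstash or filebeat is started. The script below is an added example, not a command from any post in the thread; the function names `make_cert` and `check_pair` and the file names are assumptions, and the IP is the one quoted above.

```shell
#!/bin/sh
# Added example. Function and file names are assumptions, not from the thread.

# make_cert DIR IP: self-signed server certificate (no CA) whose
# subjectAltName holds the IP the client connects to, plus a copy of the
# key re-encoded as unencrypted PKCS#8 ("BEGIN PRIVATE KEY" header).
make_cert() {
    dir=$1 ip=$2
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $ip
[ext]
subjectAltName = IP:$ip
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 365 -key "$dir/server.key" \
        -config "$dir/san.cnf" -out "$dir/server.crt" &&
    openssl pkcs8 -topk8 -nocrypt -in "$dir/server.key" \
        -out "$dir/server.pkcs8.key"
}

# check_pair CRT KEY IP: prints one line per problem, returns 1 if any.
# The validity test uses the local clock, so run it on both machines:
# each side compares notBefore/notAfter with its own time.
check_pair() {
    crt=$1 key=$2 ip=$3 rc=0
    [ "$(head -n 1 "$key")" = "-----BEGIN PRIVATE KEY-----" ] ||
        { echo "key is not unencrypted PKCS#8"; rc=1; }
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$ip" ||
        { echo "subjectAltName lacks IP:$ip"; rc=1; }
    openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || {
        echo "does not verify with this machine's clock ($(date -u)):"
        openssl x509 -in "$crt" -noout -dates; rc=1; }
    return $rc
}

# Usage (constructed values):
#   make_cert . 192.168.147.128
#   check_pair server.crt server.pkcs8.key 192.168.147.128
```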