Http input with ssl

Hey guys,
I'm very happy with my current ES stack and everything works fine... except my http input with SSL on :(

If I enable SSL, there is no way to push anything to my endpoint. This is my conf:

input {
  http {
    host => "XXX.XXX.XXX.XXX"
    port => XXXX
    codec => "json"
    ssl => true
    keystore => "/etc/logstash/conf.d/ssl/keystore.jks"
    keystore_password => "xxxxxx"
    additional_codecs => {
      "application/json" => "json"
    }
    response_headers => {
      "Access-Control-Allow-Origin" => "*"
      "Content-Type" => "text/plain"
      "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
    }
    type => "js_error"
  }
}

filter {
}

output {
  if [type] == "js_error" {
    elasticsearch {
      hosts => "http://localhost:9200"
      user => "xxxxxxxx"
      password => "xxxxxxxxxxxx"
      index => "js_error"
    }
  }
}

So nothing really special or magic... my certs come from letsencrypt and the keystore is built with keytool (I hope I have added all needed certs and root certs?). But a simple curl test failed:

curl -X POST https://MY-DOMAIN:XXXX -H 'Content-Type: application/json' -d '{"message":"hello world"}'

ends in this error:

curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

Others seem to have nearly the same problems, like:

So any suggestions or tips?

greez & thx, sky...

OK, it seems I missed putting the private key into my keystore. But I can't insert my letsencrypt cert :(

letsencrypt returned me a private.key file (the header reads: -----BEGIN PRIVATE KEY-----). If I try to import this file into a keystore like this:

keytool -import -keystore keystore.jks -trustcacerts -file private.key -alias private

it ends in this error:

keytool error: java.lang.Exception: Input not an X.509 certificate

So, how can I convert my letsencrypt private key file into an x509 cert?

OK, I have done it! This is my current script:

#!/bin/sh

DOMAIN=my-domain.tld
KEYSTOREPW=swssws
LOGSTASH_SSL_CONF=/etc/logstash/conf.d/ssl/$DOMAIN
LIVE=/etc/letsencrypt/live/$DOMAIN

# Bundle the certificate and its private key into a PKCS#12 file
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
# Import that bundle (certificate + private key) into the JKS keystore
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
# Add the chain certificate as a trusted certificate entry
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

# Import the full chain and key again under the aliases glassfish-instance and s1as
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW

# List the keystore entries to check the result
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW

# Copy the finished keystore to the Logstash SSL path
sudo cp -f keystore.jks $LOGSTASH_SSL_CONF

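
The handshake failure in this thread came from a keystore that held only certificate entries. As an added example (not code from the thread), these shell functions classify `keytool -list` output and fail when no `PrivateKeyEntry` is present; the function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a keystore that holds certificates but no private key,
# the state that made the TLS handshake fail earlier in this thread.

# Reads `keytool -list` output on stdin, prints "<entry type> <alias>" per entry.
# The type is taken as the last non-empty comma-separated field, so dates that
# contain a comma ("Mar 3, 2017") do not shift it.
keystore_entries() {
  awk -F', *' '/(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry), *$/ {
    print $(NF-1), $1
  }'
}

# Exit status 0 if at least one PrivateKeyEntry is listed, 1 otherwise.
has_private_key() {
  keystore_entries | grep -q '^PrivateKeyEntry '
}

# Human-readable verdict for a listing passed as the first argument.
check_listing() {
  if printf '%s\n' "$1" | has_private_key; then
    echo "ok: keystore contains a private key entry"
  else
    echo "FAIL: certificates only, a TLS server cannot use this keystore"
    return 1
  fi
}

# Constructed sample listings (not captured from the poster's system).
BROKEN_LISTING='Your keystore contains 2 entries

private, Mar 3, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>
root, Mar 3, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>'

FIXED_LISTING='Your keystore contains 2 entries

myalias, Mar 3, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): <placeholder>
root, Mar 3, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): <placeholder>'

check_listing "$BROKEN_LISTING" || true
check_listing "$FIXED_LISTING"
```

Against a real keystore, pipe the listing in, for example `keytool -list -keystore keystore.jks | has_private_key`, and check the exit status before restarting Logstash.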