Hey guys,
I'm very happy with my current ES stack and everything works fine... except my http input with SSL on.
If I enable SSL, there is no way to push anything to my endpoint. This is my conf:
input {
    http {
        host => "XXX.XXX.XXX.XXX"
        port => XXXX
        codec => "json"
        ssl => true
        keystore => "/etc/logstash/conf.d/ssl/keystore.jks"
        keystore_password => "xxxxxx"
        additional_codecs => {
            "application/json" => "json"
        }
        response_headers => {
            "Access-Control-Allow-Origin" => "*"
            "Content-Type" => "text/plain"
            "Access-Control-Allow-Headers" => "Origin, X-Requested-With, Content-Type, Accept"
        }
        type => "js_error"
    }
}
filter {
}
output {
    if [type] == "js_error" {
        elasticsearch {
            hosts => "http://localhost:9200"
            user => "xxxxxxxx"
            password => "xxxxxxxxxxxx"
            index => js_error
        }
    }
}
So nothing really special or magic... my certs come from letsencrypt and the keystore is built with keytool (I hope I have added all needed certs and root certs?). But a simple curl test failed:
curl -X POST https://MY-DOMAIN:XXXX -H 'Content-Type: application/json' -d '{"message":"hello world"}'
ends in this error:
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
Others seem to have nearly the same problem, like:
So, any suggestions or tips?
greez & thx, sky...
OK, it seems I missed the private key in my keystore, but I can't insert my letsencrypt cert.
letsencrypt returned me a private.key file (header reads: -----BEGIN PRIVATE KEY-----). If I try to import this file into a keystore like this:
keytool -import -keystore keystore.jks -trustcacerts -file private.key -alias private
it ends in this error:
keytool error: java.lang.Exception: Input not an X.509 certificate
So, how can I convert my letsencrypt private key file into an x509 cert?
OK, I have done it! This is my current script:
#!/bin/sh
DOMAIN=my-domain.tld
KEYSTOREPW=swssws
LOGSTASH_SSL_CONF=/etc/logstash/conf.d/ssl/$DOMAIN
LIVE=/etc/letsencrypt/live/$DOMAIN
sudo openssl pkcs12 -export -in $LIVE/cert.pem -inkey $LIVE/privkey.pem -out cert_and_key.p12 -name myalias -CAfile $LIVE/chain.pem -caname root -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -alias myalias -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
# keytool -import takes -storepass; the -src*/-dest* options belong to -importkeystore
sudo keytool -import -noprompt -trustcacerts -alias root -file $LIVE/chain.pem -keystore keystore.jks -storepass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name glassfish-instance -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias glassfish-instance -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo openssl pkcs12 -export -in $LIVE/fullchain.pem -inkey $LIVE/privkey.pem -out pkcs.p12 -name s1as -password pass:$KEYSTOREPW
sudo keytool -importkeystore -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -alias s1as -srcstorepass $KEYSTOREPW -deststorepass $KEYSTOREPW -destkeypass $KEYSTOREPW
sudo keytool -list -keystore keystore.jks -storepass $KEYSTOREPW
sudo cp -f keystore.jks $LOGSTASH_SSL_CONF
1 Like
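The missing private key described in the second post shows up in `keytool -list` output as a keystore holding only `trustedCertEntry` lines. The following is an added example, not part of the original thread, that checks a listing for a `PrivateKeyEntry`; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the entries in `keytool -list` output read on stdin.
# Real use: keytool -list -keystore keystore.jks | has_private_key

# Print "alias<TAB>entry type" for every keystore entry line.
keystore_entries() {
    awk '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[ \t]*$/ {
        line = $0
        sub(/,[ \t]*$/, "", line)      # drop the trailing comma
        n = split(line, f, ", ")       # the date field contains a comma too
        print f[1] "\t" f[n]           # first field = alias, last = type
    }'
}

# Succeed only if some entry holds a private key; a keystore with nothing
# but trustedCertEntry lines cannot serve TLS.
has_private_key() {
    keystore_entries | grep -q "$(printf '\t')PrivateKeyEntry\$"
}

# Constructed sample: only certificates were imported with `keytool -import`.
sample_certs_only() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

root, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (constructed)
EOF
}

# Constructed sample: the PKCS#12 bundle was imported with -importkeystore.
sample_with_key() {
    cat <<'EOF'
Your keystore contains 2 entries

myalias, Jan 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:11:11:11 (constructed)
root, Jan 17, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00 (constructed)
EOF
}

for s in sample_certs_only sample_with_key; do
    if $s | has_private_key; then echo "$s: has a private key"
    else echo "$s: certificates only, TLS handshake will fail"; fi
done
```

Piping the real listing in without `-storepass` makes keytool prompt for the password instead of exposing it in the process list.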
Closed
February 14, 2018, 1:53pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.