Http_poller certificate error

Hello Team,

I have a URL to be used as input of Logstash and the output to be saved as a file. I am getting no data in my output file if I use CSV and getting an http_request_failure message as data if I use JSON.

Kindly help me with troubleshooting the cert issue. I get "keytool error: java.lang.Exception: Input not an X.509 certificate" when I convert the self-signed CA cert into a JKS as per the document, so I could not use a truststore.

Below is the error message inside the output JSON file.

"http_request_failure":{"runtime_seconds":0.015593000000000001,"name":"minemeld","request":{"cacert":"/opt/CA.cert","method":"get","url":"https://192.168.56.30/feeds/DARP-output-feedgreen?tr=1&v=json"},"error":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","backtrace":null},"@version":"1","@timestamp":"2019-04-03T14:36:30.591Z","tags":["_http_request_failure"]}

My conf file:

input {
  http_poller {
    schedule => { "every" => "2s" }
    urls => {
      minemeld => {
        method => GET
        url => "https://192.168.56.30/feeds/DARP-output-feedgreen?tr=1&v=json"
        cacert => "/opt/CA.cert"
      }
    }
  }
}
output {
  file {
    path => "/tmp/darpintel.json"
  }
}

The error message shows that there is an issue with the certificate and the trust path cannot be established.

Which steps did you take to create the certificate and which document did you use here?

The cacert should be an X.509 certificate in the .pem format as per the documentation.

Hello @Janko - Thanks for the details. I tried cacert => /etc/nginx/minemeld.pem and also tried cacert => /etc/nginx/minemeld.cer, but I get the below error message in the output JSON file.

{"http_request_failure":{"runtime_seconds":0.014555,"name":"minemeld","request":{"cacert":"/etc/nginx/minemeld.cer","method":"get","url":"https://192.168.56.30/feeds/DARP-output-feedgreen?tr=1&v=json"},"error":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","backtrace":null},"@version":"1","@timestamp":"2019-04-04T00:44:23.440Z","tags":["_http_request_failure"]}

I could not use a truststore because I get "keytool error: java.lang.Exception: Input not an X.509 certificate" when trying the below one-liner as per the document.

# -connect takes host:port, not a URL; 443 is the port implied by https:// in the feed URL.
# With a URL here s_client fails, downloaded_cert.pem is left empty, and keytool then
# reports "Input not an X.509 certificate".
openssl s_client -showcerts -connect 192.168.56.30:443 </dev/null 2>/dev/null | openssl x509 -outform PEM > downloaded_cert.pem; keytool -import -alias test -file downloaded_cert.pem -keystore downloaded_truststore.jks
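The "Input not an X.509 certificate" message from keytool, and the PKIX error from http_poller, are both easier to trace once you know what the file being handed over actually is. The script below is an added diagnostic, not code from this thread, from Logstash or from the JDK: it classifies a candidate cacert/truststore input by its container format (PEM armor, base64, outer DER SEQUENCE) and converts a binary .cer to the .pem form http_poller expects. It checks structure only, not the certificate's fields or chain, and the sample inputs (including a five-byte DER stand-in for a certificate body) are constructed for the demonstration. An s_client command whose -connect argument is a URL rather than host:port produces an empty output file, which this classifier reports as "empty".

```python
"""Added diagnostic for files handed to http_poller's `cacert` option or to
`keytool -import`. Not code from the thread, Logstash or the JDK.

Checks only the container format (PEM armor, base64, outer DER SEQUENCE), which
is what fails when the file is empty or is not a certificate at all. It does not
parse or validate the certificate's contents. Standard library only.
"""
import base64
import binascii
import re

# One PEM block; the label on the BEGIN line must match the END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def der_is_single_sequence(der: bytes) -> bool:
    """True if `der` is exactly one ASN.1 SEQUENCE whose encoded length covers
    the whole buffer. Every X.509 certificate is such a SEQUENCE; an empty file,
    an HTML error page or a truncated download is not."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in 7 bits
        length, header = first, 2
    else:                                 # long form: low bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def classify_cert_file(data: bytes) -> str:
    """Return a short tag for `data`: 'empty', 'pem-certificate:<n>',
    'pem-not-certificate:<labels>', 'pem-bad-base64', 'pem-bad-der',
    'der-certificate' or 'unrecognized'."""
    if not data.strip():
        return "empty"                    # e.g. output of a failed openssl s_client
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode("ascii") for label, _ in blocks]
        if any(label != "CERTIFICATE" for label in labels):
            # A PRIVATE KEY or CERTIFICATE REQUEST was supplied instead of the CA cert.
            return "pem-not-certificate:" + ",".join(labels)
        for _, body in blocks:
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except (binascii.Error, ValueError):
                return "pem-bad-base64"
            if not der_is_single_sequence(der):
                return "pem-bad-der"
        return "pem-certificate:%d" % len(blocks)
    if der_is_single_sequence(data):
        return "der-certificate"          # binary .cer: needs converting for cacert =>
    return "unrecognized"


def der_to_pem(der: bytes, label: bytes = b"CERTIFICATE") -> bytes:
    """Wrap a DER blob in PEM armor with 64-column base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b"\n".join(lines), label)


# Constructed stand-in for a certificate body: SEQUENCE { INTEGER 1 }. It has the
# outer shape of a certificate and nothing else; a real one is hundreds of bytes.
FAKE_DER = b"\x30\x03\x02\x01\x01"

# Constructed inputs mirroring what ends up in a cacert path during troubleshooting.
SAMPLES = {
    "empty s_client output": b"",
    "pem cert": der_to_pem(FAKE_DER),
    "binary .cer": FAKE_DER,
    "private key pasted": der_to_pem(FAKE_DER, b"PRIVATE KEY"),
    "html error page": b"<html><body>404</body></html>\n",
}


def classify_samples() -> dict:
    """Classify every constructed sample; used by the demo and the tests."""
    return {name: classify_cert_file(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:24s} -> {result}")
```

To use it on a real file, read it in binary mode and pass the bytes to classify_cert_file; anything other than "pem-certificate:<n>" explains the keytool error on its own, and "der-certificate" means the file should go through der_to_pem before being referenced from cacert =>.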

Hello @Janko - Kindly let me know any method to fix the above-mentioned issue.
How do I use a truststore with my self-signed URL? I get "keytool error: java.lang.Exception: Input not an X.509 certificate".

If I use the CA cert (.pem) I get the below error message in the output field.

{"http_request_failure":{"runtime_seconds":0.014555,"name":"minemeld","request":{"cacert":"/etc/nginx/minemeld.cer","method":"get","url":"https://192.168.56.30/feeds/DARP-output-feedgreen?tr=1&v=json"},"error":"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","backtrace":null},"@version":"1","@timestamp":"2019-04-04T00:44:23.440Z","tags":["_http_request_failure"]}

Hello @Janko @Badger - Kindly help me with the above certificate issue.

Hello All,

Still I could not get a resolution for the certificate error on my self-signed URL. Any help would be really useful.

@Badger @Janko @A_B

Hi @HaranKumar,

First off, your message board etiquette leaves a lot to be desired. I think Janko and Badger have been members longer than I have and might have stricter personal rules not to reply when directly mentioned. All of us answer voluntarily on questions that are somehow interesting and where our knowledge might be of help to others.

Anyway, back to your problem. You are using an IP as the host name. You could generate self-signed SSL certs for that but it is definitely not recommended.

Maybe try e.g. this to generate an SSL cert for a domain name: http://www.selfsignedcertificate.com/
If you can't add the domain to DNS you can add the domain to /etc/hosts.

If you are doing this on a private network, why do you use HTTPS at all? I know, it is still good practice to always encrypt your traffic but still. Get it working over plain HTTP first and then figure out HTTPS and SSL certs.

Thanks @A_B. - I was not aware of the rule not to directly mention names. Apologies.

Regards,

Haran

I was talking about personal rules when it comes to direct mentions. Generally there is https://www.elastic.co/community/codeofconduct

I did not mean to be rude. Monday morning... Members here are happy to help.

Returning to the technical issue you are having.

curl -Iv https://192.168.56.30 should show you the state of the SSL cert. When you use a self-signed certificate you also have to specify --cacert <CA certificate>.

Or you can use openssl. There is no point in expecting Logstash to connect successfully before curl or openssl are successful connecting.

The above might not work so well for this situation as you do not have access to the CA cert... And it seems that there is no option to use http_poller without verifying the SSL cert...

Personally, I would use HTTP unless you have a private CA setup that will let you easily issue new self-signed SSL certs, or if you already have SSL certs from a trusted CA.
