I'm struggling to get the http_poller working with a piece of equipment running a self-signed cert. I've created the cert with the following command:
openssl s_client -showcerts -connect 192.168.1.35:443 </dev/null 2>/dev/null|openssl x509 -outform PEM > downloaded_cert.pem; keytool -import -alias test -file downloaded_cert.pem -keystore downloaded_truststore.jks
Logstash generates the following error: "error" => "Host name '192.168.1.35' does not match the certificate subject provided by the peer (CN=*.device.maker.com, OU=maker, O=\"maker, INC.\", L=somewhere, ST=somewhere, C=US)"
I know very little about certificates but it looks like the error is caused by the device having 192.168.1.35 assigned as its IP but the cert having a wildcard for *.device.maker.com?
Is there any way to work around this? Changing the cert is not possible. curl -k works fine but it seems such an option is not available for the http_poller.
Can you connect to the device via a domain name that matches? A potential workaround could be to add an entry in your machine's hosts file pointing to that IP if you don't have a real DNS entry for it.
The http_poller input plugin does not presently have an option to ignore certificate validation.
I did try adding 192.168.1.35 device.maker.com to the hosts file of the device running Logstash, but that gave me the same error. Maybe I did something wrong; I'll give that another try.
Generally, SSL certs contain hostnames, not IPs. Try using the hostname of the device; it may not work, though. I haven't done much of anything with Java keystores, so I don't quite know where this error is at in the process, but you probably need to import the self-signed cert into the Java keystore.
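An added illustration, not part of any post above and not Logstash's or the plugin's own code: a simplified model of RFC 6125-style hostname matching, applied to the CN from the error message in the thread. The label `unit1` is a made-up hostname, and the certificate is assumed to carry no IP subjectAltName entries.

```python
import ipaddress

def is_ip(host):
    """True if the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def wildcard_match(pattern, host):
    """'*' is honoured only as the whole left-most label and covers exactly one label.
    Partial wildcards such as 'f*.example.com' are treated as literals here."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # '*' never spans zero labels or several labels
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def host_matches_cert(host, dns_names, ip_sans=()):
    """An IP literal is compared only with IP entries, a DNS name only with DNS names."""
    if is_ip(host):
        addr = ipaddress.ip_address(host)
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    return any(wildcard_match(name, host) for name in dns_names)

# Name taken from the error message in the thread.
CERT_NAMES = ["*.device.maker.com"]

if __name__ == "__main__":
    # Candidate URL hosts; 'unit1' is a hypothetical label chosen for the example.
    for candidate in ("192.168.1.35", "device.maker.com",
                      "unit1.device.maker.com", "a.b.device.maker.com"):
        verdict = "match" if host_matches_cert(candidate, CERT_NAMES) else "no match"
        print(f"{candidate:26} {verdict}")
```

Under this model the bare `device.maker.com` does not satisfy the `*.device.maker.com` wildcard any more than the IP does; only a name with exactly one extra label in front of it matches, and that name has to be the host in the polled URL.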