Hey there,
I've been following this guide to get an ELK stack up and running - https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-elk-stack-on-ubuntu-14-04
However, I don't want to set up PKI stuff as defined in the guide (skip to Generate SSL Certificates) - I want to use a public certificate, in this case from Let's Encrypt.
They want me to use this command: sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
So instead I used acme.sh and DNS validation to generate a certificate for my Logstash target - let's call it logstash.company.com - easy, right? Now I have a bunch of certificates:
letsencrypt@elk:~/.acme.sh/logstash.company.com$ ls
ca.cer logstash.company.com.csr
fullchain.cer logstash.company.com.key
logstash.company.com.cer logstash.company.com.ssl.conf
logstash.company.com.conf
In the Logstash config "2-beats-input.conf" (as in the guide) I set ssl_certificate and ssl_key to the keys and cert I just generated:
ssl_certificate => "/etc/logstash/ssl/logstash.company.com.cer"
ssl_key => "/etc/logstash/ssl/logstash.company.com.key"
Logstash appears to act like everything is fine.
Finally, it came time to set up Filebeat and this is where it fell apart.
I copied the cert (logstash.company.com.cer) to another server, which we'll call web1. I configured it as in the guide, and copied the cert to "/etc/pki/tls/certs/logstash-forwarder.crt".
I followed the rest of the guide as-is. I thought it was a little odd, however, that it said to set the certificate as "certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]"
Anyways, I think I've tracked down the issue - regardless of whether or not I set certificate_authorities to the cert, I get this error in Filebeat's logs (I set log level to WARNING):
2016-07-19T13:29:34Z ERR SSL client failed to connect with: x509: certificate signed by unknown authority
It's a standard certificate from Let's Encrypt, which ought to be trusted. Maybe I need to copy ca.cer and use that instead?
Sorry for the sort of rambling text. I'm just tearing my hair out trying to get this to work.
EDIT: I have tried using fullchain.cer instead, but the issue remains - x509: certificate signed by unknown authority. I also double-checked that the cert is using the real CA and not the staging/"fake" CA:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
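Added example (not part of the post above, and not Filebeat's or Logstash's own code): a small, standard-library-only Python checker for the two PEM files in play here, the file Logstash serves via ssl_certificate and the file Filebeat is handed as certificate_authorities. It splits a PEM bundle, walks enough DER to read each certificate's subject CN, issuer CN and Basic Constraints CA flag, and then reports whether the bundle can act as a trust anchor (contains at least one CA certificate) and whether it is a usable server chain (leaf first, each following certificate the issuer of the one before). The sample certificates are constructed in-code with a tiny DER encoder; they are unsigned stand-ins with made-up names, not real Let's Encrypt certificates, and the hostname logstash.company.com is the placeholder from the post.

```python
"""Inspect PEM bundles for the two TLS roles in a Beats -> Logstash setup.
Constructed sample data; no real certificates or keys are embedded."""
import base64
import re

OID_CN = bytes.fromhex("550403")     # 2.5.4.3  commonName
OID_BASIC = bytes.fromhex("551d13")  # 2.5.29.19 basicConstraints
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


# --- minimal DER (ASN.1 TLV) reader; single-byte tags are enough for X.509 ---
def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        out.append((tag, value))
    return out


def _common_name(name_body):
    for _, rdn_set in _children(name_body):            # Name = SEQ of SET
        for _, atv in _children(rdn_set):              # SET of SEQ(oid, value)
            oid, value = _children(atv)
            if oid[1] == OID_CN:
                return value[1].decode("utf-8", "replace")
    return ""


def _is_ca(ext_body):
    for _, ext in _children(_children(ext_body)[0][1]):  # [3] { SEQ { SEQ ext } }
        parts = _children(ext)                           # oid, [critical], OCTET STRING
        if parts[0][1] == OID_BASIC:
            fields = _children(_children(parts[-1][1])[0][1])  # BasicConstraints SEQ
            return any(t == 0x01 and v == b"\xff" for t, v in fields)  # cA BOOLEAN
    return False


def describe_cert(der):
    """Return subject CN, issuer CN and CA flag of one DER certificate."""
    (_, cert_body), = _children(der)
    (_, tbs_body), _sigalg, _sig = _children(cert_body)
    fields = _children(tbs_body)
    if fields[0][0] == 0xA0:                 # optional [0] version
        fields = fields[1:]
    ext = next((v for t, v in fields if t == 0xA3), b"")
    return {"subject": _common_name(fields[4][1]),
            "issuer": _common_name(fields[2][1]),
            "is_ca": _is_ca(ext) if ext else False}


def load_bundle(pem_text):
    return [describe_cert(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]


def ok_as_certificate_authorities(pem_text):
    """Filebeat side: the file must hold at least one CA certificate to anchor a chain."""
    return any(c["is_ca"] for c in load_bundle(pem_text))


def server_chain_status(pem_text):
    """Logstash side: leaf first, then each issuer in order (what fullchain.cer provides)."""
    certs = load_bundle(pem_text)
    if not certs or certs[0]["is_ca"]:
        return "no-leaf-first"
    for prev, nxt in zip(certs, certs[1:]):
        if nxt["subject"] != prev["issuer"] or not nxt["is_ca"]:
            return "broken-chain"
    return "complete" if len(certs) > 1 else "leaf-only"


# --- constructed, unsigned sample certificates (assumption: names are made up) ---
def _tlv(tag, body):
    n = len(body)
    ln = bytes([n]) if n < 128 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + ln + body


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_CN) + _tlv(0x0C, cn.encode()))))


def fake_cert(subject, issuer, is_ca):
    bc = _tlv(0x30, _tlv(0x01, b"\xff") if is_ca else b"")
    ext = _tlv(0xA3, _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_BASIC) + _tlv(0x04, bc))))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + _name(issuer) + _tlv(0x30, b"") + _name(subject) + _tlv(0x30, b"") + ext)
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))  # empty sigalg, dummy sig
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()


SAMPLE_ROOT = fake_cert("Constructed Root", "Constructed Root", True)
SAMPLE_INT = fake_cert("Constructed Intermediate", "Constructed Root", True)
SAMPLE_LEAF = fake_cert("logstash.company.com", "Constructed Intermediate", False)

if __name__ == "__main__":
    print("leaf as certificate_authorities:", ok_as_certificate_authorities(SAMPLE_LEAF))
    print("ca bundle as certificate_authorities:", ok_as_certificate_authorities(SAMPLE_INT + SAMPLE_ROOT))
    print("leaf-only server file:", server_chain_status(SAMPLE_LEAF))
    print("fullchain-style server file:", server_chain_status(SAMPLE_LEAF + SAMPLE_INT))
```

Run against real files by reading them into `load_bundle` (for example `open("/etc/logstash/ssl/fullchain.cer").read()`): a leaf-only `.cer` reports `leaf-only` as a server file and `False` as a trust anchor file, which is the combination to rule out first when a Go client such as Filebeat reports "certificate signed by unknown authority".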