Hello -- We are attempting to implement SSL for Logstash (5.4.2) / Winlogbeat as per Securing Communication With Logstash by Using SSL. Just focusing on the server-side SSL for now; client-side / mutual authentication is our ultimate objective.
Any ideas on how to resolve this error?
[2017-07-31T12:50:06,702][ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/ssl/logstash.p8}
Using OpenSSL (1.1.0f) with default configuration file to create certificate and private key as well as to convert the private key to PKCS8 format:
openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout logstash.key -out logstash.crt
openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.p8
-rw-r--r-- 1 root root 1233 Jul 31 12:46 logstash.crt
-rw------- 1 root root 1704 Jul 31 12:46 logstash.key
-rw------- 1 root root 1704 Jul 31 12:46 logstash.p8
The logstash configuration file (/etc/logstash/conf.d/inputConfig.conf) contains the following entries:
input {
  beats {
    port => 5044
    type => "%{[@metadata][beat]}"
    ssl => true
    ssl_certificate => "/etc/logstash/ssl/logstash.crt"
    ssl_key => "/etc/logstash/ssl/logstash.p8"
  }
}
The certificate / key contents:
openssl x509 -in logstash.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: e5:ad:07:a0:00:ca:2c:ea
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Jul 31 11:46:07 2017 GMT
            Not After : Jul 29 11:46:07 2027 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:be:0b:81:c4:aa:95:40:b9:af:e5:38:71:77:
                    [snip]
                    49:db:32:df:35:81:77:5f:ce:bf:2b:59:e9:66:8a:
                    b1:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2E:D5:9B:4D:A1:68:E5:13:BC:AC:20:91:27:52:4E:80:B2:F3:C2:A5
            X509v3 Authority Key Identifier:
                keyid:2E:D5:9B:4D:A1:68:E5:13:BC:AC:20:91:27:52:4E:80:B2:F3:C2:A5
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [snip]
         4a:81:80:35
-----BEGIN CERTIFICATE-----
[snip]
-----END CERTIFICATE-----
openssl rsa -check -in logstash.p8
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
[snip]
-----END RSA PRIVATE KEY-----
root@Logstash1:/usr/share/logstash# bin/logstash --version
logstash 5.4.2
root@Logstash1:/usr/share/logstash# openssl version
OpenSSL 1.1.0f 25 May 2017
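
An added diagnostic, not part of the original post and not Logstash or Elastic code: it classifies the key file as it sits on disk (by PEM label and ASN.1 layout, rather than by what `openssl rsa` re-emits) and checks whether a given account can read a file with the mode shown in the listing above (0600, owner root). The UID passed in stands for whatever account runs Logstash, which the post does not state; the key bytes are constructed stubs, not real keys.

```python
import base64, os, re, stat, tempfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def key_format(pem_text):
    """Classify a PEM private key: 'pkcs8', 'pkcs8-encrypted', 'pkcs1' or 'unknown'."""
    m = PEM_RE.search(pem_text)
    if not m:
        return "unknown"
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 protected by a passphrase
        return "pkcs8-encrypted"
    try:
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:
        return "unknown"
    if len(der) < 4 or der[0] != 0x30:     # outer ASN.1 SEQUENCE
        return "unknown"
    i = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)   # skip tag and length bytes
    if len(der) <= i + 3 or der[i:i + 3] != b"\x02\x01\x00":   # version INTEGER 0
        return "unknown"
    # PKCS#8: AlgorithmIdentifier SEQUENCE follows; PKCS#1: modulus INTEGER follows.
    shape = {0x30: "pkcs8", 0x02: "pkcs1"}.get(der[i + 3], "unknown")
    expected = {"PRIVATE KEY": "pkcs8", "RSA PRIVATE KEY": "pkcs1"}.get(label)
    return shape if shape == expected else "unknown"

def readable_by(path, uid, gids=()):
    """Mode-bit check only; ignores ACLs and parent-directory permissions."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def diagnose(path, uid, gids=()):
    with open(path, encoding="ascii", errors="replace") as fh:
        return {"format": key_format(fh.read()), "readable": readable_by(path, uid, gids)}

if __name__ == "__main__":
    # Constructed stub with PKCS#8 layout (not a real key); mkstemp creates it mode 0600.
    stub = base64.b64encode(bytes.fromhex("300702010030000400")).decode()
    fd, path = tempfile.mkstemp(suffix=".p8")
    os.write(fd, f"-----BEGIN PRIVATE KEY-----\n{stub}\n-----END PRIVATE KEY-----\n".encode())
    os.close(fd)
    owner = os.stat(path).st_uid
    print(diagnose(path, owner), diagnose(path, owner + 1))  # owner + 1: hypothetical service UID
    os.remove(path)
```
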