Logstash (5.4.2) / Winlogbeat / SSL - File does not contain valid private key


#1

Hello -- We are attempting to implement SSL for Logstash (5.4.2) / Winlogbeat as per Securing Communication With Logstash by Using SSL. Just focusing on the server-side SSL for now; client-side / mutual authentication is our ultimate objective.

Any ideas on how to resolve this error?

[2017-07-31T12:50:06,702][ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/ssl/logstash.p8}

Using OpenSSL (1.1.0f) with default configuration file to create certificate and private key as well as to convert the private key to PKCS8 format:

openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout logstash.key -out logstash.crt
openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.p8

-rw-r--r-- 1 root root 1233 Jul 31 12:46 logstash.crt
-rw------- 1 root root 1704 Jul 31 12:46 logstash.key
-rw------- 1 root root 1704 Jul 31 12:46 logstash.p8


The logstash configuration file (/etc/logstash/conf.d/inputConfig.conf) contains the following entries:

input {
  beats {
    port => 5044
    type => "%{[@metadata][beat]}"
    ssl => true
    ssl_certificate => "/etc/logstash/ssl/logstash.crt"
    ssl_key => "/etc/logstash/ssl/logstash.p8"
  }
}

The certificate / key contents:

openssl x509 -in logstash.crt -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:ad:07:a0:00:ca:2c:ea
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Validity
            Not Before: Jul 31 11:46:07 2017 GMT
            Not After : Jul 29 11:46:07 2027 GMT
        Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:be:0b:81:c4:aa:95:40:b9:af:e5:38:71:77:
                    [snip]
                    49:db:32:df:35:81:77:5f:ce:bf:2b:59:e9:66:8a:
                    b1:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2E:D5:9B:4D:A1:68:E5:13:BC:AC:20:91:27:52:4E:80:B2:F3:C2:A5
            X509v3 Authority Key Identifier:
                keyid:2E:D5:9B:4D:A1:68:E5:13:BC:AC:20:91:27:52:4E:80:B2:F3:C2:A5

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         [snip]
         4a:81:80:35

openssl rsa -check -in logstash.p8

RSA key ok
writing RSA key

root@Logstash1:/usr/share/logstash# bin/logstash --version
logstash 5.4.2

root@Logstash1:/usr/share/logstash# openssl version
OpenSSL 1.1.0f 25 May 2017
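
An added example, not part of the original post: because `openssl rsa -check` reads both traditional (PKCS#1) and PKCS#8 input, "RSA key ok" says nothing about the container format the error message names, so this sketch reports the PEM label and the DER structure of a key file directly. The function names (`read_tlv`, `classify_key`, `der_el`, `pem`) are hypothetical, and the two samples are constructed toy structures, not real keys.

```python
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (real 2048-bit keys)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(pem_text):
    """Return (pem_label, der_structure) for the first PEM block in the text."""
    m = PEM_RE.search(pem_text)
    if not m:
        return None, "no PEM block"
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return label, "encrypted PKCS#8"
    try:
        raw = base64.b64decode("".join(m.group(2).split()))
        tag, start, _ = read_tlv(raw, 0)
        if tag != 0x30:
            return label, "not a DER SEQUENCE"
        _, _, ver_end = read_tlv(raw, start)   # skip the version INTEGER
        second_tag = raw[ver_end]
    except (ValueError, IndexError):
        return label, "malformed"
    # PKCS#8 PrivateKeyInfo: version, then AlgorithmIdentifier (SEQUENCE, 0x30).
    # PKCS#1 RSAPrivateKey:  version, then modulus (INTEGER, 0x02).
    return label, {0x30: "PKCS#8", 0x02: "PKCS#1"}.get(second_tag, "unknown")

def der_el(tag, body):
    """Encode one short-form DER element (used only for the samples below)."""
    return bytes([tag, len(body)]) + body

def pem(label, body):
    return f"-----BEGIN {label}-----\n{base64.b64encode(body).decode()}\n-----END {label}-----\n"

# Constructed samples with toy numbers: same layout as real keys, not usable keys.
PKCS1 = der_el(0x30, der_el(0x02, b"\x00") + der_el(0x02, b"\x00\xb9\xbe") + der_el(0x02, b"\x01\x00\x01"))
PKCS8 = der_el(0x30, der_el(0x02, b"\x00") + der_el(0x30, der_el(0x06, RSA_OID) + der_el(0x05, b"")) + der_el(0x04, PKCS1))

if __name__ == "__main__":
    for path in sys.argv[1:]:              # e.g. the ssl_key file from the beats input
        print(path, classify_key(open(path).read()))
```

A label of `PRIVATE KEY` with structure `PKCS#8` is the unencrypted PKCS#8 form that the error message asks for; any other result points at the key file's format rather than at the Logstash configuration.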


#2

A co-worker discovered that OpenSSL 1.1.0f on our Debian 9 (Stretch) Logstash server box (Debian 4.9.30-2+deb9u1 (2017-06-18) x86_64) was the source of our SSL certificate/key problem.

Another co-worker created the necessary certificates and keys on a different Debian 8 (Jessie) box with OpenSSL 1.0.1t and copied the certificates/keys to our Debian 9 (Stretch) Logstash server. We no longer see the errors reported in this issue.

Companion issue: PKI between Logstash and Winlogbeat

