Logstash and PKCS#12 format

Hi,

Running ELK 7.9

I am in the process of securing my ELK nodes and I have been struggling with the security settings for the last few days. After spending some time on this, I finally have Elasticsearch and Kibana configured for secure connection and both using certificates in PKCS#12 format.

Most of the documentation found around the web explains how to configure Kibana to use only PEM format, and the same goes for Logstash, but I was wondering if, like Kibana, Logstash is now able to handle PKCS#12. I would like to use the PKCS#12 format (if possible) to make my config simpler.

  • Is Logstash now able to handle PKCS#12 format?
    If YES, please help me with the right steps and config sample.

Documentation used

https://www.elastic.co/guide/en/elasticsearch/reference/7.9/configuring-tls.html#tls-http
https://www.elastic.co/guide/en/logstash/current/ls-security.html


Thank you

This is the current config that I am trying, but it is not working so far...

  • My truststore is not password protected at the moment (password is an empty string)

logstash.yml

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.hosts: ["https://localhost:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "*******************"
xpack.monitoring.elasticsearch.ssl.truststore.path: "/etc/logstash/certs/elastic-certificates.p12"
xpack.monitoring.elasticsearch.ssl.keystore.path: "/etc/logstash/certs/elastic-certificates.p12"
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

Pipeline config file

 output {
       elasticsearch {
        hosts => "https://127.0.0.1:9200"
        index => "[some index]"
        template_overwrite => true
        template => "[some template]"
        user => "logstash_internal"
        password => "******************"
        keystore => "/etc/logstash/certs/elastic-certificates.p12"
        truststore => "/etc/logstash/certs/elastic-certificates.p12"
        }
 }

Log output

[2020-08-26T13:13:14,528][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.9.0", "jruby.version"=>"jruby 9.2.12.0 (2.5.7) 2020-07-01 db01a49ba6 OpenJDK 64-Bit Server VM 11.0.8+10-post-Debian-1deb10u1 on 11.0.8+10-post-Debian-1deb10u1 +indy +jit [linux-x86_64]"}
[2020-08-26T13:13:15,912][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"undefined method `toCharArray' for nil:NilClass"}
[2020-08-26T13:13:15,948][ERROR][logstash.monitoring.internalpipelinesource] Failed to fetch X-Pack information from Elasticsearch. This is likely due to failure to reach a live Elasticsearch cluster.
[2020-08-26T13:13:19,009][INFO ][org.reflections.Reflections] Reflections took 30 ms to scan 1 urls, producing 22 keys and 45 values
[2020-08-26T13:13:19,631][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2020-08-26T13:13:19,848][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-08-26T13:13:24,903][INFO ][logstash.runner          ] Logstash shut down.
[2020-08-26T13:13:24,922][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

Update

I have been trying the PEM/CRT format. I keep the certificate in .pk12 format that works great for Elasticsearch and Kibana, and then extract the cert and key in PEM format for Logstash.

For key

sudo openssl pkcs12 -in /etc/elasticsearch/certs/elastic-stack-ca.p12 -out /etc/elasticsearch/certs/elastic-stack-ca.key -nodes -nocerts

For cert

sudo openssl pkcs12 -in /etc/elasticsearch/certs/elastic-stack-ca.p12 -out /etc/elasticsearch/certs/elastic-stack-ca-public.crt -nokeys
sudo openssl pkcs12 -in /etc/elasticsearch/certs/elastic-stack-ca.p12 -out /etc/elasticsearch/certs/elastic-stack-ca-public.pem -clcerts -nokeys -chain

Logstash is able to connect to Elasticsearch for monitoring and to process the pipelines using a security certificate (either .cert or .pem), but only if I disable the verification in both settings:

logstash.yml

xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

Pipeline config file

ssl_certificate_verification => false

So, Logstash seems to be working with the certificates (somehow), but I get warnings due to the verification being disabled, which is risky:

[2020-08-27T15:07:08,081][WARN ][logstash.outputs.elasticsearch][main] ** WARNING ** Detected UNSAFE options in elasticsearch output configuration!
** WARNING ** You have enabled encryption but DISABLED certificate verification.
** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true

Am I doing something wrong?
I would like to use .pk12 format for all configs, but it looks like Logstash can't handle that format yet. So for this one I have to use the other format, but I would like to use at least the minimal verification.

Can someone help me?

Thank you

Update

This thread describes my issue as I'm having the same issue with the "CN=instance", but I am running Elasticsearch, Kibana and Logstash on the same machine, and users access Kibana by IP address (https://IP_address:5601), so I don't have an FQDN.

Logstash connects to Elasticsearch using localhost or 127.0.0.1

xpack.monitoring.elasticsearch.hosts: ["https://127.0.0.1:9200"]

elasticsearch {
     hosts => "https://127.0.0.1:9200"

What should I put after --dns? Should I use the IP address when generating the cert?

bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns IP_address

Thank you
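
An added example, not part of the original posts: when certificate verification includes the hostname check, the client compares the address it connects to (here `127.0.0.1` or `localhost`) with the names in the server certificate, so it is worth checking which names a certificate covers before re-enabling verification. The script builds two throwaway self-signed certificates as constructed stand-ins and tests them with `openssl x509 -checkip` / `-checkhost`; the file names and the `make_cert` and `san_covers` helpers are assumptions for illustration.

```shell
#!/bin/sh
# Added example: which connection targets does a certificate actually cover?
# Certificates here are constructed test data, not the poster's files.

# make_cert PREFIX [SAN]: throwaway self-signed cert with CN=instance,
# optionally with a subjectAltName list such as "IP:127.0.0.1,DNS:localhost".
make_cert() {
    prefix=$1
    san=$2
    set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
           -keyout "$prefix.key" -out "$prefix.crt"
    if [ -n "$san" ]; then
        set -- "$@" -addext "subjectAltName=$san"
    fi
    openssl req "$@" 2>/dev/null
}

# san_covers CERT HOST: exit 0 when HOST (IP address or DNS name) matches
# the certificate. openssl exits 0 either way, so the printed verdict is parsed.
san_covers() {
    cert=$1
    host=$2
    case $host in
        *:*)       opt=-checkip ;;    # IPv6 literal
        *[!0-9.]*) opt=-checkhost ;;  # contains non-digit characters: DNS name
        *)         opt=-checkip ;;    # dotted-quad IPv4
    esac
    openssl x509 -in "$cert" -noout "$opt" "$host" 2>&1 \
        | grep -q 'does match certificate'
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_cert "$work/cn-only"                                # CN=instance, no SAN
make_cert "$work/with-san" "IP:127.0.0.1,DNS:localhost"  # SANs for local targets

for c in cn-only with-san; do
    for h in 127.0.0.1 localhost; do
        if san_covers "$work/$c.crt" "$h"; then
            result="covered"
        else
            result="NOT covered"
        fi
        echo "$c.crt  $h  $result"
    done
done
```

To check a real node certificate, call `san_covers /path/to/cert.pem 127.0.0.1` on its PEM form. `elasticsearch-certutil cert` accepts `--ip` as well as `--dns` for issuing certificates with such entries.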
