Logstash certificate not trusted

security

(Black Bagel) #1

Hey there,

For some reason, I can't seem to get my logstash to send trusted certificates to my secured elasticsearch cluster.
My cluster is secured with HTTPS, plus PKI authentication for clients.
I've followed your instructions in https://www.elastic.co/guide/en/shield/current/logstash.html but to no avail. No matter how I try to play with my logstash configuration, my certificates just don't seem to be trusted by my cluster. I've obviously checked, and my certificates work just fine using curl or kibana.
I know my certificate is not trusted since I get these errors:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target - on logstash.
And javax.net.ssl.SSLException: Received fatal alert: certificate_unknown - on elastic.
I've built my logstash keystore using these commands:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out logstash.p12 -alias logstash
keytool -importkeystore -srckeystore logstash.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS -alias logstash
And I obviously made sure my key's password is the same as my keystore's.

I also tried to generate my keystore using only the crt as a trusted certificate using this command:
keytool -importcert -keystore keystore.jks -file logstash.crt -alias logstash
But it didn't work either.

I'm a bit new to the PKI principles, but as far as I understand, my first way should have worked just fine...


(Jay Modi) #2

Can you provide your logstash configuration, shield configuration, and the output of keytool -list -v -keystore keystore.jks? With that hopefully we'll be able to figure out more of what's going wrong.


(Sushant Sood) #3

I was facing the same issue today, but my issue was with self-signed certificates, and I analysed that the cacert param had an incorrect cert in the Logstash Elasticsearch output plugin. You need to copy the ES certs to your Logstash clients and put the path of the server certs in the cacert attribute of the ES output plugin.

output {
  elasticsearch {
    ssl => true
    # path to your self-signed ES server cert PEM, or the CA cert shared by your CA
    cacert => "/path/to/ca.pem"
  }
}


(Sushant Sood) #4

For PKI auth I have raised an issue which you can follow here


(Black Bagel) #5

Logstash configuration:
input {
  file {
    path => "/tmp/hello_world"
    type => "hello_world"
    start_position => "beginning"
    sincedb_path => "/dev/null"
  }
}

output {
  if [type] == "hello_world" {
    elasticsearch {
      host => "xxx.xxx.xxx.xxx"
      port => 9200
      protocol => "http"
      index => "hello_world"
      document_type => "hello"
      manage_template => false
      ssl => true
      keystore => "/path/to/keystore"
      keystore_password => "changeme"
      cacert => "/path/to/cert"
    }
  }
}

keytool -list -v -keystore /path/to/keystore:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: logstash
Creation date: Oct 18, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=My-AD-group, OU=MyDepartment, O=AcmeInc, C=US
Issuer: CN=OurCA, OU=MyDepartment, O=AcmeInc, C=US
Serial number: SomeHexaCode
Valid from: Wed Jul 08 17:08:35 AKDT 2015 until: Sat Aug 24 17:08:35 AKDT 2017
Certificate fingerprints:
MD5: 55:20:B2:68:FD:0F:4E:BF:D5:E5:D5:04:47:6C:E3:10
SHA1: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5
SHA256: 25:17:A0:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7:4B:50:FE:E5:CA:86:CC:3E:6C:2D:C0:4E:8D:E8:33:05:F7
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 9.8.9.6.4.3.564.34.12 Criticality=false
0000: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A 53 C3 D6 67 some_map
0010: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A some_map

#2: ObjectId: 9.8.9.6.4.3.564.34.12 Criticality=false
0000: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A 53 C3 D6 67 some_map
0010: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A 53 C3 D6 67 some_map
0020: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A 53 C3 D6 67 some_map
0030: 29 some_map

#3: ObjectId: 9.8.9.6.4.3.564.34.12 Criticality=false
0000: 29 8B 7F 4A 53 C3 D6 67 29 8B 7F 4A 53 C3 D6 67 Acme Service Auth
0010: 29 8B 7F 4A 53 C3 D6 67 29 8B entication

#4: ObjectId: 9.8.9.6.4.3.564.34.12 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://address.of.ca.cert/INFO.crt
,
accessMethod: caIssuers
accessLocation: URIName: http://another.address.of.ca.cert/INFO.crt
]
]

#5: ObjectId: 9.8.34.12 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 29 8b 7f 4a 53 c3 d6 67 29 8b 7f 4a 53 c3 d6 67 acme service auth
0010: 29 8b 7f 4a 53 c3 d6 67 29 8b entication
]
]

#6: ObjectId: 9.8.34.12 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://path.ca.crl/INFO.crl, URIName: http://path.to.second.ca.crl/INFO.crl]
]]

#7: ObjectId: 9.8.34.12 Criticality=false
ExtendedKeyUsages [
clientAuth
8.2.3.4.5.6.124.45.64.3.2
]

#8: ObjectId: 9.8.34.12 Criticality=false
KeyUsage [
digitalSignature
Key_Encipherment
]

#9: ObjectId: 9.8.34.12 Criticality=false
SubjectAlternativeName [
Other-Name: Unrecognized ObjectIdentifier: 4.2.3.4.5.6.255.63.5.6
]

#10: ObjectId: 9.8.34.12 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 29 8b 7f 4a 53 c3 d6 67 29 8b 7f 4a 53 c3 d6 67 some_map
0010: 29 8b 7f 4a 53 c3 d6 67 29 8b some_map
]
]

*******************************************
*******************************************

I currently can't provide my full shield configuration for company security reasons. I'll probably provide parts of it later on.


(Jay Modi) #6

Hi @blackBagel,

Would you be able to also provide the output from the elasticsearch nodes keystore/truststore? One thing I noticed is that you do not have the issuing cert in your keystore, which can be necessary to build the proper certificate chain to be sent by the transport client.


(Black Bagel) #7

Thank you so much for everything! I was finally able to solve the problem, after I found out that the guy who set things up before me had actually signed the certificates with an intermediate CA! After that, all I had to do was add the intermediate CA PEM file to the keystore and set the "cacert" path to it.
Sorry about the long delay...
