Hi, I am trying to use an encrypted private key for a Logstash HTTP input; both the private key and the certificate are stored locally on the server. However, when I encrypt the private key and configure ssl_key_passphrase, Logstash is not able to read the encrypted private key:
Pipeline error {:pipeline_id=>"main", :exception=>java.lang.IllegalArgumentException: File does not contain valid private key: C:\ELK\logstash-7.10.0\config\Certificates\ca-pkcs8-crypt.key ...
Here is how I created the certificate and private key using OpenSSL 1.1.1:
# Generate an unencrypted 2048-bit RSA private key in ca.key.
openssl genrsa -out ca.key 2048
# Issue a self-signed X.509 certificate for that key, signed with SHA-256.
# No -days is given, so OpenSSL's default validity applies (30 days for req -x509); set it explicitly for anything longer-lived.
openssl req -x509 -new -nodes -key ca.key -sha256 -out c:\ca.crt
# Convert the key to PKCS#8 and encrypt it with the given passphrase.
# -passout pass:... places the passphrase on the command line, where it can end up in shell history and process listings;
# openssl also accepts env:VAR and file:PATH as pass phrase sources.
# NOTE(review): OpenSSL 1.1.x encrypts -topk8 output with PBES2 (AES-256-CBC, HMAC-SHA256 PRF) by default. Some JVM builds
# cannot decode that scheme, which would surface as "File does not contain valid private key" — confirm against the JDK
# Logstash runs on; `openssl asn1parse -in ca-pkcs8-crypt.key` shows which scheme the file actually uses.
openssl pkcs8 -in ca.key -topk8 -passout pass:somepassword -out ca-pkcs8-crypt.key
# NOTE(review): this reads ca-pkcs8.key, which none of the commands shown creates, and writes to the same output file as
# the previous command, overwriting it. Confirm which input was really used to produce ca-pkcs8-crypt.key.
openssl pkcs8 -in ca-pkcs8.key -topk8 -passout pass:somepassword -out ca-pkcs8-crypt.key
Here is what the Logstash configuration file looks like:
# Logstash HTTP input on port 9601 with TLS enabled, using a certificate and an encrypted private key read from local disk.
# Only server-side TLS is configured in this snippet; no client authentication setting is visible here.
input {
http {
port => 9601 # default: 8080
ssl => true
ssl_certificate => "C:\ELK\logstash-7.10.0\config\Certificates\ca.crt"
# NOTE(review): the plugin documentation asks for a PKCS#8 key here; the file name suggests an encrypted PKCS#8 key — confirm the
# encryption scheme inside the file is one the bundled JVM can decrypt.
ssl_key => "C:\ELK\logstash-7.10.0\config\Certificates\ca-pkcs8-crypt.key"
# The passphrase is in clear text in this file, next to the key it protects, so anyone who can read the config can decrypt the key.
# Consider storing it in the Logstash keystore and referencing it as "${KEY_NAME}" (KEY_NAME is a placeholder), and restrict
# file permissions on both the key and this config.
ssl_key_passphrase => "somepassword"
}
}
If I don't encrypt the private key, the HTTPS call works. Why doesn't my encrypted private key work? Please advise.
For reference, here is the full stack trace of the Logstash exception:
[2021-05-18T12:36:38,560][ERROR][logstash.javapipeline ][main]
Pipeline error {:pipeline_id=>"main", :exception=>java.lang.IllegalArgumentException: File does not contain valid private key:
C:\ELK\logstash-7.10.0\config\Certificates\ca-pkcs8-crypt.key,
:backtrace=>["io.netty.handler.ssl.SslContextBuilder.keyManager(io/netty/handler/ssl/SslContextBuilder.java:350)",
"io.netty.handler.ssl.SslContextBuilder.forServer(io/netty/handler/ssl/SslContextBuilder.java:107)",
"org.logstash.plugins.inputs.http.util.SslSimpleBuilder.build(org/logstash/plugins/inputs/http/util/SslSimpleBuilder.java:89)",
"jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
"jdk.internal.reflect.NativeMethodAccessorImpl.invoke(jdk/internal/reflect/NativeMethodAccessorImpl.java:62)",
"jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(jdk/internal/reflect/DelegatingMethodAccessorImpl.java:43)",
"java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:566)",
"org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(org/jruby/javasupport/JavaMethod.java:426)",
"org.jruby.javasupport.JavaMethod.invokeDirect(org/jruby/javasupport/JavaMethod.java:293)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.build_ssl_params(C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb:237)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.RUBY$method$build_ssl_params$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/vendor/bundle/jruby/$2_dot_5_dot_0/gems/logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java/lib/logstash/inputs/C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.create_http_server(C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb:214)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.RUBY$method$create_http_server$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/vendor/bundle/jruby/$2_dot_5_dot_0/gems/logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java/lib/logstash/inputs/C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.register(C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb:146)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java.lib.logstash.inputs.http.RUBY$method$register$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/vendor/bundle/jruby/$2_dot_5_dot_0/gems/logstash_minus_input_minus_http_minus_3_dot_3_dot_5_minus_java/lib/logstash/inputs/C:/ELK/logstash-7.10.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.5-java/lib/logstash/inputs/http.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.register_plugins(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:228)",
"org.jruby.RubyArray.each(org/jruby/RubyArray.java:1809)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.register_plugins(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:227)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$register_plugins$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/logstash_minus_core/lib/logstash/C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.start_inputs(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:386)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_inputs$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/logstash_minus_core/lib/logstash/C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.start_workers(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:311)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_workers$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/logstash_minus_core/lib/logstash/C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.run(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:185)", "C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$run$0$__VARARGS__(C_3a_/ELK/logstash_minus_7_dot_10_dot_0/logstash_minus_core/lib/logstash/C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb)",
"C_3a_.ELK.logstash_minus_7_dot_10_dot_0.logstash_minus_core.lib.logstash.java_pipeline.start(C:/ELK/logstash-7.10.0/logstash-core/lib/logstash/java_pipeline.rb:137)",
"org.jruby.RubyProc.call(org/jruby/RubyProc.java:318)",
"java.lang.Thread.run(java/lang/Thread.java:834)"],
"pipeline.sources"=>["C:/ELK/logstash-7.10.0/config/settings.conf"],
:thread=>"#<Thread:0x52fc7afe run>"}