Logstash is unable to connect to ES for Monitoring due to bad certificate

Hi guys,

I cannot see my Logstash node in Kibana because it cannot connect to Elasticsearch due to a bad certificate:

[2020-01-21T08:26:01,246][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"Elasticsearch Unreachable: [https://logstash_system:xxxxxx@elastic01.node.com:9200/][Manticore::ClientProtocolException] Received fatal alert: bad_certificate"}
[2020-01-21T08:26:01,314][ERROR][logstash.monitoring.internalpipelinesource] Failed to fetch X-Pack information from Elasticsearch. This is likely due to failure to reach a live Elasticsearch cluster.
[2020-01-21T08:26:05,378][WARN ][logstash.outputs.elasticsearch][logstash-filebeat] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logstash_internal:xxxxxx@elastic01.node.com:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://logstash_internal:xxxxxx@elastic01.node.com:9200/][Manticore::ClientProtocolException] PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"}

my elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /certs/elastic01.key 
xpack.security.transport.ssl.certificate: /certs/elastic01.crt
xpack.security.transport.ssl.certificate_authorities: [ "/certs/ca.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /certs/elastic01.key 
xpack.security.http.ssl.certificate: /certs/elastic01.crt
xpack.security.http.ssl.certificate_authorities: [ "/certs/ca.crt" ]

logstash.yml:

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: password
xpack.monitoring.elasticsearch.hosts: ["elastic01.node.com:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: /certs/ca/ca.crt
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

I assume that, because I have set xpack.security.http.ssl.client_authentication: required, I must provide the Logstash key and Logstash cert in logstash.yml. Am I assuming right?

But I am not able to find documentation on how to provide this information (key/crt) in logstash.yml.

Do you have any suggestions on how I can solve the problem?

PS: I have created all certificates and the CA in accordance with this guide: https://www.elastic.co/blog/configuring-ssl-tls-and-https-to-secure-elasticsearch-kibana-beats-and-logstash

OK, it looks like for Logstash client authentication towards Elasticsearch it's mandatory to use a JKS (Java keystore). I have created a JKS out of the existing crt and key files and now it works.

Due to my lack of understanding of this topic, I would like to know (from a security perspective) whether I am actually doing the right thing by forcing clients to provide a key and certificate in order to authenticate towards Elasticsearch.
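
The conversion described in the post above, as an added example that is not part of the original thread: it packages an existing PEM key and certificate into a JKS, checks that the store really holds a private key, and prints the Logstash monitoring keystore settings. The alias `logstash`, the file arguments and the variable names `KEYSTORE_PASS` and `LS_KEYSTORE_PASS` are assumptions.

```shell
#!/bin/sh
# Added example: build a JKS client keystore for Logstash from PEM files.
# Alias, paths and environment variable names are assumptions.

# build_client_keystore KEY.pem CERT.pem OUT.jks
# The password is read from $KEYSTORE_PASS so it never appears in argv.
build_client_keystore() (
  set -eu
  key=$1 crt=$2 out=$3
  : "${KEYSTORE_PASS:?export KEYSTORE_PASS first (6+ characters)}"
  export KEYSTORE_PASS
  p12=$(mktemp)
  trap 'rm -f "$p12"' EXIT          # never leave the intermediate bundle behind
  # 1. key + certificate -> PKCS#12, the format keytool can import a key from
  openssl pkcs12 -export -inkey "$key" -in "$crt" -name logstash \
    -passout env:KEYSTORE_PASS -out "$p12"
  # 2. PKCS#12 -> JKS (start from a clean file so old entries are not merged)
  rm -f "$out"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KEYSTORE_PASS \
    -destkeystore "$out" -deststoretype JKS -deststorepass:env KEYSTORE_PASS
  chmod 600 "$out"                  # the store contains the private key
)

# has_private_key_entry STORE.jks: succeeds only if the store holds a key pair.
# A store with only a trustedCertEntry cannot answer a client-certificate request.
has_private_key_entry() {
  keytool -list -keystore "$1" -storepass:env KEYSTORE_PASS 2>/dev/null |
    grep -q PrivateKeyEntry
}

# monitoring_settings STORE.jks: logstash.yml lines that point monitoring at it.
# ${LS_KEYSTORE_PASS} stays literal for Logstash to resolve at startup.
monitoring_settings() {
  printf 'xpack.monitoring.elasticsearch.ssl.keystore.path: %s\n' "$1"
  printf 'xpack.monitoring.elasticsearch.ssl.keystore.password: "%s"\n' \
    '${LS_KEYSTORE_PASS}'
}

# Stand-alone use: sh script.sh logstash.key logstash.crt logstash.jks
if [ "$#" -eq 3 ]; then
  set -e
  build_client_keystore "$1" "$2" "$3"
  has_private_key_entry "$3"
  monitoring_settings "$3"
fi
```

The certificate placed in the keystore must be signed by a CA listed in `xpack.security.http.ssl.certificate_authorities` on the Elasticsearch side, otherwise the handshake still ends in `bad_certificate`.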
