Logstash issues with certificate

Hello,
From a couple of days I'm fighting with certificates for logstash.
Certificate was generated for logstash and filebeat clients but after couple of minutes I'm receiving below errors: in attach
I don't know if this is error with my logstash certificate or certificate by clients with filebeat.

What are params in your SSL section? Do you have permission on cert files?

  1. What is the value of below settings in your Elasticsearch.yml:
xpack.security.transport.ssl.verification_mode:
xpack.security.http.ssl.verification_mode:
  1. What method have you used to create client certs for logstash and filebeat: Elasticsearch-certutil or openssl
  2. Have you signed them with an intermediate / root ?

Hello,
thanks for reply.
Regarding certificates - first of all I'm not shure if this is certificate for logstash or certificate for filebeat clients.
In my environment I'm using logstash with certificates and filebeat using certs to authenticate with logstash.
Regarding certificates I have below configuration (in attach)
Regarding Elasticsearch, I don't see such configuration, I have only:
xpack.security.enabled=true
xpack.security.authc.realms.native.native1.order=0

Please tell me how should look like.
Regarding certs, in logstash, I was using our certificate manager in AWS, but I had errors that logstash could have issues with key, so I red that key should be with pkcs8,
so I used:
openssl pkcs8 -topk8 -inform pem -in key.key -outform pem -nocrypt -out key1.key
but with certificate I didn't do anything
Capture1

regarding SSL - I'm receiving such log warnings:
Handling exception: javax.net.ssl.SSLHandshakeException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE

My bad ! I thought both filebeats and logstash are connecting to Elasticsearch. So in your case filebeats is trying to connect to logstash over SSL and the log you have shared is of logstash I assume ?

what are the ssl settings in your beats input section? esp the ssl_verify_mode ? If you have set this value anything other than none then the certs used by filebeat has to be signed by the CA mentioned within: ssl_certificate_authorities

In that case, also verify that the certs created for filebeat has proper Subject Alternative Names. i.e. they are matching with filebeat server's hostname.

Lastly check the verification_mode parameter within filebeat.yml against the output.logstash section. If this is full or strict then certs created for logstash must have proper Subject Alternative Names. i.e. they must match with logstash server's hostname.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.