Logstash lumberjack to beats certificate unknown


We're using Logstash 7.12, we want to use the lumberjack output plugin to relay traffic to the Beats input of another Logstash instance (also 7.12).

When using a self-signed certificate (identical on both sides) this communication works. However we operate our own internal CA that issues, revokes and rotates certificates at regular intervals (a feature that works well with Elasticsearch) so we would like to use that facility.

The CA issues a certificate / key pair and issuing CA bundle to each server (different cert / key pair per server). Lumberjack output uses the certificate, beats side uses its own cert / key pair and ca_bundle.

The receiving beats logstash starts fine and waits for input but when the lumberjack side fires up we get the error:

All hosts unavailable, sleeping {:hosts=>["x.x.x.x"], :e=>#<OpenSSL::SSL::SSLError: certificate verify failed>

On the beats input side Logstash errors with:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown)

Looking through the forum and other similar problems with lumberjack we've tried setting the lumberjack certificate to be the signing CA cert instead as well as the intermediate chain and get the same error. We've also tried copying the cert / key pair from lumberjack to beats side so they're identical on each side but to no avail.

Is this a bug or are we doing something fundamentally wrong?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.