Logstash RSS Input Plugin SSL Support

butchkelley · April 5, 2022, 11:24am

Hello,

Does the Logstash RSS Input plugin have the ability to use a specific CA certificate to validate an SSL enabled website? There are no "ca_cert" settings in the docs that I can find.

The specific error I'm getting is:

[date][INFO][logstash.inputs.rss] Polling RSS {:url=>"https://somesite.com/rss/bla.rss"}
[date][ERROR][logstash.javapipeline] A plugin had an unrecoverable error.  Will restart this plugin.
   Pipeline_id:some_rss
   Plugin: <_lots of stuff that doesn't appear to be of much use in troubleshooting this issue_>
   Error: certificate verify failed
   Exception: Faraday::SSLError
.... <_java stack dump_>....

The github case below implies that there are CA certs imbedded in Logstash (or the plugin itself) but we're using our own CA.

github.com/logstash-plugins/logstash-input-rss

logstash-input-rss cant fetch various RSS feeds due to Error: certificate verify failed

opened 03:40PM - 04 Oct 21 UTC

closed 11:26PM - 16 Feb 22 UTC

sthierolf

logstash-input-rss cant fetch various RSS feeds due to Error: certificate verify… failed Checked forum for how-to disable, skip or ignore SSL certificate check. Error for NIST feeds, Debian Security feeds. Looks like Feeds provided by websites running Let's Encrypt. Looks like Ruby or JRuby does SSL different than openssl which might cause this issue? - Version: logstash 7.15.0 - Operating System: Debian 11 Bullseye - Config File: Simple input Filter for NIST NVD feed: ``` input { rss { url => "https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml" interval => 3600 id => "rss-nist-nvd" tags => ["cert", "usa", "nist"] } } ``` - Sample Data: Started with: /usr/share/logstash/bin/logstash --path.settings /etc/logstash --log.level debug ``` [2021-10-04T17:31:51,902][ERROR][logstash.javapipeline ][main][rss-nist-nvd] A plugin had an unrecoverable error. Will restart this plugin. Pipeline_id:main Plugin: <LogStash::Inputs::Rss interval=>3600, id=>"rss-nist-nvd", url=>"https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml", tags=>["cert", "usa", "nist"], enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_059720a1-f3c2-42f3-90ea-d04827ee3035", enable_metric=>true, charset=>"UTF-8">> Error: certificate verify failed Exception: Faraday::SSLError ``` - Steps to Reproduce: Create input filter with above RSS feed URL.

Thanks for your help,
Butch

Badger · April 5, 2022, 5:36pm

Not that I know of. The plugin uses Faraday, and I think that uses jruby-openssl, and that uses Bouncy Castle.

You need to get your CA cert into the Trusted Root Certificate Authorities store. I cannot tell you how to do that.

butchkelley · April 5, 2022, 5:52pm

Thanks Badger,

Unfortunately adding my CA cert to the Trusted Root Certificate Authorities store is not an option as I'm on an isolated network.

Butch

butchkelley · April 5, 2022, 6:17pm

I was able to find a solution. Jruby will use the following environment variable:

SSL_CERT_FILE=/path/to/some_CA_cert.pem

Thanks,
Butch

system · May 3, 2022, 6:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.