Logstash SSL beats fail SSLV3_ALERT_BAD_CERTIFICATE

ohkeenan · November 2, 2018, 6:35pm

Hello,

I can connect with openssl s_client just fine but using metricbeat or filebeat fails (v6.4):

Nov 02 11:21:27 elk.***.com logstash[5533]: [2018-11-02T11:21:27,124][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
Nov 02 11:21:27 elk.***.com logstash[5533]: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
Nov 02 11:21:27 elk.***.com logstash[5533]:         at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) ~[netty-all-4.1.18.Final.jar:4.1.18.Final]
...

logstash conf:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/pki/tls/logstash-ca.crt"]
    ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/pki/tls/private/logstash.key"
    ssl_verify_mode => "peer"
  }
}

metricbeat.yml:

output.logstash:
  # The Logstash hosts
  hosts: ["elk.***.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/root/logstash-ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/pki/client/beat.crt"

  # Client Certificate Key
  ssl.key: "/etc/pki/client/beat.key"

openssl s_client connect:

root@optimus:~# openssl s_client -servername elk.***.com -connect elk.***.com:5044 -cert /etc/pki/client/beat.crt -key /etc/pki/client/beat.key -CAfile /etc/pki/root/logstash-ca.crt
CONNECTED(00000003)
depth=1 C = CA, ST = ***, L = ***, O = ***, OU = Elk, CN = elk.***.com, emailAddress = hello@***.com
verify return:1
depth=0 C = CA, ST = ***, L = ***, O = ***, OU = Elk, CN = elk.***.com, emailAddress = hello@***.com
verify return:1
---
Certificate chain
 0 s:/C=CA/ST=***/L=***/O=***/OU=Elk/CN=elk.***.com/emailAddress=hello@***.com
   i:/C=CA/ST=***/L=***/O=***/OU=Elk/CN=elk.***.com/emailAddress=hello@***.com
---
Server certificate
-----BEGIN CERTIFICATE-----
*
-----END CERTIFICATE-----
subject=/C=CA/ST=***/L=***/O=***/OU=Elk/CN=elk.***.com/emailAddress=hello@***.com
issuer=/C=CA/ST=***/L=***/O=***/OU=Elk/CN=elk.***.com/emailAddress=hello@***.com
---
Acceptable client certificate CA names
/C=CA/ST=***/L=***/O=***/OU=Elk/CN=elk.***.com/emailAddress=hello@***.com
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:0x04+0x08:RSA+SHA256:ECDSA+SHA384:0x05+0x08:RSA+SHA384:0x06+0x08:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA+SHA256:ECDSA+SHA384:RSA+SHA384:RSA+SHA512:RSA+SHA1
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1786 bytes and written 3013 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FE748F5758146B39C4309B3228395633E487F825C589BD3E554F2CABF183ABC6
    Session-ID-ctx: 
    Master-Key: 22D73CE4760115DE3313083820E1F8B7E945A7EB24249D91C53F3D5F76C1F2035A1B7D862AFE34F3E9AE0931D3E09441
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1541183538
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

ohkeenan · November 3, 2018, 4:47pm

I've now tried creating the keys with both openssl directly and certutil - same result. Help?

/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key ca/ca.key --ca-cert ca/ca.crt -pem

which actually said key is not valid or not in pkcs8 format so:

openssl pkcs8 -in logstash.key -topk8 -nocrypt -out logstash.pk8.key

and I still get SSLV3_ALERT_BAD_CERTIFICATE

system · December 1, 2018, 4:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.