How can I enable SSL certificate verification in my logstash pipeline output to elasticsearch? I don't find any documentation on which certificates to use here.
The cluster version is 8.5.3.
Jan 6 12:20:30 LOGSTASH-01 logstash[18785]: [2023-01-06T12:20:30,964][WARN ][logstash.outputs.elasticsearch][init_pipeline] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://logstash_writer:xxxxxx@ELASTIC-01:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://ELASTIC-01:9200/][Manticore::ClientProtocolException] PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"}
Everything works fine as long as ssl_certificate_verification is set to false - the cluster is healthy, kibana enrolls and the pipeline works as intended.
I have configured elasticsearch to use transport certificates generated within my company's PKI and I am also using the auto-generated http.p12 keystore and http_ca.crt. As far as I understand, logstash uses the elasticsearch http port and not the transport one, so the certificate I need for logstash to trust elasticsearch would be the CA certificate from the http configuration, "http_ca.crt". However, this does not work and I am getting the error message from above.
What did I get wrong? What certificate file, in what format, does logstash need to establish trust, and where do I get it from?
Thank you for your answer @dadiasish.
I had already tried using this certificate, but it throws this error:
Jan 6 14:41:28 LOGSTASH-01 logstash[21022]: [2023-01-06T14:41:28,173][WARN ][logstash.outputs.elasticsearch][init_pipeline] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://logstash_writer:xxxxxx@ELASTIC-01:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://ELASTIC-01:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
Jan 6 14:41:28 LOGSTASH-01 logstash[21022]: [2023-01-06T14:41:28,198][INFO ][logstash.outputs.elasticsearch][init_pipeline] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}
The elasticsearch logs are giving me this warning when I'm using the certificate:
[2023-01-06T15:20:35,414][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [ELASTIC-01] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/172.16.10.55:9200, remoteAddress=/172.16.3.25:58392}
Thank you @Ayush_Mathur.
I can't reproduce all the steps from the blog, because my setup is a bit different. But I tried adapting the instructions and step 4-3 actually fixed my logstash issue!
However, this kills the connection between kibana and elasticsearch, as I need the http.p12 keystore for the kibana enrollment. (I am using enrollment tokens to automatically enroll kibana.)
But that's another issue, and I guess if I just manually connect Kibana everything should finally work!
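The PKIX errors quoted in this thread mean Logstash could not build a chain from the certificate served on port 9200 to any CA it was given. As an added example (not part of the original posts), this script checks which candidate CA file a server certificate actually chains to; the two CAs, the server certificate and all file names are constructed locally with openssl, and it assumes there are no intermediate CAs.

```shell
#!/bin/sh
# Added example. Every certificate, subject and file name below is
# constructed; nothing here contacts a real cluster.

# chains_to CA_FILE CERT_FILE: succeed only if CERT_FILE validates with
# CA_FILE as the sole trust anchor (the system CA directory is excluded).
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# pick_trust_anchor CERT_FILE CA_FILE...: print the first candidate CA file
# that CERT_FILE chains to; return non-zero if none of them does.
pick_trust_anchor() {
    cert=$1; shift
    for ca in "$@"; do
        if chains_to "$ca" "$cert"; then
            printf '%s\n' "$ca"
            return 0
        fi
    done
    return 1
}

# make_demo_pki DIR: two unrelated CAs, and one server certificate that is
# signed by the second CA (company_ca), not by http_ca.
make_demo_pki() {
    d=$1
    for name in http_ca company_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=constructed $name" \
            -keyout "$d/$name.key" -out "$d/$name.crt" >/dev/null 2>&1 || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ELASTIC-01" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/company_ca.crt" -CAkey "$d/company_ca.key" -CAcreateserial \
        -out "$d/server.crt" >/dev/null 2>&1
}

# demo: build the constructed PKI and print the CA file the server cert chains to.
demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    anchor=$(pick_trust_anchor "$tmp/server.crt" "$tmp/http_ca.crt" "$tmp/company_ca.crt")
    rc=$?
    basename "$anchor"
    rm -rf "$tmp"
    return $rc
}
```

Against a live node, save the served certificate with `openssl s_client -connect ELASTIC-01:9200 </dev/null | openssl x509 -out served.crt` and pass it to `pick_trust_anchor` together with the CA files you are considering.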