Logstash TCP/SSL | General OpenSslEngine problem


(ahd.slei) #1

Hi,
I'm forwarding logs from Logstash to Logstash using the tcp output/input plugins over SSL.
On the client side I use this config in the output:

tcp {
    host => "logstash01.domain.tld"
    port => 8443
    codec => json_lines
    ssl_enable => true
    ssl_cacert => "/etc/logstash/certs/ca.cer"
    ssl_cert => "/etc/logstash/certs/client.cer"
    ssl_key => "/etc/logstash/certs/client.key"
}

And this on the server input:

tcp {
    port => "8443"
    codec => json_lines
    ssl_enable => true
    ssl_extra_chain_certs => ["/etc/logstash/certs/ca.cer"]
    ssl_cert => "/etc/logstash/certs/logstash01.cer"
    ssl_key => "/etc/logstash/certs/logstash01.key"
}

The problem is that I'm getting this exception on the client:

SSL Error {:exception=>#<OpenSSL::SSL::SSLError: Received fatal alert: internal_error>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:266:in `connect'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-tcp-5.0.3/lib/logstash/outputs/tcp.rb:179:in `block in connect'", ...... trimmed

And this on the server:

[ERROR][logstash.inputs.tcp ] Error in Netty pipeline: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem

The goal is to achieve mutual authentication. Can anyone help?
Thank you

PS: the certificates are self-signed


(LCF) #2

I think you should replace ssl_extra_chain_certs with ssl_certificate_authorities
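
In the tcp input, ssl_certificate_authorities is the list the server validates client certificates against, while ssl_extra_chain_certs only adds certificates to the chain the server presents. The script below is an added example, not from either post: it runs the chain check and the key/certificate pairing check on a throwaway CA and certificates built in a temp directory (all file names and subjects are constructed).

```bash
#!/usr/bin/env bash
# Added example: constructed throwaway CA and certificates (all names made up).

# make_ca <dir> <name>: self-signed CA key and certificate
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.cer" 2>/dev/null
}

# make_leaf <dir> <ca-name> <leaf-name>: key and certificate signed by that CA
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.cer" -CAkey "$1/$2.key" \
    -CAcreateserial -out "$1/$3.cer" 2>/dev/null
}

# chain_ok <ca-file> <cert>: succeeds only if <cert> validates against <ca-file>
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# key_matches <cert> <key>: succeeds only if the private key belongs to the cert
key_matches() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# report <label> <command...>: print PASS/FAIL for one check
report() {
  local label=$1; shift
  if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# demo: a client cert from the trusted CA passes, one from another CA does not
demo() {
  local d; d=$(mktemp -d) || return 1
  make_ca "$d" ca && make_ca "$d" otherca &&
    make_leaf "$d" ca client && make_leaf "$d" otherca stranger || return 1
  report "client.cer chains to ca.cer"   chain_ok "$d/ca.cer" "$d/client.cer"
  report "stranger.cer chains to ca.cer" chain_ok "$d/ca.cer" "$d/stranger.cer"
  report "client.key matches client.cer" key_matches "$d/client.cer" "$d/client.key"
  rm -rf "$d"
}

demo
```

On the hosts from the thread, the same two functions can be pointed at /etc/logstash/certs/ca.cer with client.cer and client.key on the client, and with logstash01.cer and logstash01.key on the server.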