Logstash to Elasticsearch connection error using certificate

Ooh!! Did: here it is:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:00:00:16:20:54:0a:ac:99:8f:a1:34:07:00:01:00:00:16:20
    Signature Algorithm: somealgo
        Issuer: DC=com, DC=abc, CN=abc-INDUS1-CA
        Validity
            Not Before: Feb 27 13:11:26 2019 GMT
            Not After : Feb 26 13:11:26 2021 GMT
        Subject: CN=*.uat.abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                7A:2B:31:67:79:55:51:D3:F3:E3:A0:9D:2D:04:5F:98:30:5A:4C:95
            X509v3 Subject Alternative Name:
                DNS:*.uat.abc.com
            X509v3 Authority Key Identifier:
                keyid:AC:A1:24:66:4F:62:9E:60:2B:0C:08:57:60:E8:57:E0:18:EF:D7:20

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=abc-INDUS1-CA(1),CN=INDUS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=abc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=abc-INDUS1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=abc,DC=com?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: somealgo

Can you give me some direction, why is it that it is required? Or some reference or link?

I meant the information you shared with us is not enough, not that the certificate is not enough.

Your certificate looks fine

X509v3 Subject Alternative Name:
                DNS:*.uat.abc.com

so I have no additional ideas on why this fails. I'll leave it to Logstash folks to add any insights/recommendations.

@ikakavas @Mike_Place thank you both for your time and efforts.
I finally managed to do it:
using these two fields in my output I could finally connect to my elasticsearch instance.

ssl => true
ssl_certificate_verification => false  

@akshatBais I just want to make sure that you are explicitly aware that this configuration is insecure. Our documentation describes why.

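Before turning verification off, it helps to see which check a verifying client would actually fail. The following is an added example, not code from the thread or from Elastic: it reads the validity dates and SAN from an `openssl x509 -text` dump like the one posted above and lists the reasons a client would reject the certificate for a given host. The function names are this example's own, and it does not check whether the issuing CA (`abc-INDUS1-CA`) is in the client's trust store.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the fields of the `openssl x509 -text` dump above that
# matter for verification (hex blobs omitted).
SAMPLE_CERT_TEXT = """\
        Issuer: DC=com, DC=abc, CN=abc-INDUS1-CA
        Validity
            Not Before: Feb 27 13:11:26 2019 GMT
            Not After : Feb 26 13:11:26 2021 GMT
        Subject: CN=*.uat.abc.com
            X509v3 Subject Alternative Name:
                DNS:*.uat.abc.com
"""

def _date(text, label):
    """Parse a 'Not Before' / 'Not After' line into an aware UTC datetime."""
    raw = re.search(label + r"\s*:\s*(.+?) GMT", text).group(1)
    return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def san_dns_names(text):
    """DNS entries from the Subject Alternative Name line."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    return re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []

def name_matches(pattern, host):
    """RFC 6125 style match: '*' covers exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

def verification_problems(text, host, now):
    """Reasons a verifying TLS client would reject this certificate for host."""
    problems = []
    if now < _date(text, "Not Before"):
        problems.append("not yet valid")
    if now > _date(text, "Not After"):
        problems.append("expired")
    if not any(name_matches(n, host) for n in san_dns_names(text)):
        problems.append("hostname not covered by SAN")
    return problems
```

Pass the exact host string from the Logstash `hosts` setting: an IP address, a bare `uat.abc.com`, or a name two labels deep under `uat.abc.com` is not covered by `*.uat.abc.com`.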