Logtash to elasticsearch connection error using certificate

akshatBais · October 23, 2019, 12:20pm

ooh !! did : here it is :

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1a:00:00:16:20:54:0a:ac:99:8f:a1:34:07:00:01:00:00:16:20
    Signature Algorithm: somealgo
        Issuer: DC=com, DC=abc, CN=abc-INDUS1-CA
        Validity
            Not Before: Feb 27 13:11:26 2019 GMT
            Not After : Feb 26 13:11:26 2021 GMT
        Subject: CN=*.uat.abc.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:55:e7:af:ca:61:3c:ab:f3:4a:8e:eb:01:ed:
                    59:9f:6c:65:b1:c4:3f:b9:fb:0b:42:b0:c4:cb:74:
                    27:b2:9b:3a:fe:54:48:93:e4:7a:de:bb:79:88:49:
                    27:68:7a:2c:08:d7:41:19:1f:a0:70:29:99:19:20:
                    ce:ec:ee:7e:96:9f:91:04:e1:bd:c4:bb:6b:f3:c7:
                    b6:a8:c1:bf:ea:f7:fe:57:9d:03:c2:50:a2:cf:1c:
                    92:48:06:4b:22:fb:a4:e2:b8:f1:d0:c8:b9:cc:6f:
                    05:6e:1f:8e:15:85:f9:41:a7:93:fc:64:17:02:62:
                    a9:5d:b7:56:e4:e2:b6:96:c6:19:a6:e9:2d:52:c8:
                    6d:68:a6:5f:8a:60:65:8e:fd:74:1c:12:5a:be:71:
                    6e:3a:7e:9c:87:8d:d6:7a:c8:dd:49:73:67:cf:d0:
                    39:d8:39:a2:b9:da:f1:38:2a:04:98:a5:c0:88:87:
                    9f:44:78:b4:d5:cf:0a:33:d5:ee:0d:58:53:60:65:
                    f1:4e:0d:05:46:d6:be:e3:62:e2:34:a6:46:dd:2d:
                    ad:44:04:05:64:52:2c:a4:87:e2:c0:1b:a5:35:a6:
                    c3:51:e3:3f:73:de:40:a4:10:31:90:4f:a6:27:76:
                    65:15:6c:b8:8d:98:a9:76:70:f5:e9:6e:65:63:46:
                    0e:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.20.2:
                ...W.e.b.S.e.r.v.e.r
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                7A:2B:31:67:79:55:51:D3:F3:E3:A0:9D:2D:04:5F:98:30:5A:4C:95
            X509v3 Subject Alternative Name:
                DNS:*.uat.abc.com
            X509v3 Authority Key Identifier:
                keyid:AC:A1:24:66:4F:62:9E:60:2B:0C:08:57:60:E8:57:E0:18:EF:D7:20

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///CN=abc-INDUS1-CA(1),CN=INDUS1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=abc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

            Authority Information Access:
                CA Issuers - URI:ldap:///CN=abc-INDUS1-CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=abc,DC=com?cACertificate?base?objectClass=certificationAuthority

    Signature Algorithm: somealgo
         2e:0a:05:4a:3b:4d:8d:ed:40:f1:54:88:dd:04:52:87:39:2d:
         bd:1a:89:0b:81:fd:78:49:76:e2:67:5e:3b:c1:94:2e:15:65:
         30:f6:9f:90:ec:61:5f:3c:aa:c2:a6:38:94:a6:cf:7f:ea:c0:
         1a:64:3b:30:23:96:46:43:36:39:54:eb:47:3e:32:e2:cc:21:
         68:35:46:bc:c7:ca:50:6c:72:9c:cc:35:41:a6:73:71:cb:3c:
         d7:d1:32:a5:d5:5c:8d:0f:9f:dd:b8:46:64:df:63:62:21:70:
         c8:52:ee:15:23:9f:b2:91:65:50:fc:19:4e:3a:90:72:a0:1d:
         89:87:ff:19:09:78:c7:6e:9f:30:96:f3:6f:33:ea:ca:cb:0f:
         30:94:ac:3c:0b:ed:44:1f:94:65:00:72:c4:92:b9:c8:10:68:
         a3:5f:8a:1d:0e:79:5e:5e:26:84:df:ea:19:e0:2f:60:f6:f5:
         a5:87:d3:57:6c:ac:d0:bd:d3:bb:2a:2e:7d:b8:93:f1:07:1a:
         a4:8f:6c:7a:95:1c:6b:d5:95:63:5e:e0:19:f3:7e:de:f1:dc:
         0e:a1:67:fb:92:82:12:1c:ea:e0:2c:82:db:0f:ba:89:63:58:
         32:77:af:95:63:56:06:c6:6f:cf:57:18:98:fa:e4:f0:bd:80:
         72:a5:95:09

Can you give me some direction , why is that it is required ? or some reference or link ?

ikakavas · October 23, 2019, 2:15pm

I meant the information you shared with us is not enough, not that the certificate is not enough.

Your certfiicate looks fine

X509v3 Subject Alternative Name:
                DNS:*.uat.abc.com

so I have no additional ideas on why this fails. I'll leave it to Logstash folks to add any insights/recommendations.

akshatBais · October 24, 2019, 5:59am

@ikakavas @Mike_Place thankyou both for your time and efforts .
I finally managed to do :
using these two fields in my output I could finally connect to my elasticsearch instance.

ssl => true
ssl_certificate_verification => false

ikakavas · October 24, 2019, 6:17am

ssl_certificate_verification => false

@akshatBais I just want to make sure that you are explicitly aware that this configuration is insecure. Our documentation describes why

system · November 21, 2019, 6:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.