LS 2.3 -> 5.0 TLS trouble, PKCS#8 and cipher_suites


(Gregory Orange) #1

On FreeBSD 10, I had TLS working for encrypted communication between previous versions of Logstash and both Filebeat and Metricbeat. I've recently upgraded ELK to the versions below:

Things work with TLS disabled, but I am being hindered by the LS 2.4 breaking change regarding PKCS#8.

logstash/bin/logstash -f /usr/local/etc/logstash/logstash.conf
...
[2016-11-28T14:57:53,934][ERROR][logstash.inputs.beats    ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /usr/local/share/certs/managed/raw/logstash.key}

I followed some advice about converting the private key for both *beats and Logstash...

# openssl pkcs8 -topk8 -nocrypt -in $inkey -out $inkey.pkcs8

... and changing configs for all three services to use the .pkcs8 file for the key. Still no luck:

logstash/bin/logstash -f /usr/local/etc/logstash/logstash.conf
...
[2016-11-28T13:54:43,883][ERROR][logstash.inputs.beats    ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38}

Can I get some help troubleshooting this please?

$ openssl version
OpenSSL 1.0.1p-freebsd 9 Jul 2015

Thanks,
Greg.
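
As an added example (not part of the original post and not Elastic's tooling), the two things the error messages above refer to can be checked before starting Logstash: the PEM label of the key file, and the shape of each configured cipher suite name. The function names are hypothetical, and the name pattern is an assumption that covers TLS 1.2-style suite names only.

```shell
#!/bin/sh
# Added diagnostic example; not part of the original post.

# Classify a PEM private key by its first BEGIN label (labels per RFC 7468).
key_format() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    case "$label" in
        "PRIVATE KEY")           echo pkcs8 ;;            # written by: openssl pkcs8 -topk8 -nocrypt
        "ENCRYPTED PRIVATE KEY") echo pkcs8-encrypted ;;  # -topk8 without -nocrypt
        "RSA PRIVATE KEY")       echo pkcs1-rsa ;;        # traditional OpenSSL RSA key
        "EC PRIVATE KEY")        echo sec1-ec ;;          # traditional OpenSSL EC key
        "")                      echo no-pem-header ;;    # DER, empty, or not a key
        *)                       echo "other:$label" ;;
    esac
}

# Shape check for TLS 1.2-style names: TLS_<kx>_WITH_<cipher>_<hash>.
# CCM and TLS 1.3 suite names fall outside this pattern (assumed not in use here).
suite_name_ok() {
    printf '%s\n' "$1" |
        grep -Eq '^TLS_[A-Z0-9_]+_WITH_[A-Z0-9_]+_(SHA|SHA256|SHA384|MD5)$'
}

# Usage: check_tls_inputs KEYFILE [SUITE...]; returns 1 if anything is flagged.
check_tls_inputs() {
    rc=0
    fmt=$(key_format "$1"); shift
    echo "key format: $fmt"
    [ "$fmt" = pkcs8 ] || rc=1
    for s in "$@"; do
        if suite_name_ok "$s"; then
            echo "suite ok:  $s"
        else
            echo "suite bad: $s"; rc=1
        fi
    done
    return "$rc"
}

# Run against real inputs when arguments are given.
if [ "$#" -gt 0 ]; then check_tls_inputs "$@"; fi
```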

