LS to ES via mTLS RSA only?

Hello all,

I have a working configuration where Logstash authenticates to Elasticsearch via the mTLS scheme using its default RSA key. I now need to replace this key with another one that is generated by our OpenShift operator. However, this operator has RSA keys forbidden and only generates ECDSA keys. If I use this key, I'm getting this error when LS starts:

exception=>#<Java::JavaSecuritySpec::InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key>, :backtrace=>["sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(sun/security/rsa/RSAKeyFactory.java:253)"

The new key is in non-encrypted PKCS8 format as was the previous one.

So Logstash only supports RSA keys?

Thanks

OK, the problem was that after converting the original EC key to PKCS8 the header no longer contained the "EC" keyword. So instead of BEGIN EC PRIVATE KEY only BEGIN PRIVATE KEY remained. Logstash therefore handled the key as RSA. So after key conversion I used sed:

sed -i -e 's/BEGIN PRIVATE/BEGIN EC PRIVATE/g' /usr/share/logstash/config/tls.pkcs8.key
sed -i -e 's/END PRIVATE/END EC PRIVATE/g' /usr/share/logstash/config/tls.pkcs8.key
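
As an added example (not part of the original posts): a PKCS#8 file carries the generic BEGIN PRIVATE KEY label and records the key type inside the DER body as an algorithm OID, so this Python code reads that OID to show what a key file really contains whatever its label says. The sample keys are constructed PKCS#8 framing around placeholder bytes, and all function names are illustrative.

```python
import base64
import re

# DER-encoded OID bodies that can appear in a PKCS#8 AlgorithmIdentifier
KEY_OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1 id-ecPublicKey
}

def read_tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs8_algorithm(pem_text):
    """Return (PEM label, key algorithm) for an unencrypted PKCS#8 key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    try:
        tag, pos, _ = read_tlv(der, 0)            # PrivateKeyInfo SEQUENCE
        vtag, _, pos = read_tlv(der, pos)         # version INTEGER
        atag, apos, _ = read_tlv(der, pos)        # AlgorithmIdentifier SEQUENCE
        otag, ostart, oend = read_tlv(der, apos)  # algorithm OID
    except IndexError:
        raise ValueError("truncated DER data") from None
    if (tag, vtag, atag, otag) != (0x30, 0x02, 0x30, 0x06):
        raise ValueError("not a PKCS#8 PrivateKeyInfo structure")
    return m.group(1), KEY_OIDS.get(der[ostart:oend], "unknown OID " + der[ostart:oend].hex())

def der_element(tag, body):
    """Encode one DER element (short-form length, enough for the sample)."""
    return bytes([tag, len(body)]) + body

def sample_pkcs8_pem(alg_oid_hex, params_der):
    """Constructed sample: PKCS#8 framing around 32 placeholder key bytes."""
    alg = der_element(0x30, der_element(0x06, bytes.fromhex(alg_oid_hex)) + params_der)
    info = der_element(0x30, der_element(0x02, b"\x00") + alg + der_element(0x04, bytes(32)))
    b64 = base64.b64encode(info).decode()
    return f"-----BEGIN PRIVATE KEY-----\n{b64}\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    p256 = der_element(0x06, bytes.fromhex("2a8648ce3d030107"))  # prime256v1 curve OID
    ec = sample_pkcs8_pem("2a8648ce3d0201", p256)
    print(pkcs8_algorithm(ec))                                            # generic label, EC body
    print(pkcs8_algorithm(ec.replace("PRIVATE KEY", "EC PRIVATE KEY")))   # relabelled, same body
```

Relabelling the header, as the sed commands do, changes only the first element of the result; the body and its OID stay the same.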