As far as I can see, I've set up Metricbeat to correctly validate/use SSL, but it still gives the following warning when running 'metricbeat test output': server's certificate chain verification is disabled
The connection is fully working, as I can see no error from the logs of metricbeat itself and I can also see metrics showing up in Elasticsearch. I've looked through all possible SSL options to configure, but none of them seem to cover this.
And using openssl s_client -CAfile ./config/certificates/ca.crt -showcerts -connect 01-elasticsearch-dev.internal:9200 I get the following:
CONNECTED(00000003)
depth=1 C = NL, O = Forion, CN = dev Forion CA
verify return:1
depth=0 C = NL, O = Forion, CN = 01-elasticsearch-dev.internal
verify return:1
---
<snip>
<full certificate chain including CA + server certificate>
<snip>
---
Server certificate
subject=/C=NL/O=Forion/CN=01-elasticsearch-dev.internal
issuer=/C=NL/O=Forion/CN=dev Forion CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 6544 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
<snip>
Start Time: 1636453514
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I have exactly the same warning from all beat types when testing the connection to Logstash. The warning started when upgrading the beats to version 7.15.0 using TLS version 1.2.
This is pretty annoying since we have service providers to deploy our beats packages on the host. We deliver the packages with Chocolatey or apt.
Wow, thanks @Mattias_Brunnert . That indeed solved the issue. Man, I really thought 'full' is the maximum security setting you could select. But apparently 'strict' is more 'full'
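Added example, not part of the thread or of Beats' own code: the Beats documentation describes `ssl.verification_mode: strict` as the `full` checks plus an error when the certificate's Subject Alternative Name is empty, so a certificate that names the host only in its CN fails under `strict`. This Go sketch runs that check on constructed self-signed certificates before a rollout; `strictReady` and `constructedCert` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// strictReady (hypothetical helper) requires a DNS/IP SAN and a SAN match for host.
func strictReady(cert *x509.Certificate, host string) error {
	if len(cert.DNSNames)+len(cert.IPAddresses) == 0 {
		return errors.New("no DNS/IP Subject Alternative Name; only a CN is present")
	}
	return cert.VerifyHostname(host) // matches SAN entries only, never the CN
}

// constructedCert builds a throwaway self-signed certificate (constructed sample data).
func constructedCert(cn string, sans ...string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	h := "01-elasticsearch-dev.internal" // hostname taken from the thread
	fmt.Println(strictReady(constructedCert(h), h), strictReady(constructedCert(h, h), h))
}
```

To check a real server certificate, parse its PEM with `x509.ParseCertificate` and pass the result to `strictReady` with the hostname configured in the Beat's output.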