Metricbeat x509 Certificate error

artschooldropout · August 31, 2023, 3:53pm

I've got an Elasticsearch instance running nicely, and I'd like to use metricbeat to monitor system performance (running on the same host).

I'm getting an x509 certificate error when I start metricbeat using metricbeat -e.

Here's my metricbeat config:

metricbeat:
  config:
    modules:
      path: /etc/metricbeat/modules.d/*.yml
      reload:
        enabled: false
output:
  elasticsearch:
    hosts:
    - https://localhost:9200
    password: [redacted]
    ssl:
      ca_trusted_fingerprint: [redacted]
      enabled: true
    username: elastic
path:
  config: /etc/metricbeat
  data: /var/lib/metricbeat
  home: /usr/share/metricbeat
  logs: /var/log/metricbeat
processors:
- add_host_metadata: null
- add_cloud_metadata: null
- add_docker_metadata: null
- add_kubernetes_metadata: null
setup:
  kibana: null
  template:
    settings:
      index:
        codec: best_compression
        number_of_shards: 1

Here's the metricbeat log:

gist.github.com

https://gist.github.com/packetuser/f4100f27a940938d789143f1bb5746cd

gistfile1.txt

{"log.level":"info","@timestamp":"2023-08-31T15:36:18.604Z","log.origin":{"file.name":"instance/beat.go","file.line":779},"message":"Home path: [/usr/share/metricbeat] Config path: [/etc/metricbeat] Data path: [/var/lib/metricbeat] Logs path: [/var/log/metricbeat]","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.605Z","log.origin":{"file.name":"instance/beat.go","file.line":787},"message":"Beat ID: db63bce8-398f-4389-915a-8e77b7eca9bf","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1299},"message":"Beat info","service.name":"metricbeat","system_info":{"beat":{"path":{"config":"/etc/metricbeat","data":"/var/lib/metricbeat","home":"/usr/share/metricbeat","logs":"/var/log/metricbeat"},"type":"metricbeat","uuid":"db63bce8-398f-4389-915a-8e77b7eca9bf"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1308},"message":"Build info","service.name":"metricbeat","system_info":{"build":{"commit":"3799398872c0f33da4e65019390d055cdfe633bd","libbeat":"8.9.1","time":"2023-08-10T04:15:15.000Z","version":"8.9.1"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.610Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1311},"message":"Go runtime info","service.name":"metricbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":40,"version":"go1.19.12"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.611Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1317},"message":"Host info","service.name":"metricbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-08-16T21:02:12Z","containerized":false,"name":"zeek1","ip":["127.0.0.1","::1","10.7.81.47","fe80::1a66:daff:feac:8008","fe80::1a66:daff:feac:8009","fe80::a236:9fff:fef0:f140","fe80::a236:9fff:fef0:f142","fe80::a236:9fff:fef0:eb26"],"kernel_version":"5.15.0-78-generic","mac":["18:66:da:ac:80:07","18:66:da:ac:80:08","18:66:da:ac:80:09","18:66:da:ac:80:0a","a0:36:9f:f0:f1:40","a0:36:9f:f0:f1:42","a0:36:9f:f0:eb:24","a0:36:9f:f0:eb:26"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"22.04.3 LTS (Jammy Jellyfish)","major":22,"minor":4,"patch":3,"codename":"jammy"},"timezone":"UTC","timezone_offset_sec":0,"id":"5eb37bd26b0e4ba792a1575c41c3a2db"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.612Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1346},"message":"Process info","service.name":"metricbeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"ambient":null},"cwd":"/etc/filebeat","exe":"/usr/share/metricbeat/bin/metricbeat","name":"metricbeat","pid":1209434,"ppid":1209433,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-08-31T15:36:17.680Z"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-08-31T15:36:18.612Z","log.origin":{"file.name":"instance/beat.go","file.line":330},"message":"Setup Beat: metricbeat; Version: 8.9.1","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-08-31T15:36:18.619Z","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"metricbeat","ecs.version":"1.6.0"}

This file has been truncated. show original

I'm confused, because the same output:elasticsearch section works fine for Filebeat...

I generated a self-signed cert when I set up the ES instance.

Here's my Elasticsearch config:

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch


xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["zeek1"]

http.host: 0.0.0.0

I know this is a common issue - I've searched to no avail!

carly.richmond · September 1, 2023, 9:47am

Hi @artschooldropout ,

Which version of Metricbeat and Filebeat are you using? Can you try adding the ssl_certificate_authorities option which looks to be missing from your configuration as per this thread?

As an FYI from version 8 onwards you may need to update your certificates to use Subject Alternative Names over CommonName:

artschooldropout · September 1, 2023, 5:33pm

I'm using Metricbeat 8.9.1 and Filebeat 8.9.1. I tried adding the ssl_certificate_authorities option as suggested, but I get the same errors.

Here's what my metricbeat config looks like now:

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "elastic"
  password: "[redacted]"
  ssl:
    enabled: true
    ca_trusted_fingerprint: "[redacted]"
    certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]

I got the cert path from the installation instructions for Debian systems: here

artschooldropout · September 1, 2023, 5:56pm

Ok, I tried changing the /elasticsearch-xpack.yml file to match the metricbeat config file, and the output of metricbeat -e seems to indicate it's up and running now. However, I'm getting a 'Monitoring Request Error' in the GUI: [search_phase_execution_exception Root causes: no_shard_available_action_exception: null: search_phase_execution_exception Root causes: no_shard_available_action_exception: null]: all shards failed

artschooldropout · September 1, 2023, 7:52pm

Ok - the issue was that my instance was low on disk space. I freed up space and my Metricbeat is working nicely. Thanks @carly.richmond for your help!

system · September 29, 2023, 7:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Metricbeat Error : x509 Certificate is valid for x, not Y Beats metricbeat	1	1295	June 7, 2019
Metricbeat Beats metricbeat	6	676	October 28, 2021
Metricbeat failed with Certificate error Beats metricbeat	1	924	March 10, 2020
Merticbeat Error dialing x509: certificate is valid for 127.0.0.1, not 172.16.0.204 Beats metricbeat	3	2842	April 7, 2022
X509: cannot validate certificate for 192.168.0.85 because it doesn't contain any IP SANs Beats metricbeat	3	4417	July 3, 2019

Metricbeat x509 Certificate error

Related topics