I am trying to set up mutual authentication between Filebeat and Logstash as per https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html
I have generated certificates and keys using two different methods, by using openssl on the command line, as well as using nodepki. I get the same error.
To convert a keyfile to PKCS8 (for Logstash) I used:
openssl pkcs8 -topk8 -inform PEM -outform PEM -in pki/filebeat.key -out pki/filebeat.key.pkcs8
I did not convert the keyfile to PKCS8 for FileBeat.
If I comment out ssl_certificate_authorities and ssl_verify_mode from the logstash conf, things work. However, I do want mutual authentication, so this is not good enough.
The error message I get is "remote error: tls: internal error", which is reproducible via curl:
bash-4.2$ curl -v --cacert /pki/ca.pem --cert /pki/client.pem --key /pki/client.key https://logstash:5044
* About to connect() to logstash port 5044 (#0)
* Trying 172.19.0.4...
* Connected to logstash (172.19.0.4) port 5044 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /pki/ca.pem
CApath: none
* NSS: client certificate from file
* subject: CN=filebeat,O=Basalt AB,L=Stockholm,ST=Uppsala,C=SE
* start date: May 10 13:48:11 2017 GMT
* expire date: May 10 13:48:11 2018 GMT
* common name: filebeat
* issuer: CN=Intermediate CA,O=ADITO Software GmbH,L=Geisenhausen,ST=Bayern,C=DE
* NSS error -12188 (SSL_ERROR_INTERNAL_ERROR_ALERT)
* Peer reports it experienced an internal error.
* Closing connection 0
curl: (35) Peer reports it experienced an internal error.
Here is my relevant configuration:
logstash.conf
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/pki/server.pem"
    ssl_certificate_authorities => ["/pki/ca.pem"]
    ssl_key => "/pki/server.key"
    ssl_key_passphrase => "password123"
    ssl_verify_mode => "peer"
  }
}
filebeat.yml
filebeat.prospectors:
- input_type: log
  paths:
    - /mnt/log/*.log
processors:
- add_cloud_metadata:
output.logstash:
  hosts: ['logstash:5044']
  ssl.certificate_authorities: ["/pki/ca.pem"]
  ssl.certificate: "/pki/client.pem"
  ssl.key: "/pki/client.key"
#logging.level: debug
How do I enable debugging of the SSL negotiation in Logstash? Nothing appears in the logs there, even though I set debugging via:
PUT /_node/logging
{
  "logger.logstash.inputs.beats": "DEBUG"
}
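A server-side "internal error" alert during client authentication usually means the server could not validate what the client sent, so before turning on Logstash debug logging it is worth checking the PKI material itself. The script below is an added example (not from the original post or from Elastic): check_pki verifies that the client certificate chains to the CA file the server is configured with, that the private key belongs to that certificate, and reports the key encoding; make_sample_pki builds a constructed throwaway CA and client pair so the script runs stand-alone (the file names and the "Sample Root CA" subject are made up for the demo).

```shell
#!/bin/sh
# Added diagnostic for the Filebeat <-> Logstash mutual-TLS setup above.
# Usage: check_pki CA_FILE CERT_FILE KEY_FILE ; returns 0 only if all checks pass.
set -u

check_pki() {
  ca="$1"; cert="$2"; key="$3"; rc=0
  # 1. Does the certificate chain to the CA bundle the server trusts? A client cert
  #    issued by an intermediate whose cert is absent from ca.pem fails here.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain: OK ($cert verifies against $ca)"
  else
    echo "chain: FAIL - $cert does not chain to $ca"; rc=1
  fi
  # 2. Does the private key match the certificate's public key?
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
  if [ -n "$certpub" ] && [ "$certpub" = "$keypub" ]; then
    echo "keypair: OK (key matches cert)"
  else
    echo "keypair: FAIL - $key does not match $cert"; rc=1
  fi
  # 3. Report the key encoding (informational): Logstash wants PKCS#8.
  if grep -q 'BEGIN PRIVATE KEY' "$key"; then
    echo "keyformat: PKCS#8 (unencrypted)"
  elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
    echo "keyformat: PKCS#8 (encrypted, passphrase required)"
  else
    echo "keyformat: traditional PEM (e.g. PKCS#1); convert with 'openssl pkcs8 -topk8'"
  fi
  return $rc
}

# Constructed sample PKI: a throwaway root CA, a client cert it signs,
# and an unrelated key to exercise the mismatch case.
make_sample_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Sample Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=filebeat" \
    -keyout "$dir/client.key" -out "$dir/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/client.pem" -days 1 >/dev/null 2>&1
  openssl genpkey -algorithm RSA -out "$dir/other.key" >/dev/null 2>&1
}
```

Run it against the real files with `check_pki /pki/ca.pem /pki/client.pem /pki/client.key` on the Filebeat side and with the server cert and key on the Logstash side; a FAIL on either check explains the alert without any server-side logging.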