[Need help] Error when installing winlogbeat on Windows Server 2012 R2

Hello everyone

I need help debugging what is actually going on. I am installing winlogbeat as mentioned in the documentation (www.elastic.co/guide/en/beats/winlogbeat/7.10/winlogbeat-installation-configuration.html).
Then I download my http.p12 cert and install it by double-clicking it in Windows (I install it for current user and local machine).

The error I get is: Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.200.169:9200: Get "https://192.168.200.169:9200": x509: certificate is valid for 192.168.200.169, not 192.168.200.169]

My elastic machine is running on 192.168.200.169. I tried adding the hostname in the Windows hosts file and generating different types of certs, but I still get the same error.

On Windows Server 2016+ it is working without any kind of problem.

Does someone know what the issue is?

I suspect the issue is that your certificate does not contain an IP Subject Alternative Name field. I think when you connect via an IP the server cert must have a SAN value for that IP.

Upon creating the certificate I make sure the host and IP info is correct.

Then I would use Wireshark to capture and analyze the TLS handshake from the wire. This might reveal some additional details about the error.

I would also use

openssl s_client -connect 192.168.200.169:9200 -showcerts

to look at the server's response and certs. Then check the returned leaf cert with openssl x509 -text -noout to verify the presence of "IP Address" in X509v3 Subject Alternative Name:. Like

            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:xx.consul, DNS:xy.consul, DNS:xyz, IP Address:127.0.0.1, IP Address:10.3.12.34

The DNS is correct, as well as the IP addresses. I tried experimenting with the values and got to the point where it displays NO error message but still does not send any information whatsoever.

The issue was solved after putting both my domain name and the IP as hostnames and then again entering only the IP for IPs.
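
The SAN check suggested in the replies above, written as a script. This is an added example, not part of any post in the thread. It reads `openssl x509 -text -noout` output and reports whether a given IP appears as an "IP Address" entry, as a "DNS" entry, or both, which are the two placements the thread ends up using. The helper name `san_check`, the hostname `elastic.example.internal` and the sample certificate text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Constructed sample: the SAN part of `openssl x509 -text -noout`
# output for a certificate that lists the IP both as a DNS name and as an IP.
# elastic.example.internal is a placeholder hostname.
SAMPLE_BOTH='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:elastic.example.internal, DNS:192.168.200.169, IP Address:192.168.200.169
            X509v3 Basic Constraints: 
                CA:FALSE'

# san_check IP  (hypothetical helper; certificate text on stdin)
# Prints ip+dns, ip-only, dns-only, absent or no-san.
# Returns 0 if an "IP Address" entry matches, 1 if not, 2 if there is no SAN.
san_check() {
    want=$1; found=0; entries=''; has_ip=0; has_dns=0
    # The SAN entries are on the line after the extension header.
    while IFS= read -r line; do
        if [ "$found" -eq 1 ]; then entries=$line; break; fi
        case $line in *"X509v3 Subject Alternative Name:"*) found=1 ;; esac
    done
    if [ "$found" -eq 0 ]; then echo no-san; return 2; fi
    rest=$entries
    while [ -n "$rest" ]; do
        entry=${rest%%,*}                      # next comma-separated entry
        case $rest in *,*) rest=${rest#*,} ;; *) rest='' ;; esac
        entry=${entry#"${entry%%[! ]*}"}       # trim leading spaces
        entry=${entry%"${entry##*[! ]}"}       # trim trailing spaces
        kind=${entry%%:*}                      # "DNS" or "IP Address"
        value=${entry#*:}                      # everything after the first colon
        if [ "$value" = "$want" ]; then
            case $kind in
                "IP Address") has_ip=1 ;;
                DNS) has_dns=1 ;;
            esac
        fi
    done
    case $has_ip$has_dns in
        11) echo ip+dns ;;
        10) echo ip-only ;;
        01) echo dns-only; return 1 ;;
        *)  echo absent; return 1 ;;
    esac
}

printf '%s\n' "$SAMPLE_BOTH" | san_check 192.168.200.169   # prints ip+dns
```

Against a live server, pipe the leaf certificate in with `openssl s_client -connect 192.168.200.169:9200 -showcerts </dev/null | openssl x509 -text -noout | san_check 192.168.200.169`.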