[Need help] Error when installing winlogbeat on Windows Server 2012 R2

lachezar.uzunov · December 22, 2020, 8:57am

Hello everyone

I need help debugging what is actually going on. I am installing winlogbeat as mentioned in the documentation (www.elastic.co/guide/en/beats/winlogbeat/7.10/winlogbeat-installation-configuration.html).
Then I download my http.p12 cert and install it using windows double click (I install it for current user and local machine)

The error I get is: Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.200.169:9200: Get "https://192.168.200.169:9200": x509: certificate is valid for 192.168.200.169, not 192.168.200.169]

My elastic machine is with running on 192.168.200.169. I tried adding the hostname in windows hosts file, generating different types of certs but still get the same error.

On windows server 2016+ it is working without any kind of problem.

Do someone know what the issue is?

andrewkroh · December 22, 2020, 2:05pm

I suspect the issue is that your certificate does not contain an IP Subject Alternative Name field. I think when you connect via an IP the server cert must have a SAN value for that IP.

lachezar.uzunov · December 22, 2020, 2:26pm

Upon creating the certificate I make sure the host and IP info is correct.

andrewkroh · December 22, 2020, 3:06pm

Then I would use Wireshark to capture and analyze the TLS handshake from the wire. This might reveal some additional details about the error.

I would also use

openssl s_client -connect 192.168.200.169:9200 -showcerts

to look at the server's response and certs. Then check the returned leaf cert with openssl x509 -text -noout to verify the presence of "IP Address" in X509v3 Subject Alternative Name:. Like

            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:xx.consul, DNS:xy.consul, DNS:xyz, IP Address:127.0.0.1, IP Address:10.3.12.34

lachezar.uzunov · January 4, 2021, 7:19am

The DNS is correct, as well as the IP addresses, I tried experimenting with the values and got to the point where it displays NO error message but still do not send any information what so ever.

lachezar.uzunov · January 7, 2021, 7:00am

The issue was solved after putting both my domain name and the ip as hostnames and then again enter only the ip for IPs