[Need help] Error when installing winlogbeat on Windows Server 2012 R2

lachezar.uzunov · December 22, 2020, 8:57am

Hello everyone

I need help debugging what is actually going on. I am installing winlogbeat as mentioned in the documentation (www.elastic.co/guide/en/beats/winlogbeat/7.10/winlogbeat-installation-configuration.html).
Then I download my http.p12 cert and install it using windows double click (I install it for current user and local machine)

The error I get is: Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.200.169:9200: Get "https://192.168.200.169:9200": x509: certificate is valid for 192.168.200.169, not 192.168.200.169]

My elastic machine is with running on 192.168.200.169. I tried adding the hostname in windows hosts file, generating different types of certs but still get the same error.

On windows server 2016+ it is working without any kind of problem.

Do someone know what the issue is?

andrewkroh · December 22, 2020, 2:05pm

I suspect the issue is that your certificate does not contain an IP Subject Alternative Name field. I think when you connect via an IP the server cert must have a SAN value for that IP.

lachezar.uzunov · December 22, 2020, 2:26pm

Upon creating the certificate I make sure the host and IP info is correct.

andrewkroh · December 22, 2020, 3:06pm

Then I would use Wireshark to capture and analyze the TLS handshake from the wire. This might reveal some additional details about the error.

I would also use

openssl s_client -connect 192.168.200.169:9200 -showcerts

to look at the server's response and certs. Then check the returned leaf cert with openssl x509 -text -noout to verify the presence of "IP Address" in X509v3 Subject Alternative Name:. Like

            X509v3 Subject Alternative Name: 
                DNS:localhost, DNS:xx.consul, DNS:xy.consul, DNS:xyz, IP Address:127.0.0.1, IP Address:10.3.12.34

lachezar.uzunov · January 4, 2021, 7:19am

The DNS is correct, as well as the IP addresses, I tried experimenting with the values and got to the point where it displays NO error message but still do not send any information what so ever.

lachezar.uzunov · January 7, 2021, 7:00am

The issue was solved after putting both my domain name and the ip as hostnames and then again enter only the ip for IPs

system · February 4, 2021, 9:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat setup error: x509 certificate is valid for <ip>, not <same ip> Beats winlogbeat	7	930	May 11, 2021
Winlogbeat error connecting to Elasticsearch at https://ip:9200: Get "https://ip:9200": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority cert Beats winlogbeat	1	674	July 27, 2022
Certificate Error When Setting Up Winlogbeat Beats winlogbeat	3	433	July 27, 2022
How to connect Winlogbeat to Elasticsearch dockrized Cluster using SSL? Beats elastic-stack-security , docker , winlogbeat	2	628	March 24, 2021
Winlog beat set up returning the following error Elasticsearch elastic-stack-security , docker	2	879	February 21, 2022

[Need help] Error when installing winlogbeat on Windows Server 2012 R2

Related topics