OpenSSL::SSL::SSLError: Received fatal alert: unknown_ca


(Ben) #1

Hello all,
First off - Thanks for LogStash :thumbsup:
I am looking for help in solving the error (see title) from my /var/log/logstash/logstash-plain.log log (when debug enabled)
I have an SSL cert from LetsEncrypt and have the following config:

input {
    tcp {
        ....
        ssl_enable => true
        ssl_cert   => "/certs/cert.pem"
        ssl_key    => "/certs/privkey.pem"
        ssl_extra_chain_certs  => [ "/certs/fullchain.pem" ]
        ssl_verify => false
    }
}

I have done a fair amount of googling and found a few issues from the older github repos, but nothing seems to help.
I think the problem is found with openssl - see last line of the following terminal snippet

$ openssl s_client -connect logstash.autoenrolment.co.uk:6514

CONNECTED(00000003)
depth=0 CN = logstash.autoenrolment.co.uk
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = logstash.autoenrolment.co.uk
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=logstash.autoenrolment.co.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
subject=/CN=logstash.autoenrolment.co.uk
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1836 bytes and written 473 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 5878C76446C94D51C018A8780D91EC897F78C470E2CF8ECDA80DC28838256702
    Session-ID-ctx:
    Master-Key: CAABC3F88FF12584FAFF3BCB92091A9A007D9C4B8AE8A5BE931E1A880AD5C996D4149E285F785F7A6A0BA05A26A54385
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484310372
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

I wondered if anyone here would be kind enough to offer any little bit of advice that might help me resolve my issue.
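The `openssl s_client` output above lists a single certificate under "Certificate chain" (depth 0, issued by Let's Encrypt Authority X3), so the listener is sending only the leaf certificate. The following is an added example, not part of the original post: it parses that section and reports which issuer a verifying client would have to find in its own trust store. Both sample inputs are constructed; the first is taken from the post's output, and the second (intermediate included, with DST Root CA X3 as its issuer) is an assumption about what a complete chain would look like.

```python
import re

# Constructed from the s_client output in the post (certificate body omitted).
LEAF_ONLY = """\
Certificate chain
 0 s:/CN=logstash.autoenrolment.co.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed (assumption): the same section when the intermediate is sent too.
WITH_INTERMEDIATE = """\
Certificate chain
 0 s:/CN=logstash.autoenrolment.co.uk
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
    Verify return code: 0 (ok)
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] for each certificate the server sent."""
    chain, in_chain = [], False
    for line in text.splitlines():
        if line.startswith("Certificate chain"):
            in_chain = True
        elif in_chain and line.startswith("---"):
            break
        elif in_chain and (m := re.match(r"\s*\d+ s:(.*)", line)):
            chain.append([m.group(1).strip(), None])
        elif in_chain and chain and (m := re.match(r"\s*i:(.*)", line)):
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def diagnose(text):
    """Summarise what was sent and which issuer the client must already trust."""
    chain = parse_chain(text)
    sent = {subject for subject, _ in chain}
    # An issuer that is not self-signed and not in the chain must be found locally.
    needed = [i for s, i in chain if i != s and i not in sent]
    code = re.search(r"Verify return code: (\d+)", text)
    return {
        "certs_sent": len(chain),
        "leaf_only": len(chain) == 1 and bool(needed),
        "must_be_trusted_locally": needed,
        "verify_code": int(code.group(1)) if code else None,
    }
```

When `leaf_only` is true and the name in `must_be_trusted_locally` is an intermediate CA rather than a root, a client whose trust store holds only roots cannot build a path to the leaf.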

