PKI between Logstash and Winlogbeat

I am having a frustrating problem with setting up PKI between Logstash and Winlogbeat. I have tried two (X-Pack, EASY-RSA) methods both successfully creating a CA, Private and Public Key, however both result in the same error message:

https://image.prntscr.com/image/2cQsMxx-SuCnTr-CHhD7Aw.png

Here is what I have done:

############################# METHOD 1 #############################
Connect to Elasticsearch node01

/usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
/usr/share/elasticsearch/bin/x-pack/certgen

logstash1
logstash1
192.168.20.18
logstash1.jedi.local

DC1
DC1
192.168.20.52
DC1.jedi.local

cp /etc/elasticsearch/x-pack/certificate-bundle.zip /home/user/
chown user /home/user/certificate-bundle.zip
#SCP/Copy file to Logstash1 and Winlogbeat (Just ignore the security implications with copying everything for now)
rm /home/user/certificate-bundle.zip

#Download and Upload to Logstash1 and DC1
cd /home/user
mkdir -p /etc/logstash/ssl
chown root:root /home/user/*
mv /home/user/* /etc/logstash/ssl

ls /etc/logstash/ssl
ca.crt
ca.key
logstash1.crt
logstash1.key

nano /etc/logstash/conf.d/inputConfig.conf (Showing relevant part of log)

Winlogbeat / Filebeat

beats {
port => 5044
type => "%{[@metadata][beat]}"
ssl => true
ssl_certificate_authorities => ["/etc/logstash/ssl/ca.crt"]
ssl_certificate => "/etc/logstash/ssl/Logstash1.crt"
ssl_key => "/etc/logstash/ssl/Logstash1.key"
ssl_verify_mode => "force_peer"
}

service logstash restart

#Download and Upload to DC1
#Copy to certs to correct directory

dir C:\Winlogbeat\ssl
ca.crt
DC1.crt
DC1.key

Edit (Showing relevant part of log)
C:\Winlogbeat

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

ssl.certificate_authorities: ["C:/Winlogbeat/ssl/ca.crt"]

Certificate for SSL client authentication

ssl.certificate: "C:/Winlogbeat/ssl/DC1.crt"

Client Certificate Key

ssl.key: "C:/Winlogbeat/ssl/DC1.key"

winlogbeat -c winlogbeat.yml -e -v

Both Winlogbeat and Logstash start fine, but Logstash reports a certificate error.

####################################################################

############################# METHOD 2 #############################

Traditional EASY-RSA Method, the most ideal method. Revoking and adding certs etc...

  • Client and Server must have the same time, use ntp server side

  • ca.crt = Server Certificate

  • user1.crt = User Certificate

  • user1.key = User Key

  • ca.crt - This is the CA certificate

  • index.txt - This is the "master database" of all issued certs

  • serial - Stores the next serial number (serial numbers increment)

  • private/ca.key - This is the CA private key (security-critical)

  • certs_by_serial/ - dir with all CA-signed certs by serial number

  • issued/ - dir with issued certs by commonName

cd /etc/logstash/
git clone https://github.com/OpenVPN/easy-rsa.git

mv /etc/logstash/easy-rsa/easyrsa3 /etc/logstash/
rm -r /etc/logstash/easy-rsa
cd /etc/logstash/easyrsa3
chmod +x easyrsa
cp vars.example vars

echo '' >> /etc/logstash/easyrsa3/vars
echo '#Custom Variables' >> /etc/logstash/easyrsa3/vars

echo 'set_var EASYRSA "$PWD"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_OPENSSL "openssl"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_PKI "$EASYRSA/pki"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_DN "cn_only"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_COUNTRY "GB"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_PROVINCE "England"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_CITY "London"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_ORG "Certificate Authority"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_EMAIL "hello@acme.com"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_OU "SOC"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_KEY_SIZE 4096' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_CA_EXPIRE 9999' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_CERT_EXPIRE 9999' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_REQ_CN "SOC"' >> /etc/logstash/easyrsa3/vars
echo 'set_var EASYRSA_DIGEST "sha512"' >> /etc/logstash/easyrsa3/vars

#Generate CA
./easyrsa init-pki
./easyrsa build-ca
**ENTER SECURE PASSWORD - New certificate signing requires this password
**CN = ca

Generate Server Cert

./easyrsa gen-req server nopass
./easyrsa sign-req server server

Unknown but do it

./easyrsa gen-dh

Generate Client Cert

./easyrsa gen-req DC1 nopass
./easyrsa sign-req client DC1

#Certificate is to be certified until Dec 7 21:30:31 2044 GMT (9999 days) - Yeah, 9999, just ignore that for now

cp /etc/logstash/easyrsa3/pki/ca.crt /etc/logstash/ssl/
cp /etc/logstash/easyrsa3/pki/private/server.key /etc/logstash/ssl/
cp /etc/logstash/easyrsa3/pki/issued/server.crt /etc/logstash/ssl/

nano /etc/logstash/conf.d/inputConfig.conf

Winlogbeat / Filebeat

beats {
port => 5044
type => "%{[@metadata][beat]}"
ssl => true
ssl_certificate_authorities => ["/etc/logstash/ssl/ca.crt"]
ssl_certificate => "/etc/logstash/ssl/server.crt"
ssl_key => "/etc/logstash/ssl/server.key"
ssl_verify_mode => "force_peer"
}

cp /etc/logstash/easyrsa3/pki/ca.crt /home/user
cp /etc/logstash/easyrsa3/pki/private/DC1.key /home/user
cp /etc/logstash/easyrsa3/pki/issued/DC1.crt /home/user

chown user /home/user/*
#COPY Files to Winlogbeat
rm /home/user/*.crt
rm /home/user/*.key

dir C:\Winlogbeat\ssl
ca.crt
DC1.crt
DC1.key

Edit (Showing relevant part of log)
C:\Winlogbeat

Optional SSL. By default is off.

List of root certificates for HTTPS server verifications

ssl.certificate_authorities: ["C:/Winlogbeat/ssl/ca.crt"]

Certificate for SSL client authentication

ssl.certificate: "C:/Winlogbeat/ssl/DC1.crt"

Client Certificate Key

ssl.key: "C:/Winlogbeat/ssl/DC1.key"

######################################################################

The error message is telling you the problem, but you need to know some fairly low level details about PKI to be able to interpret it.

Looks like you either have an invalid key or your private key was not in PKCS8 format.

Certgen generates keys in PKCS#1 format, but logstash requires keys in PKCS#8 format.

I assume easy-rsa does the same. That makes sense from the name, as PKCS#1 keys are always RSA keys, but PKCS#8 keys can use other algorithms.

If you have access to openssl you can turn a PKCS#1 key into a PKCS#8 key with:

openssl pkcs8 -topk8 -in logstash1.key -out logstash1-p8.key

Hi Tim,
Thanks for that but I'm still having an issue. It appears that Logstash only has a problem with the certificate not the private keys.

[2017-02-23T12:24:01,573][ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid certificates: /etc/logstash/ssl/server.crt}

The ca.key and server.key were converted successfully. Appended _p8 to name.

It looks like that command is only useful for private keys. Is there an equivalent for certificates?

openssl pkcs8 -topk8 -in server.crt -out server_p8.crt
unable to load key
140380844369152:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY
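The two failure modes raised in this thread, a private key in PKCS#1 rather than PKCS#8 form and a certificate file in which Logstash finds no certificate, can both be checked on the files themselves before they are copied between hosts. The script below is an added example, not code posted in the thread or shipped with Logstash, Winlogbeat, certgen or easy-rsa. It lists the PEM blocks in a file, names the format of each (the BEGIN label is what distinguishes a PKCS#1 "RSA PRIVATE KEY" from a PKCS#8 "PRIVATE KEY"), checks that each body decodes to DER, and flags two things that turn a valid certificate into one a strict parser may reject: human-readable text ahead of the PEM block (easy-rsa's issued/*.crt files carry the openssl text dump there) and CRLF line endings picked up on a Windows round trip. `extract_pem` rewrites a file as bare PEM blocks with LF endings. The function names are my own, and the sample data is constructed: the bodies are a 5-byte DER dummy, not a real certificate or key.

```python
"""Inspect PEM files before handing them to Logstash or Winlogbeat.

Added example for the thread above; not project code. Function names
(inspect_pem, key_format, extract_pem) are assumed, and the sample inputs
at the bottom are constructed dummies, not real certificates or keys.
"""
import base64
import binascii
import re

# One PEM block: the END label must repeat the BEGIN label; body captured lazily.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)

# What each PEM label means for the Logstash beats input / Beats client.
LABEL_INFO = {
    "RSA PRIVATE KEY": "PKCS#1 RSA key: convert with 'openssl pkcs8 -topk8'",
    "EC PRIVATE KEY": "SEC1 EC key: convert with 'openssl pkcs8 -topk8'",
    "PRIVATE KEY": "PKCS#8 key (the form Logstash expects)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 key, password-protected",
    "CERTIFICATE": "X.509 certificate",
    "CERTIFICATE REQUEST": "CSR, not a certificate; never valid as ssl_certificate",
}


def key_format(text):
    """Classify the first private key in `text`: 'PKCS#1', 'SEC1', 'PKCS#8',
    'PKCS#8-encrypted', or None when the file holds no private key at all."""
    for label, _body in PEM_BLOCK.findall(text):
        if label == "RSA PRIVATE KEY":
            return "PKCS#1"
        if label == "EC PRIVATE KEY":
            return "SEC1"
        if label == "PRIVATE KEY":
            return "PKCS#8"
        if label == "ENCRYPTED PRIVATE KEY":
            return "PKCS#8-encrypted"
    return None


def inspect_pem(text):
    """Return a dict describing what a PEM file really contains."""
    report = {"blocks": [], "preamble": False, "crlf": "\r\n" in text, "problems": []}
    matches = list(PEM_BLOCK.finditer(text))
    if not matches:
        report["problems"].append("no PEM block found (wrong file, or BEGIN/END labels differ)")
        return report
    # Non-whitespace text before the first block, e.g. easy-rsa's certificate dump.
    if text[: matches[0].start()].strip():
        report["preamble"] = True
    for m in matches:
        label, body = m.group(1), m.group(2)
        entry = {"label": label, "meaning": LABEL_INFO.get(label, "unknown PEM type"), "der_ok": False}
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            # Certificates, PKCS#1, PKCS#8 and DH params all start with a DER SEQUENCE (0x30).
            entry["der_ok"] = len(der) > 0 and der[0] == 0x30
        except (binascii.Error, ValueError):
            pass
        if not entry["der_ok"]:
            report["problems"].append(f"{label}: body is not valid base64-encoded DER")
        report["blocks"].append(entry)
    return report


def extract_pem(text, labels=("CERTIFICATE",)):
    """Return only the blocks with the given labels, re-wrapped at 64 columns
    with LF line endings and no preamble: the form every PEM parser accepts."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) in labels:
            body = "".join(m.group(2).split())
            lines = [body[i:i + 64] for i in range(0, len(body), 64)]
            out.append(f"-----BEGIN {m.group(1)}-----\n" + "\n".join(lines)
                       + f"\n-----END {m.group(1)}-----\n")
    return "".join(out)


# Constructed sample data: a 5-byte DER SEQUENCE stands in for a real body.
FAKE_DER = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
EASYRSA_STYLE_CRT = ("Certificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n"
                     "-----BEGIN CERTIFICATE-----\r\n" + FAKE_DER + "\r\n-----END CERTIFICATE-----\r\n")
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\n" + FAKE_DER + "\n-----END RSA PRIVATE KEY-----\n"
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\n" + FAKE_DER + "\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="ascii", errors="replace") as fh:
            text = fh.read()
        rep = inspect_pem(text)
        print(f"{path}: key format={key_format(text)}, preamble={rep['preamble']}, crlf={rep['crlf']}")
        for b in rep["blocks"]:
            print(f"  {b['label']}: {b['meaning']} (DER ok: {b['der_ok']})")
        for p in rep["problems"]:
            print("  PROBLEM:", p)
```

Run it as `python3 pemcheck.py /etc/logstash/ssl/server.crt /etc/logstash/ssl/server.key` (the script name is hypothetical) on the Logstash host and again on the Windows copies; a key reported as PKCS#1 is the case Tim's `openssl pkcs8 -topk8` command addresses, and a certificate file with `preamble=True` or `crlf=True` is worth rewriting with `extract_pem` before blaming the CA. The check only says whether the file is well-formed PEM; whether the certificate chains to `ca.crt` and matches the key is still a job for `openssl verify` and a key/certificate modulus comparison.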

Bump. Still need some help.
