Problem metricbeat with ssl

Hi. I enabled SSL for Elasticsearch. The Elasticsearch config is:

cluster.name: es-cluster
path.data: /es-data/elasticsearch
path.logs: /var/log/elasticsearch
http.host: 0.0.0.0
network.host: 0
cluster.initial_master_nodes: 127.0.0.1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"

and I enabled the elasticsearch-xpack module for Metricbeat, with this config:

- module: elasticsearch
  xpack.enabled: true
  period: 10s
  hosts: ["https://Es-ip:9200"]
  username: "user"
  password: "pass"
  ssl.certificateAuthorities: [ "/etc/metricbeat/elasticsearch-ca.pem" ]

But I have this error:

Dec 09 15:07:39 Es metricbeat[5372]: 2020-12-09T15:07:39.020+0330        INFO        module/wrapper.go:259        Error fetching data for metricset elasticsearch.cluster_stats: error determining if connected Elasticsearch node is master: error making http request: Get "https://Es-ip:9200/_nodes/_local/nodes": x509: cannot validate certificate for Es-ip because it doesn't contain any IP SANs
Dec 09 15:07:39 Es metricbeat[5372]: 2020-12-09T15:07:39.021+0330        INFO        module/wrapper.go:259        Error fetching data for metricset elasticsearch.index: error determining if connected Elasticsearch node is master: error making http request: Get "https://Es-ip:9200/_nodes/_local/nodes": x509: cannot validate certificate for Es-ip because it doesn't contain any IP SANs
Dec 09 15:07:39 Es metricbeat[5372]: 2020-12-09T15:07:39.021+0330        INFO        module/wrapper.go:259        Error fetching data for metricset elasticsearch.enrich: error determining if connected Elasticsearch node is master: error making http request: Get "https://Es-ip:9200/_nodes/_local/nodes": x509: cannot validate certificate for Es-ip because it doesn't contain any IP SANs
Dec 09 15:07:39 Es metricbeat[5372]: 2020-12-09T15:07:39.024+0330        INFO        module/wrapper.go:259        Error fetching data for metricset elasticsearch.node_stats: error making http request: Get "https://Es-ip:9200/_nodes/_local/stats": x509: cannot validate certificate for Es-ip because it doesn't contain any IP SANs

Where did I go wrong?
Thanks.

Hi there - a SAN on a certificate is a Subject Alternate Name. In this case an IP SAN would probably indicate that the cert validation routine was looking to confirm the IP addr of the target of the certificate.

You'll likely need to update your certificate. Check out this article which explains a similar setup issue with someone doing logstash with a locally created certificate.

https://serverfault.com/questions/611120/failed-tls-handshake-does-not-contain-any-ip-sans
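
The check behind the error in the log, as an added example (not part of the original posts and not Metricbeat's own code): Go's `crypto/x509` matches an IP address in the URL only against IP SANs, never against DNS names or the CN. The address `192.0.2.10`, the name `es-node.example` and the helpers `selfSigned` and `checkHost` are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway certificate with the given SAN entries.
func selfSigned(dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "es-node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkHost applies the same name check a Go TLS client runs against
// the host part of the URL it connects to (the `hosts` entry here).
func checkHost(cert *x509.Certificate, host string) error {
	return cert.VerifyHostname(host)
}

func main() {
	ip := "192.0.2.10" // constructed documentation address, stands in for Es-ip
	dnsOnly, _ := selfSigned([]string{"es-node.example"}, nil)
	withIP, _ := selfSigned([]string{"es-node.example"}, []net.IP{net.ParseIP(ip)})
	fmt.Println("DNS-only cert, by IP:  ", checkHost(dnsOnly, ip))
	fmt.Println("DNS-only cert, by name:", checkHost(dnsOnly, "es-node.example"))
	fmt.Println("IP-SAN cert, by IP:    ", checkHost(withIP, ip))
}
```

The first line printed carries the same "doesn't contain any IP SANs" message as the Metricbeat log; the other two checks pass, which is why either reissuing the certificate with the node's IP as a SAN or pointing `hosts` at a DNS name the certificate already lists resolves it.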
