Problem with cipher not available

Hi,

I have a problem with logstash 5.3.3. When I start Logstash, the following error is generated:

Pipeline aborted due to error {:exception=>#<LogStash::ConfigurationError: Cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 is not available>

I've already tried the solution from "Problem with cipher in beat input", but
it does not work for me.

This is my logstash config:

input {
  beats {
    type => beats
    port => 5044
    ssl => true
    ssl_certificate_authorities => [***]
    ssl_certificate => ***
    ssl_key => ***
    ssl_verify_mode => "force_peer"
  }
}

Do you have an idea?

Thank you for your help !

Hello;

Have you tried debug logging? If yes,

  1. Look through those debug logs for "-Dio.netty.tmpdir" to confirm what directory netty is using.
  2. Look for "netty-tcnative not in the classpath" to see if it is the same issue as Problem with cipher in beat input (on 5.x) or Beats plugin will not start with "cipher not found" (on 6.x)

BTW, I don't have a solution; the second issue (on 6.x) is mine, but no responses yet.

Thanks!

FWIW, I did a bare-metal rebuild on the logstash server, and the issue is gone...

So for you, what was the problem?

Unfortunately, I have no idea. I was out of ideas, and needed the multiple pipelines of 6.x so I tried the rebuild and it worked.

Sorry I can't be of more assistance.

I'm having the same issue with Logstash v6.2.1 on OL7 (same as RHEL7 & Centos7). I've recently updated from v5.6.2. I've also recently switched from the Oracle JRE to OpenJDK (headless).

openjdk version "1.8.0_161"
OpenJDK Runtime Environment (build 1.8.0_161-b14)
OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)

I've noticed the following entry in the Logstash debug logs:

[DEBUG][io.netty.handler.ssl.OpenSsl] netty-tcnative not in the classpath; OpenSslEngine will be unavailable.

Is it normal for Logstash to output that line? Is my java install broken?? (EDIT: I just removed and re-installed java, and LS is still broken)

My netty tmp dir is /tmp

[DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.tmpdir: /tmp (java.io.tmpdir)

/tmp is the same volume as /, so execution of code IS allowed.

/dev/mapper/ol-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Also, running inotifywait against /tmp shows ZERO activity in there while logstash is starting up. Hmmm..

I have a feeling that completely rebuilding the box would fix the issue, but I'm keen to fix it rather than admit defeat. :)

I have completely rebuilt my system and am running into the same issue. :(

I can confirm that it's version 5.0.6 and above of the logstash-input-beats plugin that has introduced this issue. If you remove the plugin and re-install the older version, things will work. I suggest this as a temporary workaround.

E.g., as root, run the following:

systemctl stop logstash
mv /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-input-beats-5.0.6-java /tmp
sudo -u logstash /usr/share/logstash/bin/logstash-plugin install --version 5.0.5 logstash-input-beats
systemctl start logstash

Now all should be good.

I can see that version 5.0.6 of the input included a more recent version of netty https://github.com/logstash-plugins/logstash-input-beats/blob/v5.0.6/CHANGELOG.md.

I'm guessing it's this commit that has introduced the issue. https://github.com/logstash-plugins/logstash-input-beats/commit/9911624aac5ca73df1b7bdc5f93668b120d5086e

Will investigate further.


Spent too long on this without any luck.. going to stick with Logstash 6.1.1 (which uses the older version of netty-tcnative) until a new version comes out that I can test with.

Cheers,
Nick

Also wasted hours with this problem after upgrading from 5.5.x to 6.2.2; tried openjdk, oracle java (also with Java Cryptography Extension (JCE) Unlimited Strength), different jvm options, modified cipher list in beats input... still got this error. The only thing that helped was downgrading logstash to 1:6.1.1-1

Thank you, downgrading logstash-input-beats to 5.0.5 got me back up and running.
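
The checks discussed in the replies above (the `-Dio.netty.tmpdir` line, the `netty-tcnative not in the classpath` warning, and whether the filesystem holding that tmpdir allows execution), as an added shell example that is not part of the original thread. The function names, the one-line output format and the sample files are constructed for illustration; the log lines and the root mount entry are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a Logstash debug log for the
# two markers the replies ask for, plus the exec state of netty's tmpdir.

# Print the directory logged as -Dio.netty.tmpdir (empty if the line is absent).
netty_tmpdir() {
    sed -n 's/.*-Dio\.netty\.tmpdir: \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Print the options of the mount holding directory $1, read from a table in
# /proc/mounts format ($2). The longest matching mount point wins.
mount_opts_for() {
    awk -v dir="$1" '
        { mp = $2; prefix = (mp == "/") ? "/" : mp "/"
          if ((dir == mp || index(dir "/", prefix) == 1) && length(mp) > best) {
              best = length(mp); opts = $4 } }
        END { print opts }' "$2"
}

# Usage: triage LOGFILE [MOUNTS_TABLE]   (MOUNTS_TABLE defaults to /proc/mounts)
triage() {
    log=$1; mounts=${2:-/proc/mounts}
    dir=$(netty_tmpdir "$log")
    [ -n "$dir" ] || { echo "no-tmpdir-line"; return 0; }
    case ",$(mount_opts_for "$dir" "$mounts")," in
        *,noexec,*) exec_state=noexec ;;
        *)          exec_state=exec-ok ;;
    esac
    if grep -q 'netty-tcnative not in the classpath' "$log"; then
        tc=tcnative-missing
    else
        tc=no-tcnative-warning
    fi
    echo "$dir $exec_state $tc"
}

# Constructed sample: the two debug lines quoted in the thread, and a mounts
# table holding the root entry quoted in the thread.
sample_dir=$(mktemp -d)
cat > "$sample_dir/logstash.log" <<'EOF'
[DEBUG][io.netty.util.internal.PlatformDependent] -Dio.netty.tmpdir: /tmp (java.io.tmpdir)
[DEBUG][io.netty.handler.ssl.OpenSsl] netty-tcnative not in the classpath; OpenSslEngine will be unavailable.
EOF
echo '/dev/mapper/ol-root / xfs rw,relatime,seclabel,attr2,inode64,noquota 0 0' > "$sample_dir/mounts"
triage "$sample_dir/logstash.log" "$sample_dir/mounts"   # /tmp exec-ok tcnative-missing
```

A result of `exec-ok tcnative-missing` matches what the thread reports: the tmpdir is executable, yet the native library is still not picked up, which points away from mount options and toward the plugin version.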
