Problem statement
Hi guys,
I receive the following error when trying to configure logstash client certificates:
[2018-12-10T22:10:32,949][ERROR][logstash.inputs.rabbitmq ] RabbitMQ connection error, will retry. {:error_message=>"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>"Java::JavaxNetSsl::SSLHandshakeException"}
Steps to reproduce:
- Build server from scratch with Java, Logstash, and a certificate signed by my own CA
- Create PKCS12 certificate:
    openssl pkcs12 -export -out LOGSTASH-1.p12 -inkey LOGSTASH-1.key -in LOGSTASH-1.crt -passout pass:test
- Update trustStore:
    keytool -import -alias RMQ-master.cert -file /etc/logstash/RMQ-master.crt -keystore /opt/jre1.8.0_65/lib/security/cacerts -storepass changeit -v
- Start Logstash
Troubleshooting so far:
- Downgraded from JRE 8_0_191 to JRE 8_0_65
- Imported both ca.crt and RMQ-master.crt to trustStore
- Added ca.crt to p12 certificate
- Added RMQ-master.crt to p12 certificate
- Added the following to /etc/logstash/jvm.options:
    -Djavax.net.ssl.trustStore=/opt/jre1.8.0_65/lib/security/cacerts
    -Djavax.net.ssl.trustStorePassword=changeit
Nothing seems to be working. Can anyone help me figure out what I'm doing wrong?
- Logstash version: 6.5.2
- Operating System: AWS Linux
- Config File:
input {
  rabbitmq {
    id => "***"
    ack => true
    exchange => "***"
    exchange_type => "direct"
    queue => "***"
    key => "***"
    durable => true
    exclusive => false
    prefetch_count => 256
    user => "***"
    password => "Q***W"
    host => "rmq-master"
    port => 5671
    ssl => true
    ssl_version => "TLSv1.2"
    ssl_certificate_path => "/etc/logstash/LOGSTASH-1.p12"
    ssl_certificate_password => "test"
    passive => true
    vhost => "***"
    heartbeat => 60
    arguments => {
      "x-max-length" => "250000"
      "x-overflow" => "reject-publish"
    }
  }
}
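
Added example, not part of the original post: "PKIX path building failed" means Java could not build a chain from the certificate the server presented to any entry in its trust store, and the script below reproduces that check with openssl outside the JVM. All keys and certificates are constructed throwaway values; the names demo-ca, other-ca and the function names are assumptions made for the illustration.

```sh
#!/bin/sh
# Constructed demo PKI: throwaway keys and certificates, valid for one day.
# demo-ca stands in for the private CA, rmq-master for the broker certificate,
# other-ca for any CA that did not sign the broker certificate.

make_demo_pki() {   # $1 = directory to write the demo files into
  pki_dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
      -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
      -keyout "$pki_dir/other.key" -out "$pki_dir/other.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rmq-master" \
      -keyout "$pki_dir/server.key" -out "$pki_dir/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$pki_dir/server.csr" -days 1 \
      -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
      -out "$pki_dir/server.crt" 2>/dev/null
}

# Succeeds only if the certificate in $2 chains to a CA certificate in $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints the issuer of $1; it must match the subject of a trusted CA entry.
issuer_of() {
  openssl x509 -noout -issuer -in "$1"
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
issuer_of "$demo_dir/server.crt"
for ca in ca.crt other.crt; do
  if chain_ok "$demo_dir/$ca" "$demo_dir/server.crt"; then
    echo "$ca: server certificate chains to this CA"
  else
    echo "$ca: no path to this CA (what Java reports as PKIX path building failed)"
  fi
done
rm -rf "$demo_dir"
```

Against a real broker, the certificates actually presented on the TLS port can be captured with `openssl s_client -connect rmq-master:5671 -showcerts </dev/null` and passed to `chain_ok` together with the CA file that was imported into the trust store.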