Secured connection from Filebeat to Logstash (remote error: tls: handshake failure)

Hi,
I'm trying to configure tls for logstash and I'm getting the following error:

2020-08-19T11:56:29.340-0400    ERROR   [publisher_pipeline_output]     pipeline/output.go:106  Failed to connect to backoff(async(tcp://logstash.server.host:5044)): remote error: tls: handshake failure
2020-08-19T11:56:29.340-0400    INFO    [publisher_pipeline_output]     pipeline/output.go:99   Attempting to reconnect to backoff(async(tcp://logstash.server.host:5044)) with 6 reconnect attempt(s)

In the tcpdump all I can see is the following line:

6	0.047390	x.x.x.x	y.y.y.y	TLSv1.2	73	Alert (Level: Fatal, Description: Handshake Failure)

and its details are:

Alert Message- Level Fatal(2), Description: Handshake Failure(4)

Logstash input plugin is configured:

beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/logstash/logstash.crt"
        ssl_key => "/etc/pki/logstash/logstash.key"
        type => filebeat
  }

Filebeat.yml:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.server.host:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/filebeat/logstash.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

I generated logstash.key and logstash.crt using openssl and copied logstash.crt to Filebeat server (/etc/pki/filebeat/logstash.crt, as configured in filebeat.yml) according to this guide:
https://documentation.wazuh.com/3.8/installation-guide/installing-elastic-stack/elastic_ssl.html
Generated a couple of keys (with server IP, with server hostname, with -subj flag) and none of them worked.

A couple of notes:

  1. The flow works perfectly fine when I'm trying regular tcp send

  2. I tried it in systems without firewalls and/or proxies too, got the same error

  3. Testing the connection with curl -v --cacert /etc/pki/filebeat/logstash.crt https://logstash.server.host:5044 returned the following error:

    *   Trying 9.70.148.158... connected
    * Connected to logstash.server.host (y.y.y.y) port 5044 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/filebeat/logstash.crt
      CApath: none
    * NSS error -12286
    * Closing connection #0
    * SSL connect error
    curl: (35) SSL connect error
    
  4. Testing the connection with openssl s_client -connect logstash.server.host:5044 -CAfile /etc/pki/filebeat/logstash.crt returned the following error:

     CONNECTED(00000003)
     140704927352648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
     
     no peer certificate available
     
     No client certificate CA names sent
     
     SSL handshake has read 7 bytes and written 247 bytes
     
     New, (NONE), Cipher is (NONE)
     Secure Renegotiation IS NOT supported
     Compression: NONE
     Expansion: NONE
    

I tried pretty much anything I can think of...
Do you have any suggestion of what might be the problem?

Thanks
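
The 7 bytes that openssl s_client reports reading are the size of a single TLS alert record (5-byte record header plus 2-byte alert). The following Python is an added example, not part of the original post: it decodes such a server reply and reports whether the server refused the ClientHello before sending a ServerHello or certificate. The sample bytes are constructed to match the capture described above, and the function names are illustrative.

```python
import struct

# Alert descriptions from RFC 5246 section 7.2 (subset relevant to handshakes).
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
LEVELS = {1: "warning", 2: "fatal"}


def parse_records(data: bytes):
    """Split raw bytes received from a TLS server into plaintext records."""
    records, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        body = data[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated record body at offset %d" % pos)
        rec = {"type": CONTENT.get(ctype, "unknown(%d)" % ctype),
               "version": (major, minor), "length": length}
        if ctype == 21 and length == 2:   # unencrypted alert: level + description
            rec["level"] = LEVELS.get(body[0], "unknown(%d)" % body[0])
            rec["alert"] = ALERTS.get(body[1], "unknown(%d)" % body[1])
        elif ctype == 22 and length >= 1:
            rec["handshake_type"] = body[0]   # 2 = ServerHello, 11 = Certificate
        records.append(rec)
        pos += 5 + length
    return records


def rejected_before_server_hello(data: bytes) -> bool:
    """True when the server's first record is a fatal alert, i.e. it refused
    the ClientHello and never sent a ServerHello or certificate."""
    recs = parse_records(data)
    return bool(recs) and recs[0]["type"] == "alert" and recs[0].get("level") == "fatal"


# Constructed sample: 7 bytes shaped like the alert in the post
# (record header 15 03 03 00 02, then level 2 = fatal, description 40).
SAMPLE_ALERT = bytes.fromhex("15030300020228")
# Constructed sample: stub of a normal reply (handshake record, type 2 = ServerHello).
SAMPLE_HELLO = bytes.fromhex("160303000402000000")

if __name__ == "__main__":
    print(parse_records(SAMPLE_ALERT), rejected_before_server_hello(SAMPLE_ALERT))
```

A reply that consists only of this alert means the failure happened during parameter negotiation, before any certificate was exchanged, which matches the "no peer certificate available" line in the s_client output.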
