Hi,
I'm trying to configure tls for logstash and I'm getting the following error:
2020-08-19T11:56:29.340-0400 ERROR [publisher_pipeline_output] pipeline/output.go:106 Failed to connect to backoff(async(tcp://logstash.server.host:5044)): remote error: tls: handshake failure
2020-08-19T11:56:29.340-0400 INFO [publisher_pipeline_output] pipeline/output.go:99 Attempting to reconnect to backoff(async(tcp://logstash.server.host:5044)) with 6 reconnect attempt(s)
In the tcpdump all I can see is the following line:
6 0.047390 x.x.x.x y.y.y.y TLSv1.2 73 Alert (Level: Fatal, Description: Handshake Failure)
and its details are:
Alert Message- Level Fatal(2), Description: Handshake Failure(4)
Logstash input plugin is configured:
beats {
  port => 5044
  ssl => true
  ssl_certificate => "/etc/pki/logstash/logstash.crt"
  ssl_key => "/etc/pki/logstash/logstash.key"
  type => filebeat
}
Filebeat.yml:
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.server.host:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/filebeat/logstash.crt"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
I generated logstash.key and logstash.crt using openssl and copied logstash.crt to Filebeat server (/etc/pki/filebeat/logstash.crt, as configured in filebeat.yml) according to this guide:
https://documentation.wazuh.com/3.8/installation-guide/installing-elastic-stack/elastic_ssl.html
Generated a couple of keys (with server IP, with server hostname, with -subj flag) and none of them worked.
A couple of notes:
- The flow works perfectly fine when I'm trying regular tcp send
- I tried it in systems without firewalls and/or proxies too, got the same error
- Testing the connection with
  curl -v --cacert /etc/pki/filebeat/logstash.crt https://logstash.server.host:5044
  returned the following error:
  * Trying 9.70.148.158... connected
  * Connected to logstash.server.host (y.y.y.y) port 5044 (#0)
  * Initializing NSS with certpath: sql:/etc/pki/nssdb
  * CAfile: /etc/pki/filebeat/logstash.crt
    CApath: none
  * NSS error -12286
  * Closing connection #0
  * SSL connect error
  curl: (35) SSL connect error
- Testing the connection with
  openssl s_client -connect logstash.server.host:5044 -CAfile /etc/pki/filebeat/logstash.crt
  returned the following error:
  CONNECTED(00000003)
  140704927352648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
  no peer certificate available
  No client certificate CA names sent
  SSL handshake has read 7 bytes and written 247 bytes
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
I tried pretty much anything I can think of...
Do you have any suggestion of what might be the problem?
Thanks
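
The `openssl s_client` output above reports that only 7 bytes were read, which is the size of one TLS record header (5 bytes) plus a two-byte alert. The following added example (not part of the original post; the sample bytes are constructed and the function names are illustrative) decodes such a reply and shows that the server sent no ServerHello or Certificate, so the client never reached the point of checking `logstash.crt`.

```python
import struct

# Constructed sample: the 7 bytes of a fatal handshake_failure alert sent over
# TLS 1.2. These bytes are built by hand, not captured from the poster's system.
SAMPLE_REPLY = bytes.fromhex("15030300020228")

HANDSHAKE, ALERT = 22, 21          # TLS record content types (RFC 5246)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined in RFC 5246, section 7.2
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

def parse_records(data):
    """Split a byte stream into TLS records: (content_type, version, payload)."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        records.append((ctype, (major, minor), payload))
        offset += 5 + length
    return records

def summarize_reply(data):
    """Describe what the server sent in response to the ClientHello."""
    summary = {"bytes": len(data), "server_sent_handshake": False, "alerts": []}
    for ctype, _version, payload in parse_records(data):
        if ctype == HANDSHAKE:
            # A ServerHello (and later the Certificate) would arrive in such records.
            summary["server_sent_handshake"] = True
        elif ctype == ALERT and len(payload) == 2:
            level, desc = payload
            summary["alerts"].append((ALERT_LEVELS.get(level, level),
                                      ALERT_DESCRIPTIONS.get(desc, desc)))
    return summary

if __name__ == "__main__":
    # No handshake record in the reply means the server aborted before
    # presenting its certificate; client-side CA settings were never exercised.
    print(summarize_reply(SAMPLE_REPLY))
```

A reply like this points the investigation at the server side of the negotiation (protocol versions, cipher suites, and whether the listener could load its certificate and key) rather than at the CA file configured on the client.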