Secured connection from Filebeat to Logstash (remote error: tls: handshake failure)

Hi,
I'm trying to configure tls for logstash and I'm getting the following error:

2020-08-19T11:56:29.340-0400    ERROR   [publisher_pipeline_output]     pipeline/output.go:106  Failed to connect to backoff(async(tcp://logstash.server.host:5044)): remote error: tls: handshake failure
2020-08-19T11:56:29.340-0400    INFO    [publisher_pipeline_output]     pipeline/output.go:99   Attempting to reconnect to backoff(async(tcp://logstash.server.host:5044)) with 6 reconnect attempt(s)

In the tcpdump all I can see is the following line:

6	0.047390	x.x.x.x	y.y.y.y	TLSv1.2	73	Alert (Level: Fatal, Description: Handshake Failure)

and its details are:

Alert Message- Level Fatal(2), Description: Handshake Failure(4)

Logstash input plugin is configured:

beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/logstash/logstash.crt"
        ssl_key => "/etc/pki/logstash/logstash.key"
        type => filebeat
  }

Filebeat.yml:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.server.host:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/filebeat/logstash.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

I generated logstash.key and logstash.crt using openssl and copied logstash.crt to Filebeat server (/etc/pki/filebeat/logstash.crt, as configured in filebeat.yml) according to this guide:
https://documentation.wazuh.com/3.8/installation-guide/installing-elastic-stack/elastic_ssl.html
Generated a couple of keys (with server IP, with server hostname, with -subj flag) and none of them worked.

A couple of notes:

  1. The flow works perfectly fine when I'm trying regular tcp send

  2. I tried it in systems without firewalls and/or proxies too, got the same error

  3. Testing the connection with curl -v --cacert /etc/pki/filebeat/logstash.crt https://logstash.server.host:5044 returned the following error:

    *   Trying 9.70.148.158... connected
    * Connected to logstash.server.host (y.y.y.y) port 5044 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    *   CAfile: /etc/pki/filebeat/logstash.crt
      CApath: none
    * NSS error -12286
    * Closing connection #0
    * SSL connect error
    curl: (35) SSL connect error
    
  4. Testing the connection with openssl s_client -connect logstash.server.host:5044 -CAfile /etc/pki/filebeat/logstash.crt returned the following error:

     CONNECTED(00000003)
     140704927352648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
     
     no peer certificate available
     
     No client certificate CA names sent
     
     SSL handshake has read 7 bytes and written 247 bytes
     
     New, (NONE), Cipher is (NONE)
     Secure Renegotiation IS NOT supported
     Compression: NONE
     Expansion: NONE
    

I tried pretty much anything I can think of...
Do you have any suggestion of what might be the problem?

Thanks


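As an added example (not part of the original post): the `openssl s_client` output above reports 7 bytes read, which matches the size of a single TLS alert record (a 5-byte record header plus a level byte and a description byte). The Python below parses a server-to-client byte stream into TLS records and reports whether a ServerHello was seen before any alert; the sample bytes are constructed, with the record version assumed to be TLS 1.2 as in the tcpdump line, and the function names are hypothetical.

```python
import struct

# Alert descriptions from RFC 5246 section 7.2 (subset relevant to handshakes).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(stream: bytes):
    """Split a raw server-to-client byte stream into TLS records."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"not a TLS record (content type {ctype})")
        body = stream[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append((CONTENT_TYPES[ctype], (major, minor), body))
        offset += 5 + length
    return records


def summarize(stream: bytes):
    """Describe how far the server got before the connection ended."""
    summary = {"bytes": len(stream), "server_hello_seen": False, "alerts": []}
    for ctype, _version, body in parse_records(stream):
        if ctype == "handshake" and body[:1] == b"\x02":  # 2 = ServerHello
            summary["server_hello_seen"] = True
        elif ctype == "alert" and len(body) == 2:  # plaintext alert only
            level, desc = body
            summary["alerts"].append((ALERT_LEVELS.get(level, str(level)),
                                      ALERT_DESCRIPTIONS.get(desc, str(desc))))
    return summary


# Constructed sample: one alert record, fatal / handshake_failure, 7 bytes total.
SAMPLE = bytes.fromhex("15030300020228")

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `server_hello_seen` false and a single fatal alert means the server rejected the ClientHello before sending any certificate, which is consistent with the "no peer certificate available" line in the `s_client` output.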