Secured connection from FIlebeat to Logstash (remote error: tls: handshake failure)

ofer.h · August 19, 2020, 4:37pm

Hi,
I'm trying to configure tls for logstash and I'm getting the following error:

2020-08-19T11:56:29.340-0400    ERROR   [publisher_pipeline_output]     pipeline/output.go:106  Failed to connect to backoff(async(tcp://logstash.server.host:5044)): remote error: tls: handshake failure
2020-08-19T11:56:29.340-0400    INFO    [publisher_pipeline_output]     pipeline/output.go:99   Attempting to reconnect to backoff(async(tcp://logstash.server.host:5044)) with 6 reconnect attempt(s)

In the tcpdump all I can see is the following line:

6	0.047390	x.x.x.x	y.y.y.y	TLSv1.2	73	Alert (Level: Fatal, Description: Handshake Failure)

and it's details are:

Alert Message- Level Fatal(2), Description: Handshake Failure(4)

Logstash input plugin is configured:

beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/logstash/logstash.crt"
        ssl_key => "/etc/pki/logstash/logstash.key"
        type => filebeat
  }

Filebeat.yml:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.server.host:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/filebeat/logstash.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

I generated logstash.key and logstash.crt using openssl and copied logstash.crt to Filebeat server (/etc/pki/filebeat/logstash.crt, as configured in filebeat.yml) according to this guide:
https://documentation.wazuh.com/3.8/installation-guide/installing-elastic-stack/elastic_ssl.html
Generated a couple of keys (with server IP, with server hostname, with -subj flag) and none of them worked.

A couple of notes:

The flow works perfectly fine when I'm trying regular tcp send
I tried it in systems without firewalls and/or proxies too, got the same error

Testing the connection with curl -v --cacert /etc/pki/filebeat/logstash.crt > https://logstash.server.host:5044 returned the following error:

*   Trying 9.70.148.158... connected
* Connected to logstash.server.host (y.y.y.y) port 5044 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/filebeat/logstash.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Testing the connection with openssl s_client -connectlogstash.server.host:5044 -CAfile /etc/pki/filebeat/logstash.crt returned the following error:

 CONNECTED(00000003)
 140704927352648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
 
 no peer certificate available
 
 No client certificate CA names sent
 
 SSL handshake has read 7 bytes and written 247 bytes
 
 New, (NONE), Cipher is (NONE)
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE

I tried pretty much anything I can think of...
Do you have any suggestion of what might be the problem?

Thanks

system · September 16, 2020, 6:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.