Secured connection from FIlebeat to Logstash (remote error: tls: handshake failure)

ofer.h · August 19, 2020, 4:37pm

Hi,
I'm trying to configure tls for logstash and I'm getting the following error:

2020-08-19T11:56:29.340-0400    ERROR   [publisher_pipeline_output]     pipeline/output.go:106  Failed to connect to backoff(async(tcp://logstash.server.host:5044)): remote error: tls: handshake failure
2020-08-19T11:56:29.340-0400    INFO    [publisher_pipeline_output]     pipeline/output.go:99   Attempting to reconnect to backoff(async(tcp://logstash.server.host:5044)) with 6 reconnect attempt(s)

In the tcpdump all I can see is the following line:

6	0.047390	x.x.x.x	y.y.y.y	TLSv1.2	73	Alert (Level: Fatal, Description: Handshake Failure)

and it's details are:

Alert Message- Level Fatal(2), Description: Handshake Failure(4)

Logstash input plugin is configured:

beats {
        port => 5044
        ssl => true
        ssl_certificate => "/etc/pki/logstash/logstash.crt"
        ssl_key => "/etc/pki/logstash/logstash.key"
        type => filebeat
  }

Filebeat.yml:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.server.host:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/pki/filebeat/logstash.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

I generated logstash.key and logstash.crt using openssl and copied logstash.crt to Filebeat server (/etc/pki/filebeat/logstash.crt, as configured in filebeat.yml) according to this guide:
https://documentation.wazuh.com/3.8/installation-guide/installing-elastic-stack/elastic_ssl.html
Generated a couple of keys (with server IP, with server hostname, with -subj flag) and none of them worked.

A couple of notes:

The flow works perfectly fine when I'm trying regular tcp send
I tried it in systems without firewalls and/or proxies too, got the same error

Testing the connection with curl -v --cacert /etc/pki/filebeat/logstash.crt > https://logstash.server.host:5044 returned the following error:

*   Trying 9.70.148.158... connected
* Connected to logstash.server.host (y.y.y.y) port 5044 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/filebeat/logstash.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Testing the connection with openssl s_client -connectlogstash.server.host:5044 -CAfile /etc/pki/filebeat/logstash.crt returned the following error:

 CONNECTED(00000003)
 140704927352648:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
 
 no peer certificate available
 
 No client certificate CA names sent
 
 SSL handshake has read 7 bytes and written 247 bytes
 
 New, (NONE), Cipher is (NONE)
 Secure Renegotiation IS NOT supported
 Compression: NONE
 Expansion: NONE

I tried pretty much anything I can think of...
Do you have any suggestion of what might be the problem?

Thanks

system · September 16, 2020, 6:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat to Logstash TLS handshake failure Beats filebeat	11	3998	April 26, 2017
Filebeat TLS connect to Logstash fails Beats filebeat	5	1539	July 5, 2017
Filebeat cannot connect to Logstash using ssl. curl: (35) TCP connection reset by peer Beats filebeat	3	1650	January 14, 2020
SSL for FIlebeat -> Logstash (remote error: tls: handshake failure) Beats filebeat	4	5548	March 16, 2017
Filebeat to Logstash over SSL Logstash	6	7747	April 6, 2018

Secured connection from FIlebeat to Logstash (remote error: tls: handshake failure)

Related Topics