SSL config to ignore validation


(Greg Sullivan) #1

I want to encrypt the data from Filebeat to Logstash using SSL but I don't want to enforce validating the certificate. Is that possible? I am trying to avoid generating/buying an SSL certificate for each Filebeat host.

If I remove the client certs from the config, Logstash denies the connection:
Exception: javax.net.ssl.SSLHandshakeException: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE
I have this entry in the conf file along with the other SSL settings:
ssl_verify_mode => none
Thoughts?


(Greg Sullivan) #2

I see there isn't any verification, so what I'm looking for is to not provide a client key on the Filebeat host.
So, um, never mind? I'm now trying to hide the key file; we want to deploy Filebeat at customer sites without providing the .key file. I guess I could password protect it?


(Tim Vernum) #3

Filebeat shouldn't need a key. You can enable TLS (SSL) on the Logstash side, without Beats needing to have its own key.

Keys are only needed if you want to use them as an authentication method between Beats and Logstash. Perhaps you want to use TLS for that, but if you do, then keys become unavoidable - that's how TLS certificate-based authentication works.


(Greg Sullivan) #4

I tried Filebeat without any SSL configured and got an Exception: not an SSL/TLS record: xxxx....
Logstash beats config:
ssl => true
ssl_key => "c:\logstash\Config\logstashdev1.key"
ssl_certificate => "c:\logstash\Config\logstashdev1.crt"
ssl_certificate_authorities => "c:\logstash\Config\ca.cer"
ssl_verify_mode => none
Then I tried
protocol: "https" in filebeat.yml
and Filebeat shows: Failed to publish events caused by: client is not connected.
Am I missing anything?
Thanks


(Tim Vernum) #5

Sorry, my previous post wasn't very clear. You definitely need to configure SSL, but you shouldn't need the key on the Filebeat side.

It looks like your logstash configuration is correct (although ssl_certificate_authorities is redundant since you're not using client verification).

What I suspect you're missing on the beats side is the certificate authority.
Your filebeat configuration should look something like:

output.logstash:
  hosts: ["logstash.example.net:5044"]
  ssl.certificate_authorities: ["c:\filebeat\Config\logstash-ca.cer"]

(Greg Sullivan) #6

I had to remove the CA from Logstash for it to work.
I'm good to go now.
Thanks


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.