SSL error

Elastic Stack Logstash
1

I've installed elasticsearch, logstash and metricbeat in my local Windows machine (all 7.7 version). The first thing I did was run .\bin\elasticsearch-certutil cert --pem --pass secret to get ca.crt - instance.crt - instance.key to copy on logstash and metricbeat respectively.

But the problem is that my configuration of logstash pass the test config but fails when I start running it.

logstash.yml:

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.ssl.certificate_authority: "C:/..location../ca.crt"
xpack.monitoring.elasticsearch.ssl.truststore.path: C:/..location../instance.crt
xpack.monitoring.elasticsearch.ssl.truststore.password: secret
xpack.monitoring.elasticsearch.ssl.keystore.path: C:/..location../instance.key
xpack.monitoring.elasticsearch.ssl.keystore.password: secret
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

filter.conf:

input{
beats{
port => 9333
ssl => true
ssl_key => 'C:/..location../instance.key'
ssl_certificate => 'C:/..location../instance.crt'
ssl_verify_mode => "force_peer"
}
}
output {
stdout{}
}

The log file:

[2020-05-26T10:53:42,252][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-05-26T10:53:42,366][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"7.7.0"}
[2020-05-26T10:53:43,217][ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"Use either "cacert" or "truststore" when configuring the CA certificate"}
[2020-05-26T10:53:43,299][ERROR][logstash.monitoring.internalpipelinesource] Failed to fetch X-Pack information from Elasticsearch. This is likely due to failure to reach a live Elasticsearch cluster.

Do you need more details? What is going on with this error?

2

if you’re using untrusted ca, you need to reference that ca using cacert directive in the output definition. something like :

cacert => “path_to_ca_file”

3

Logstash do not recognize it, see the error when I test the configuration:

[2020-05-29T20:42:45,610][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-05-29T20:42:46,720][INFO ][org.reflections.Reflections] Reflections took 35 ms to scan 1 urls, producing 21 keys and 41 values
[2020-05-29T20:42:47,012][ERROR][logstash.inputs.beats    ] Unknown setting 'cacert' for beats
[2020-05-29T20:42:47,024][FATAL][logstash.runner          ] The given configuration is invalid. Reason: Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.
[2020-05-29T20:42:47,028][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit
4

are you trying to setup ssl between beats and logstash, or between logstash and elasticsearch?

this directives is used for setting up logstash to listen to beat inputs in ssl mode

this directive is for logstash monitoring where monitoring data is sent to elasticsearch.

5

This is my case.

6

then you should disable this for now.

7

I just did this, I'm still getting the same error

[2020-05-31T10:27:44,227][ERROR][logstash.inputs.beats    ] Unknown setting 'cacert' for beats
[2020-05-31T10:27:44,238][FATAL][logstash.runner          ] The given configuration is invalid. Reason: Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.
[2020-05-31T10:27:44,242][ERROR][org.logstash.Logstash    ] java.lang.IllegalStateException: Logstash stopped processing because of an error: (SystemExit) exit

My actual configuration

xpack.monitoring.elasticsearch.ssl.truststore.path: C:/..location../instance.crt
xpack.monitoring.elasticsearch.ssl.truststore.password: secret
xpack.monitoring.elasticsearch.ssl.keystore.path: C:/..location../instance.key
xpack.monitoring.elasticsearch.ssl.keystore.password: secret
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate

And the filter

input{
  beats{
    port => 9333
    ssl => true
    ssl_key => 'C:/..location../instance.key'
    ssl_certificate => 'C:/..location../instance.crt'
	ssl_verify_mode => 'force_peer'
	cacert => 'C:/..location../ca.crt'
  }
}

output {
  stdout{}
}
8

don’t use cacert directives for beats input. it’s used in elasticsearch output section. i misread your configuration, i thought you’re sending output to elasticsearch, but your config is sending to stdout, so remove the cacert from beats input

do you need logstash monitoring? this config is logstash monitoring where monitoring data is sent do elasticsearch.

9

I did this and get a good response from config.test_and_exit

[2020-06-02T07:58:58,686][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-06-02T07:58:59,744][INFO ][org.reflections.Reflections] Reflections took 46 ms to scan 1 urls, producing 21 keys and 41 values
Configuration OK
[2020-06-02T07:59:01,125][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

But when I start logstash I get another error, like this:

[2020-06-02T08:00:35,906][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2020-06-02T08:00:35,999][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"7.7.0"}
[2020-06-02T08:00:37,432][INFO ][org.reflections.Reflections] Reflections took 31 ms to scan 1 urls, producing 21 keys and 41 values 
[2020-06-02T08:00:38,784][WARN ][org.logstash.instrument.metrics.gauge.LazyDelegatingGauge][main] A gauge metric of an unknown type (org.jruby.RubyArray) has been created for key: cluster_uuids. This may result in invalid serialization.  It is recommended to log an issue to the responsible developer/development team.
[2020-06-02T08:00:38,800][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x211d53d run>"}
[2020-06-02T08:00:39,557][ERROR][logstash.javapipeline    ][main] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`>, :backtrace=>["C:/..location../vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.9-java/lib/logstash/inputs/beats.rb:143:in `register'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:216:in `block in register_plugins'", "org/jruby/RubyArray.java:1809:in `each'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:215:in `register_plugins'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:327:in `start_inputs'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:287:in `start_workers'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:170:in `run'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:125:in `block in start'"], "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x211d53d run>"}
[2020-06-02T08:00:39,589][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2020-06-02T08:00:39,876][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2020-06-02T08:00:43,157][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x3f3cea69 run>"}
[2020-06-02T08:00:43,328][ERROR][logstash.javapipeline    ][main] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`>, :backtrace=>["C:/..location../vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.9-java/lib/logstash/inputs/beats.rb:143:in `register'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:216:in `block in register_plugins'", "org/jruby/RubyArray.java:1809:in `each'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:215:in `register_plugins'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:327:in `start_inputs'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:287:in `start_workers'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:170:in `run'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:125:in `block in start'"], "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x3f3cea69 run>"}
[2020-06-02T08:00:43,360][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2020-06-02T08:00:46,005][INFO ][logstash.javapipeline    ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x785d6789 run>"}
[2020-06-02T08:00:46,161][ERROR][logstash.javapipeline    ][main] Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Using `verify_mode` set to PEER or FORCE_PEER, requires the configuration of `certificate_authorities`>, :backtrace=>["C:/..location../vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.9-java/lib/logstash/inputs/beats.rb:143:in `register'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:216:in `block in register_plugins'", "org/jruby/RubyArray.java:1809:in `each'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:215:in `register_plugins'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:327:in `start_inputs'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:287:in `start_workers'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:170:in `run'", "C:/..location../logstash-core/lib/logstash/java_pipeline.rb:125:in `block in start'"], "pipeline.sources"=>["C:/..location../filtro0.conf"], :thread=>"#<Thread:0x785d6789 run>"}

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

I don't need this so I commented it

10

it’s mentioned in the log that if you’re using force_peer verify mode, you need to provide certificate_authorities

more info in the docs

11

I just provide it, and works after I convert

to a PKCS#8 format with

[root@node1 logstash]# openssl pkcs8 -in config/certs/logstash.key -topk8 -nocrypt -out config/certs/logstash.pkcs8.key

But I can't still get it running, now I have the error SSLV3_ALERT_BAD_CERTIFICATE, but I think this belong to another post, after I read all the previous about this error.

Anyways, THANK YOU A LOT!!!

12

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.