Strange bad certificate

Dear all,

I'm facing a serious problem. I get the following message:

filebeat[29206]: 2022-03-24T10:30:37.927+0100        ERROR        [publisher_pipeline_output]        pipeline/output.go:154        Failed to connect to backoff(async(tcp://logstash.domain.com:5044)): remote error: tls: bad certificate

This is my filebeat output:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.domain.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  #ssl.key: "/etc/logstash/certs/ca.key"
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.verification_mode: none
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"


This is my logstash output:

input {

    beats {
        port => "5044"
        ssl => true
        ssl_key => '/etc/logstash/certs/logstash.pkcs8.key'
        ssl_certificate => '/etc/logstash/certs/logstash.crt'
        ssl_certificate_authorities => '/etc/logstash/certs/ca.crt'
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.

filter {

}
output {
    elasticsearch {
        hosts => [ "https://node2.domain.com:9200" ]
        index => "logstash-beats"
        cacert => '/etc/logstash/certs/ca.crt'
        user => "logstash"
        password => "password"
    }

}

If I test my pipeline everything is OK.

This is super strange because I have other instances of filebeat on different servers and they are working, and they all use the same certificate. The only difference between this filebeat and the others is that the others communicate with Elasticsearch directly.

Thanks in advance if anyone can help!

Why have you commented out the certificate and key lines in the logstash output, in filebeat, when you want to use SSL to communicate?

Hey,

Because it was working like that before I made a change in my instance.yml. I changed the IP to a DNS name.

And I followed this guide: Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog

This is my output of my instance.yml:

instances:
  - name: 'node1'
    dns: [ 'node1.domain.com' ]
  - name: "node2"
    dns: [ 'node2.domain.com' ]
  - name: 'kibana'
    dns: [ 'monitoring.domain.com' ]
  - name: 'logstash'
    dns: [ 'logstash.domain.com' ]
  - name: 'node3'
    dns: [ 'node3.domain.com' ]
  - name: "node4"
    dns: [ 'node4.domain.com' ]
  - name: "node5"
    dns: [ 'node5.domain.com' ]

If you are not going to use certificates by commenting them out, then you shouldn't have ssl set to true for the input. Either both sides are using certificates or none at all. What happens when you set ssl to false?

I would like to use ssl on my stack so between Filebeat/Logstash/Elasticsearch/Kibana. But I don't understand why all the Filebeats work via Elasticsearch and not this one with my logstash. They all use the same certificate...

You still want me to test the ssl => false?

Troubleshooting.... rule out an SSL / TLS certificate vs connection issue

It's working perfectly!

But now, if I would like to secure the communication with logstash, how can I do it?

I have already followed the tutorial in logstash documentation.

So indeed the issue is with the certificates.... your output.logstash certificate and key shouldn't be commented out, you need to pass the certificate from filebeat to the logstash node.

Your logstash node is expecting the same certificate that has been passed so it can validate it. The verification mode should be certificate and not set to none.

Thank you.

You mean that I need to uncomment these lines:

 #ssl.certificate: "/etc/pki/client/cert.pem"
 #ssl.key: "/etc/logstash/certs/ca.key"
# ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

So which certificates should I put in ssl.key and ssl.certificate? On the ssl.certificate_authorities I know I have to put the same as logstash but for the other entries I don't know.

Thank you!

Yes, the certificates you need depend on your set-up, are you using self-signed certificates?

You should have all the certificates available to you already if you followed the securing your cluster documentation. How filebeat and logstash communicate isn't dissimilar to say Kibana to Elasticsearch.. if these are working over SSL / TLS, then the same is for your issue.

Yes I'm working with self-signed certificates.

I have only nodes key and crt files and ca.crt and ca.key...

Can you redirect me to the right page please?

Thanks

I can't find in your link how to create my client key and my cert pem.

I have found this link:

They said that I need a client key and pem. But where can I find it?

You create them here for your cluster :-
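
The question of where the client key and certificate come from, as an added example that is not part of the original thread or of Elastic's documentation: it issues a client certificate from an existing CA with plain `openssl` (not the tooling from the guide the thread followed) and checks that it chains to the CA, is valid for TLS client authentication, and matches its key. The file names, the CN `filebeat-client` and the throwaway demo CA are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: issue a TLS client certificate for Filebeat from an existing CA.
# File names and the CN "filebeat-client" are illustrative assumptions.

# issue_client_cert CA_CRT CA_KEY OUT_DIR CN -> OUT_DIR/client.key, OUT_DIR/client.crt
issue_client_cert() {
    ca_crt=$1; ca_key=$2; out=$3; cn=$4
    # New private key plus a signing request; the key never leaves OUT_DIR.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$out/client.key" -out "$out/client.csr" 2>/dev/null || return 1
    # Leaf certificate restricted to TLS client authentication.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=clientAuth' > "$out/client.ext"
    openssl x509 -req -in "$out/client.csr" -CA "$ca_crt" -CAkey "$ca_key" \
        -CAserial "$out/ca.srl" -CAcreateserial -days 365 -sha256 \
        -extfile "$out/client.ext" -out "$out/client.crt" 2>/dev/null || return 1
    chmod 600 "$out/client.key"
}

# check_client_cert CA_CRT CRT KEY
# Returns 0 if CRT chains to CA_CRT, is usable for client auth, and matches KEY.
check_client_cert() {
    ca_crt=$1; crt=$2; key=$3
    openssl verify -purpose sslclient -CAfile "$ca_crt" "$crt" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 3
}

# Constructed demo: a throwaway CA stands in for the thread's ca.crt / ca.key.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.crt" 2>/dev/null
issue_client_cert "$demo_dir/ca.crt" "$demo_dir/ca.key" "$demo_dir" filebeat-client \
    && check_client_cert "$demo_dir/ca.crt" "$demo_dir/client.crt" "$demo_dir/client.key" \
    && echo "client.crt chains to ca.crt, allows client auth, matches client.key"
```

In the Filebeat config posted above, `client.crt` and `client.key` would go in `ssl.certificate` and `ssl.key`, with `ca.crt` staying in `ssl.certificate_authorities`. `ca.key` is the CA's signing key, not a client key, and does not belong on the Filebeat host.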
