Strange bad certificate

labate · March 24, 2022, 9:42am

Dear all,

I'm facing to a serious problem. I get this following message:

filebeat[29206]: 2022-03-24T10:30:37.927+0100        ERROR        [publisher_pipeline_output]        pipeline/output.go:154        Failed to connect to backoff(async(tcp://logstash.domain.com:5044)): remote error: tls: bad certificate

This is my filebeat output:

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.domain.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  #ssl.key: "/etc/logstash/certs/ca.key"
    # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.verification_mode: none
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

This is my logstash output:

input {

    beats {
        port => "5044"
    ssl => true
    ssl_key => '/etc/logstash/certs/logstash.pkcs8.key'
    ssl_certificate => '/etc/logstash/certs/logstash.crt'
    ssl_certificate_authorities => '/etc/logstash/certs/ca.crt'
    }
}
# The filter part of this file is commented out to indicate that it is
# optional.

filter {

}
output {
    elasticsearch {
        hosts => [ "https://node2.domain.com:9200" ]
        index => "logstash-beats"
        cacert => '/etc/logstash/certs/ca.crt'
        user => "logstash"
        password => "password"
        }

}

If I test my pipeline everything is OK.

This is super strange because I have others instances of filebeat in differents servers and it's working and they are using all the same certificate. The only difference between this filebeat and others, others communicates with Elasticsearch directly.

Thanks in advance if anyone can help !

zx8086 · March 24, 2022, 9:48am

Why have you commented out the certificate and key lines in the logstash output, in filebeat, when you want to use SSL to communicate ?

labate · March 24, 2022, 11:04am

Hey,

Because it was working like that before I made a change in my instance.yml. I changed the IP to a DNS name.

And I followed this guide : Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog

This is my output of my instance.yml:

instances:
  - name: 'node1'
    dns: [ 'node1.domain.com' ]
  - name: "node2"
    dns: [ 'node2.domain.com' ]
  - name: 'kibana'
    dns: [ 'monitoring.domain.com' ]
  - name: 'logstash'
    dns: [ 'logstash.domain.com' ]
  - name: 'node3'
    dns: [ 'node3.domain.com' ]
  - name: "node4"
    dns: [ 'node4.domain.com' ]
  - name: "node5"
    dns: [ 'node5.domain.com' ]

zx8086 · March 24, 2022, 11:20am

If you are not going to use certificates by commenting them out, then you shouldn't have ssl set to true for the input. Either both sides are using certificates or none at all. What happens when you set ssl to false?

labate · March 24, 2022, 1:40pm

I would like to use ssl on my stack so between Filebeat/Logstash/Elasticsearch/Kibana. But I don't understand why all the Filebeats work via Elasticsearch and not this one with my logstash. They all use the same certificate...

You still want me to test the ssl => false?

zx8086 · March 24, 2022, 1:48pm

Troubleshooting.... rule out an SSL / TLS certificate vs connection issue

labate · March 24, 2022, 2:11pm

It's working perfectly !

But now if I would like to secure the communication with logstash: How can I do ?

I have already followed the tutorial in logstash documentation.

zx8086 · March 24, 2022, 2:59pm

So indeed the issue is with the certificates.... your output.logstash certificate and key shouldn't be commented out, you need the pass the certificate from filebeat to the logstash node.

Your logstash node is expecting the same certificate that has been passed so it can validate it. The verification mode should be certiifcate and not set to none

labate · March 24, 2022, 3:08pm

Thank you.

You mean that I need to uncomment these lines:

 #ssl.certificate: "/etc/pki/client/cert.pem"
 #ssl.key: "/etc/logstash/certs/ca.key"
# ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]

So which certificates should I put in ssl.key and ssl.certificate? On the ssl.certificate_authorities I know I have to put the same as logstash but for the other entries I don't know.

Thank you !

zx8086 · March 24, 2022, 3:14pm

Yes, the certificates you need depend on your set-up, are you using self-signed certificates?

You should have all the certificates available to you already if you followed the securing your cluster documentation. How filebeat and logstash communicate isn't dissimilar to say Kibana to Elasticsearch.. if these are working overs SSL / TLS, then the same is for your issue.

labate · March 24, 2022, 3:26pm

Yes I'm working with self-signed certificates.

I have only nodes key and crt files and ca.crt and ca.key...

Can you redirect me on the right page please ?

Thanks

zx8086 · March 24, 2022, 3:58pm

labate · March 24, 2022, 4:30pm

I can't find in your link how to create my client key and my cert pem.

I have found this link:

They said that I need a client key and pem. But where I can find it ?

zx8086 · March 24, 2022, 4:55pm

You create them here for your cluster :-

system · April 21, 2022, 4:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Ssl_certificate_authorities seems to have no effect Logstash	2	262	March 7, 2023
Cannot receive logs from Filebeat in Logstash, SSL Problem Logstash elastic-stack-security	3	548	August 14, 2020
Debug errors between filebeat and logstash Logstash	1	936	March 14, 2018
Logstash show errors for new client in log: "javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate" Elasticsearch	2	2807	March 14, 2022
Filebeat and logstash ssl config is correct? Logstash	2	214	November 15, 2022

Strange bad certificate

Related Topics