Hi
I ran out of ideas.
I have kibana (my wildcard cert, *.hostname.net). Kibana is ok.
kibana.yml
server.publicBaseUrl: "https://kibanaprod.hostname.net"
elasticsearch.hosts: ["https://elkprod1.hostname.net:9200", "https://elkprod2.hostname.net:9200", "https://elkprod3.hostname.net:9200", "https://elkprod4.hostname.net:9200","https://elkprod5.hostname.net:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "psw"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/hostname.net_cert.cer
server.ssl.key: /etc/kibana/hostname.net.key
elasticsearch.ssl.certificate: /etc/kibana/hostname.net_cert.cer
elasticsearch.ssl.key: /etc/kibana/hostname.net.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/MyCA.cer" ]
elasticsearch.ssl.verificationMode: full
I have 4 Elastic nodes; they communicate over TLS using my real wildcard cert. And they work.
elasticsearch.yml
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: certs/hostname.net.key
  certificate: certs/hostname.net_cert.cer
  certificate_authorities: certs/MyCa.cer
  verification_mode: certificate
xpack.security.transport.ssl:
  enabled: true
  key: certs/hostname.net.key
  certificate: certs/hostname.net_cert.cer
  certificate_authorities: certs/MyCa.cer
  verification_mode: certificate
Logstash didn't work; I have an error:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
I configured Logstash in logstash.yml, and I think this configuration is OK because Logstash's communication with the ELK nodes uses my wildcard cert.
logstash.yml:
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: psw
xpack.monitoring.elasticsearch.hosts: ["https://elkprod1.hostname.net:9200", "https://elkprod2.hostname.net:9200", "https://elkprod3.hostname.net:9200", "https://elkprod4.hostname.net:9200","https://elkprod5.hostname.net:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/etc/logstash/certs/MyCa.cer"
Now I'll explain my probable problem.
I can't use my wildcard cert with all my VMs (they use different certs), so I would like to use a self-signed cert between Logstash and Filebeat (which I deploy on the individual "other" VMs).
So I used certutil on my first ELK node, which acts as my self-signed CA. So I have ca.crt and ca.key (on elk1), and on elk1 I generated the cert for Logstash (logstash.crt and logstash.key -> logstash.pkcs8.key)
using these commands:
./bin/elasticsearch-certutil ca --pem   # generates the CA cert/key
./bin/elasticsearch-certutil cert --name logstash-prod --ca-cert ca.crt --ca-key ca.key --ip 10.1.1.190 --pem   # generates the Logstash crt/key
Then I copy ca.crt to Logstash.
My pipeline config:
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => [ "ca.crt" ]
    ssl_certificate => "logstash.crt"
    ssl_key => "logstash.pkcs8.key"
  }
}
filter {
  # doesn't matter
}
output {
  elasticsearch {
    hosts => ["https://elkprod1.hostname.net:9200", "https://elkprod2.hostname.net:9200", "https://elkprod3.hostname.net:9200", "https://elkprod4.hostname.net:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}-%{[service][type]}"
    action => "create"
    user => "elastic"
    password => "psw"
    cacert => "MyCA.cer"
  }
}
And when it works, I will install Filebeat on the "other" VMs: I generate the crt/key on elk1 and copy over only ca.crt and the self-signed cert/key.
On my dev env (elk7) it works, obviously, but I am not able to get it working in the prod env (elk8).
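
The post issues a CA and a Logstash certificate with elasticsearch-certutil and hands ca.crt, logstash.crt and logstash.pkcs8.key to the beats input. The following is an added example, not part of the original post: three openssl pre-flight checks a TLS peer depends on (chain to the CA, key matches certificate, dialled IP present as a subjectAltName). The function names are hypothetical, and the sample CA and certificate are constructed throwaways that reuse the file names and the IP from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the PEM
# files given to a Logstash beats input (ca.crt, logstash.crt, logstash.pkcs8.key).

# Does the server certificate chain to the CA file the clients will trust?
chain_ok() {                      # chain_ok CA_FILE CERT_FILE
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Does the private key belong to the certificate? Compare the public keys.
key_matches() {                   # key_matches CERT_FILE KEY_FILE
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Is the address the client dials listed as an IP subjectAltName?
san_has_ip() {                    # san_has_ip CERT_FILE IP
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Constructed sample input: a throwaway CA and server certificate in DIR,
# named like the files in the post. None of this is real key material.
make_sample() {                   # make_sample DIR IP
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=sample-ca' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj '/CN=logstash-prod' \
        -keyout "$1/logstash.pkcs8.key" -out "$1/logstash.csr" 2>/dev/null &&
    printf 'subjectAltName=IP:%s\n' "$2" > "$1/san.ext" &&
    openssl x509 -req -in "$1/logstash.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/san.ext" \
        -out "$1/logstash.crt" 2>/dev/null
}

# Print one line per check for the files in DIR.
report() {                        # report DIR IP
    chain_ok "$1/ca.crt" "$1/logstash.crt" && echo "chain: ok" || echo "chain: FAIL"
    key_matches "$1/logstash.crt" "$1/logstash.pkcs8.key" && echo "key: ok" || echo "key: FAIL"
    san_has_ip "$1/logstash.crt" "$2" && echo "san: ok" || echo "san: FAIL"
}

# Demo on the constructed sample; call report on a real directory instead.
tmp=$(mktemp -d) && make_sample "$tmp" 10.1.1.190 && report "$tmp" 10.1.1.190
rm -rf "$tmp"
```

Running the same three checks on the client side against the copy of ca.crt deployed there shows whether both ends hold the same CA file.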