Are you sure? Based on the error message, that is extremely unlikely to be true.
`Received fatal alert: bad_certificate` means that the other side of the connection rejected this side's certificate (but the TLS handshaking protocol doesn't provide a way for the reason to be included, so all we know is that something is wrong with the certificate).
So if Logstash is reporting this in its log file, then some other process that it is communicating with is rejecting Logstash's certificate. That other process should be providing details of that rejection in its own log file. It is almost impossible to diagnose this from the Logstash side because the details are all on the other side.
So, either:
- This error you posted is from the Elasticsearch log, which means something (probably Logstash) is rejecting Elasticsearch's certificate, and we need to find the log file that gives us the detail.
- Beats is rejecting Logstash's certificate (which might be the case - you haven't shown any Beats configuration), but we would expect the logs for Filebeat to provide an explanation of the problem.
- Elasticsearch is rejecting Logstash's certificate, but based on the configuration you've posted Elasticsearch isn't requesting a certificate from Logstash, so this is unlikely.
My guess is it's option 2.
Can you:
- Double check the log files for any Beats you are running.
- Post the config you're using for Filebeat (or any other Beats).