Hi,
I'm trying to enable SSL on my demo logstash installation, but after applying the documented settings the demo pipeline is unable to start because of a certificate format error (that's what the log says).
I already read this post, which seems to be related to a similar problem, but I can't find the solution:
Logstash can’t establish pipeline with ssl
The log:
```
root@gian-sandbox-vm:/usr/share/logstash# bin/logstash -f /etc/logstash/conf.d/demo-metrics-pipeline.conf
...
[ERROR] 2019-09-23 08:56:10.286 [[main]-pipeline-manager] javapipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>java.security.cert.CertificateException: Unable to initialize, **java.io.IOException: Short read of DER length**, :backtrace=>["sun.security.x509.X509CertImpl.<init>(sun/security/x509/X509CertImpl.java:198)", "sun.security.provider.X509Factory.parseX509orPKCS7Cert(sun/security/provider/X509Factory.java:471)",
...
```
Pipeline conf file:
```
input {
  beats {
    port => 5044
    # Commented out for problem isolation purposes
    # ssl =>true
    # ssl_certificate_authorities => ["/etc/logstash/ca/ca.crt"]
    # ssl_certificate => "/etc/logstash/certs/logstash/logstash.crt"
    # ssl_key => "/etc/logstash/certs/logstash/logstash.key"
    # ssl_verify_mode => "force_peer"
  }
}
filter {
  if [system][process] {
    if [system][process][cmdline] {
      grok {
        match => {
          "[system][process][cmdline]" => "^%{PATH:[system][process][cmdline_path]}"
        }
        remove_field => "[system][process][cmdline]"
      }
    }
  }
}
output {
  elasticsearch {
    hosts => "https://localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "p@ssW0rd"
    ssl => true
    cacert => "/usr/share/elasticsearch/elastic-stack-ca.pem"
  }
}
```
This is the same CA I'm successfully using in Elasticsearch and Kibana:
root@gian-sandbox-vm:/usr/share/logstash# openssl x509 -in /usr/share/elasticsearch/elastic-stack-ca.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
34:2a:c1:f9:ac:ae:cb:49:74:eb:3c:fc:b2:3c:1f:bb:03:78:0d:c1
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = Elastic Certificate Tool Autogenerated CA
Validity
Not Before: Sep 11 19:03:37 2019 GMT
Not After : Sep 10 19:03:37 2022 GMT
Subject: CN = Elastic Certificate Tool Autogenerated CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
9A:19:6A:F0:6A:78:33:1F:CC:5A:05:CA:D0:BB:E9:0C:29:6A:7F:D4
X509v3 Authority Key Identifier:
keyid:9A:19:6A:F0:6A:78:33:1F:CC:5A:05:CA:D0:BB:E9:0C:29:6A:7F:D4
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
This is how the CA was exported from PKCS12 to PEM:
```
openssl pkcs12 -in elastic-stack-ca.p12 -out elastic-stack-ca.pem
```
Thanks in advance.
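
An added example, not part of the original post: a check that lists which PEM blocks a file contains and whether each one decodes to a complete DER `SEQUENCE`, the kind of length check that fails with `Short read of DER length`. `openssl pkcs12` run without `-nokeys` writes private keys and `Bag Attributes` text alongside the certificates, which is what the mixed sample imitates. The function names, the cert-only policy and all sample data are assumptions constructed for this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_outer_ok(der: bytes) -> bool:
    """True if der is exactly one SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                     # short form: the byte is the length
        hdr, length = 2, first
    else:                                # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:   # indefinite form, or length bytes cut off
            return False
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return hdr + length == len(der)

def inspect_pem(text: str):
    """Return [(label, der_ok)] for each PEM block and the lines outside any block."""
    blocks = []
    for m in PEM_RE.finditer(text):
        try:
            der = base64.b64decode("".join(m.group(2).split()), validate=True)
            blocks.append((m.group(1), der_outer_ok(der)))
        except ValueError:               # binascii.Error: not valid base64
            blocks.append((m.group(1), False))
    stray = [ln for ln in PEM_RE.sub("", text).splitlines() if ln.strip()]
    return blocks, stray

def cert_only(text: str) -> bool:
    """Policy assumed by this example: only well-formed CERTIFICATE blocks, no other text."""
    blocks, stray = inspect_pem(text)
    return bool(blocks) and not stray and all(l == "CERTIFICATE" and ok for l, ok in blocks)

def pem(label: str, der: bytes) -> str:
    """Wrap bytes in PEM armor (helper for the constructed samples below)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed samples: a dummy 304-byte SEQUENCE, not a real certificate or key.
FAKE_DER = b"\x30\x82\x01\x2c" + b"\x02\x01\x01" * 100
GOOD = pem("CERTIFICATE", FAKE_DER)
TRUNCATED = pem("CERTIFICATE", FAKE_DER[:3])
MIXED = "Bag Attributes\n" + pem("PRIVATE KEY", FAKE_DER) + GOOD

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("truncated", TRUNCATED), ("mixed", MIXED)]:
        print(name, inspect_pem(sample), cert_only(sample))
```

To check a real file, pass its contents to `inspect_pem(open(path).read())` and look for non-`CERTIFICATE` labels, `False` flags or stray lines.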