Unable to start pipeline after SSL implementation

gdamico · September 23, 2019, 3:47pm

Hi,

I'm trying to enable SSL on my demo logstash installation, but after applying the documented settings the demo pipeline is unable to start, because of an certificate format error (that´s what log says).

I already read this post, which seems to be be related to an similar problem, but I can´t find the solution:

Logstash can’t establish pipeline with ssl

The log:

root@gian-sandbox-vm:/usr/share/logstash# bin/logstash -f /etc/logstash/conf.d/demo-metrics-pipeline.conf

...
[ERROR] 2019-09-23 08:56:10.286 [[main]-pipeline-manager] javapipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>java.security.cert.CertificateException: Unable to initialize, **java.io.IOException: Short read of DER length**, :backtrace=>["sun.security.x509.X509CertImpl.<init>(sun/security/x509/X509CertImpl.java:198)", "sun.security.provider.X509Factory.parseX509orPKCS7Cert(sun/security/provider/X509Factory.java:471)",    
...

Pipeline conf file:

input {
  beats {
    port => 5044
  # Commented out for problem isolation purposes
  #  ssl =>true
  #  ssl_certificate_authorities => ["/etc/logstash/ca/ca.crt"]
  #  ssl_certificate => "/etc/logstash/certs/logstash/logstash.crt"
  #  ssl_key => "/etc/logstash/certs/logstash/logstash.key"
  #  ssl_verify_mode => "force_peer"
  }
}

filter {
  if [system][process] {
    if [system][process][cmdline] {
      grok {
        match => {
          "[system][process][cmdline]" => "^%{PATH:[system][process][cmdline_path]}"
        }
        remove_field => "[system][process][cmdline]"
      }
    }
  }
}

output {
  elasticsearch {
    hosts => "https://localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "p@ssW0rd"
    ssl => true
    cacert => "/usr/share/elasticsearch/elastic-stack-ca.pem" 
  }
}

This is the same CA I'm succesfully using in eslasticsearch and kibana:

root@gian-sandbox-vm:/usr/share/logstash# openssl x509 -in /usr/share/elasticsearch/elastic-stack-ca.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:2a:c1:f9:ac:ae:cb:49:74:eb:3c:fc:b2:3c:1f:bb:03:78:0d:c1
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Elastic Certificate Tool Autogenerated CA
        Validity
            Not Before: Sep 11 19:03:37 2019 GMT
            Not After : Sep 10 19:03:37 2022 GMT
        Subject: CN = Elastic Certificate Tool Autogenerated CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a6:e4:b3:40:ac:05:41:8c:91:cc:bc:ba:52:37:
                    c8:0c:5c:08:68:99:b0:47:cb:b2:89:bb:2d:73:48:
                    1d:de:26:3a:82:7a:eb:56:b2:d3:90:c2:f1:f2:24:
                    b8:05:7d:87:ed:cf:f4:b5:96:be:db:a0:30:4e:a0:
                    bc:72:c5:c2:0d:5c:8c:85:f3:96:5a:56:22:ab:0a:
                    e1:43:9a:9b:e0:23:4d:61:a8:90:91:23:11:69:a1:
                    f0:15:3c:f3:d6:5d:1c:1e:fb:b7:9a:9a:4d:fa:3e:
                    ff:d0:a0:71:47:b0:1b:ff:48:87:b2:4a:4f:63:d6:
                    d0:06:49:fa:6a:4b:e6:22:9f:c8:c1:4d:5a:76:89:
                    75:91:7f:e4:e4:72:64:2b:14:50:54:63:36:a4:44:
                    11:da:bb:da:77:7c:d0:7c:fd:6d:17:40:de:15:3f:
                    d9:d7:86:52:55:8d:9f:3c:e0:db:40:a3:0b:01:e3:
                    00:36:81:4c:87:b8:be:3c:72:4f:82:d8:1b:2f:50:
                    c4:3a:f6:75:56:db:ae:38:19:08:b8:11:ce:7c:a9:
                    15:3e:e7:28:78:a3:c6:ca:ea:89:62:f0:72:82:da:
                    5c:a2:4e:2f:96:f9:c7:ad:d6:3a:ec:da:7b:3f:91:
                    46:a6:06:33:40:6d:98:41:0f:f4:63:9f:c3:59:8f:
                    d8:23
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                9A:19:6A:F0:6A:78:33:1F:CC:5A:05:CA:D0:BB:E9:0C:29:6A:7F:D4
            X509v3 Authority Key Identifier: 
                keyid:9A:19:6A:F0:6A:78:33:1F:CC:5A:05:CA:D0:BB:E9:0C:29:6A:7F:D4

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         a3:7b:e5:15:ab:e4:1d:c1:85:dc:ef:1d:3f:ce:b2:13:7f:2e:
         93:ff:dd:ec:ba:bd:93:89:ac:9d:56:46:84:b2:36:71:b1:97:
         69:3d:6f:51:6c:05:4d:79:a7:81:b8:ca:e0:23:06:20:4f:68:
         3f:23:d2:73:07:69:96:e0:42:a5:f6:8a:b3:f7:3e:d8:87:ee:
         58:90:ae:e7:5b:64:2d:71:81:49:67:be:41:20:a4:32:b5:f4:
         71:47:f6:0b:c7:bf:f2:1f:68:08:4c:05:60:25:45:47:4d:99:
         d1:d4:a6:bc:39:53:eb:e4:4a:fc:76:22:39:d3:65:4c:ba:2a:
         a7:b2:3e:9f:7b:87:9b:8a:60:1a:90:ad:31:34:7f:00:dd:e9:
         42:ef:7e:9a:b6:64:38:84:8d:8e:53:fe:bc:27:5e:3f:98:2b:
         85:dd:67:69:6a:ab:78:b0:fa:51:65:83:f2:60:2b:2b:39:e7:
         82:8c:0a:b7:85:bc:7b:0e:60:a4:84:d6:4c:53:8f:22:7c:6f:
         27:63:52:2b:9d:63:89:98:8a:16:33:b0:b9:b4:a9:5d:93:ff:
         c4:7b:9f:9c:54:c6:f3:23:8e:0e:fc:31:64:c3:77:d4:bd:fa:
         5a:a0:61:dc:08:36:a4:93:31:de:8b:9e:88:c9:41:be:77:55:
         90:31:03:ca

This is how the CA was exported from PKCS12 to PEM:

openssl pkcs12 -in elastic-stack-ca.p12 -out elastic-stack-ca.pem

Thanks in advance.

system · October 21, 2019, 4:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.