Using Fingerprint on metricbeat

Hi there

I'm trying to send data using Metricbeat v8.8.2 here, and I'm trying to use the fingerprint as a replacement for certificate_authorities, but I get an error like this:

{"log.level":"warn","@timestamp":"2023-07-29T07:26:38.637+0700","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":186},"message":"no CA certificate matching the fingerprint","service.name":"metricbeat","ecs.version":"1.6.0"}

and here is my config:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.11.15:9200"]
  ssl:
#    enabled: true
    ca_trusted_fingerprint: '0FF09F03EEB7985D0DD95E6A450251F395958AA425F6CB2A1EC6EE39C5FDBADB'
#  ssl.certificate_authorities: ["/etc/metricbeat/ca.crt"]

I'm sure that the fingerprint is generated from the right CA certificate, but I really don't know why I can't use this fingerprint to send data to Elastic. Did I miss something?

[root@local certs]#  openssl x509 -fingerprint -sha256 -noout -in /elastic/elasticsearch-8.8.2/config/certs/ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'  
0FF09F03EEB7985D0DD95E6A450251F395958AA425F6CB2A1EC6EE39C5FDBADB
[root@local certs]#  openssl x509 -fingerprint -sha256 -noout -in /etc/metricbeat/ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
0FF09F03EEB7985D0DD95E6A450251F395958AA425F6CB2A1EC6EE39C5FDBADB

Please help. Thanks.

Did metricbeat connect when you used actual ca.crt?

Yes, that is so weird. If I define certificate_authorities, the connection to Elastic is established, but that doesn't happen when I try to use ca_trusted_fingerprint.

On Sat, 29 Jul 2023 09:07, Stephen Brown via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> wrote:

Try running

metricbeat test output

with both configurations... make sure you do not change the host URL.

Hello @stephenb, sorry for the late response. Here is the output with each configuration:

  • Using certificate
elasticsearch: https://192.168.100.227:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.100.227
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.8.2
  • Using fingerprint
elasticsearch: https://192.168.100.227:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.100.227
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority

So when you just run

openssl x509 -fingerprint -sha256 -in config/certs/http_ca.crt

what is the output?

Also, have you tried with and without the quotes? Double quotes...

There is something simple going on...

I already tried this but still got the same result.

Here is the result:

SHA256 Fingerprint=CD:FB:71:AD:DE:C7:C0:82:31:63:DF:8E:48:08:DC:C7:1B:65:A6:22:CD:7A:A0:E8:91:B8:A2:C1:10:C7:05:EB

Note: sorry, this is from another server for testing. The previous ca.crt and the server were destroyed, so maybe that is quite a difference, but this uses the same config as my first post.

Confused ... the fingerprint needs to come from the actual CA?

2nd, did you try without the quotes?

Not sure what is going on.

What does the issuer say?

hyperion:certs sbrown$ openssl x509 -issuer -fingerprint -sha256 -noout -in ./http_ca.crt 
issuer=CN = Elasticsearch security auto-configuration HTTP CA
sha256 Fingerprint=1C:F1:FB:FD:EF:7D:26:C9:7B:4C:75:94:5A:3C:F7:94:51:FC:B7:F9:B0:4D:CF:52:BE:32:8A:C3:A0:99:4A:53

In the documentation it says from the CA, right? What I'm trying to say is, I made a new server to test this, and I generated a new certificate too. So if you see some unrelated information in my recent post, for example the path of the certificate or something, it's expected. But I can make sure I made the same config, like this:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.11.15:9200"]
  ssl:
#    enabled: true
    ca_trusted_fingerprint: 'xxx'
#  ssl.certificate_authorities: ["/etc/metricbeat/ca.crt"]

Quotes, double quotes, I already tried those two options.

Here:

issuer=CN = Elastic Certificate Tool Autogenerated CA
SHA256 Fingerprint=CD:FB:71:AD:DE:C7:C0:82:31:63:DF:8E:48:08:DC:C7:1B:65:A6:22:CD:7A:A0:E8:91:B8:A2:C1:10:C7:05:EB

And when I followed the command documented in the documentation, it gave me a result that looks like this:

#openssl x509 -fingerprint -sha256 -noout -in /monitoring/elasticsearch-8.8.2/config/certs/ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
CDFB71ADDEC7C0823163DF8E4808DCC71B65A622CD7AA0E891B8A2C110C705EB

Yup, everything looks good, not sure what to tell you...

Unfortunately I don't think curl works with fingerprint; that would be a good test with -v.

You could set TRACE debug and see if you see anything more.

Shouldn't that be

/monitoring/elasticsearch-8.8.2/config/certs/http_ca.crt

The HTTP CA?

hyperion:config sbrown$ cd certs/
http.p12        http_ca.crt     transport.p12
hyperion:certs sbrown$ 

I used the --pem option when generating ca.crt:

./bin/elasticsearch-certutil ca --pem --days 1095 --out ca.zip

So I don't use a truststore and keystore.

And you are generating the certificate from that CA?

I would try the default security process first...

I just ran through the default process end to end; fingerprint worked fine.

Yes, I generated a certificate with that CA. Hmmm, does it mean fingerprint doesn't support a certificate in PEM format?

On Wed, 9 Aug 2023 00:47, Stephen Brown via Discuss the Elastic Stack <notifications@elastic.discoursemail.com> wrote:
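The check behind the "no CA certificate matching the fingerprint" warning is simple: Beats hashes the DER bytes of each certificate the server presents and looks for one whose SHA-256 digest equals ca_trusted_fingerprint, so a fingerprint of a CA that never appears in the served chain can never match. The script below is an added example (not libbeat code and not from any poster in this thread) that reproduces that comparison offline: it normalizes the fingerprint forms seen above (the openssl "SHA256 Fingerprint=CD:FB:..." line, the quoted colon-free YAML value), splits a PEM bundle such as the output of openssl s_client -showcerts into DER blobs, and reports which chain position, if any, matches. The DER byte strings are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed stand-ins for DER-encoded certificates (not real X.509 data);
# the comparison only hashes raw bytes, so any bytes demonstrate it.
FAKE_LEAF_DER = b"constructed-leaf-certificate"
FAKE_CA_DER = b"constructed-ca-certificate"


def normalize_fingerprint(value: str) -> str:
    """Reduce any form seen in the thread to 64 lowercase hex characters.

    Accepts 'SHA256 Fingerprint=CD:FB:...', a quoted YAML value, or bare hex.
    Rejects anything that is not a SHA-256 digest, which catches a pasted
    SHA-1 or a truncated copy before it reaches the config file.
    """
    value = value.split("=", 1)[-1].strip().strip("'\"")
    hexstr = value.replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexstr):
        raise ValueError(f"not a SHA-256 fingerprint: {value!r}")
    return hexstr


def sha256_fingerprint(der: bytes) -> str:
    """Same digest openssl x509 -fingerprint -sha256 prints: SHA-256 of the DER."""
    return hashlib.sha256(der).hexdigest()


def pem_bundle_to_der(pem_text: str) -> list[bytes]:
    """Split a PEM bundle (e.g. openssl s_client -showcerts output) into DER blobs."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as one PEM certificate block (used to build sample input)."""
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"


def find_pinned_ca(chain_der: list[bytes], configured: str) -> Optional[int]:
    """Index of the served certificate whose SHA-256 equals the configured
    ca_trusted_fingerprint, or None: the case that produces the warning."""
    wanted = normalize_fingerprint(configured)
    for i, der in enumerate(chain_der):
        if sha256_fingerprint(der) == wanted:
            return i
    return None
```

To use it against a live endpoint, save the chain with openssl s_client -showcerts -connect host:9200 and feed that text to pem_bundle_to_der; if find_pinned_ca returns None, the configured fingerprint belongs to a certificate the server is not sending.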

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.