Using logstash elasticsearch output over HTTPS

Hello,

I've set up elasticsearch with shield, and I am now using HTTPS to access the REST API. I've also set up Kibana, and I am connecting via HTTPS to elasticsearch. I'm having some trouble with the Logstash part though.
We are using our own CA within our organization. The .CER file used here in the Logstash configuration below is working just fine with Kibana. With logstash, however, it doesn't.

My Logstash output config:

output {
      elasticsearch {
        user => logstash
        password => xxx
        hosts => [ "https://l1807s.sss.se.scania.com:9200/" ]
        index => "logstash-flex-%{+YYYY.MM.dd}"
        cacert => "/opt/logstash-2.3.1/ScaniaRootCA02.cer"
      }
}

The elasticsearch keystore contains the following:

Certificate[1]:
Owner: CN=l1807s.sss.se.scania.com, OU=Scania IT AB, O=Scania CV AB, L=Sodertalje, ST=Sthlm, C=SE
Issuer: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 4f000000ca83f5005a2b5d8bf60000000000ca
Valid from: 5/27/16 12:37 PM until: 5/26/20 12:37 PM

Certificate[2]:
Owner: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 160000000305d81efb0160df0d000000000003
Valid from: 11/25/15 2:31 PM until: 11/25/23 2:41 PM

Certificate[3]:
Owner: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 6964eb0422c6709445ad5f989542d72a
Valid from: 11/24/15 6:38 PM until: 11/24/31 6:48 PM

The file /opt/logstash-2.3.1/ScaniaRootCA02.cer referenced in the Logstash configuration contains the certificate for SCANIA-ROOT-CA-02.

The error that I'm getting from Logstash is PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Thanks for any ideas.

Dan

Update: sadly, I get the same error even after adding the option ssl_certificate_verification => false, so no temporary workaround for me.

Solved: I needed to specify ssl => true explicitly in the config file. This is somewhat contradictory to the documentation.

I opened issue https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/433 to address this.

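An added example, not part of the original post and not the plugin's own code: a small Python check that scans a Logstash config for the two settings this thread turns on, an https:// host in an elasticsearch block with no explicit ssl => true, and ssl_certificate_verification => false left in place after troubleshooting. The function names, finding messages, sample hostname and CA path are constructed for illustration; the option names are the ones used in the post.

```python
import re

NO_SSL = "https host without explicit ssl => true"
NO_VERIFY = "ssl_certificate_verification => false disables certificate checks"

# Constructed sample modelled on the output block in the post (hostname and path are placeholders).
SAMPLE = '''
output {
  elasticsearch {
    user => logstash
    hosts => [ "https://es.example.internal:9200/" ]
    index => "logstash-flex-%{+YYYY.MM.dd}"
    cacert => "/path/to/root-ca.cer"
  }
}
'''

def es_blocks(config):
    """Yield the body of each elasticsearch { ... } plugin block, ignoring braces inside quotes."""
    for m in re.finditer(r'\belasticsearch\s*\{', config):
        depth, quote, i = 1, None, m.end()
        while i < len(config) and depth:
            c = config[i]
            if quote:
                if c == '\\':
                    i += 1            # skip the escaped character
                elif c == quote:
                    quote = None
            elif c in '"\'':
                quote = c
            elif c == '{':
                depth += 1
            elif c == '}':
                depth -= 1
            i += 1
        yield config[m.end():i - 1]

def setting(body, name):
    """Return the value of an uncommented 'name => value' line, or None."""
    m = re.search(r'^\s*%s\s*=>\s*(.+?)\s*$' % re.escape(name), body, re.M)
    return m.group(1).strip('"\'') if m else None

def lint(config):
    """Return (block number, finding) pairs for every elasticsearch block."""
    findings = []
    for n, body in enumerate(es_blocks(config), 1):
        if re.search(r'hosts\s*=>[^\]]*https://', body) and setting(body, 'ssl') != 'true':
            findings.append((n, NO_SSL))
        if setting(body, 'ssl_certificate_verification') == 'false':
            findings.append((n, NO_VERIFY))
    return findings
```

Calling lint(SAMPLE) reports the missing ssl => true for block 1; the same config with that line added returns no findings.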