Using logstash elasticsearch output over HTTPS

dandrestor · May 30, 2016, 12:42pm

Hello,

I've set up elasticsearch with shield, and I am now using HTTPS to access the REST API. I've also set up Kibana, and I am connecting via HTTPS to elasticsearch. I'm having some trouble with the Logstash part though.
We are using our own CA within our organization. The .CER file used here in the Logstash configuration below is working just fine with Kibana. With logstash, however, it doesn't.

My Logstash output config:

output {
      elasticsearch {
        user => logstash
        password => xxx
        hosts => [ "https://l1807s.sss.se.scania.com:9200/" ]
        index => "logstash-flex-%{+YYYY.MM.dd}"
        cacert => "/opt/logstash-2.3.1/ScaniaRootCA02.cer"
      }
}

The elasticsearch keystore contains the following:

Certificate[1]:
Owner: CN=l1807s.sss.se.scania.com, OU=Scania IT AB, O=Scania CV AB, L=Sodertalje, ST=Sthlm, C=SE
Issuer: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 4f000000ca83f5005a2b5d8bf60000000000ca
Valid from: 5/27/16 12:37 PM until: 5/26/20 12:37 PM

Certificate[2]:
Owner: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 160000000305d81efb0160df0d000000000003
Valid from: 11/25/15 2:31 PM until: 11/25/23 2:41 PM

Certificate[3]:
Owner: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 6964eb0422c6709445ad5f989542d72a
Valid from: 11/24/15 6:38 PM until: 11/24/31 6:48 PM

The file /opt/logstash-2.3.1/ScaniaRootCA02.cer referenced in the Logstash configuration contains the certificate for SCANIA-ROOT-CA-02.

The error that I'm getting from Logstash is PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Thanks for any ideas.

Dan

Update: sadly, I get the same error even after adding the option ssl_certificate_verification => false, so no temporary workaround for me.

dandrestor · May 31, 2016, 11:26am

Solved: I needed to specify ssl => true explicitly in the config file. This is somewhat contradictory to the documentation.

I opened issue https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/433 to address this.

Topic		Replies	Views
Logstash SSL/TLS error Logstash	1	343	October 3, 2023
Logstash unable to connect to Elasticsearch over https Logstash	7	1782	January 17, 2022
Logstash output to elasticsearch - SSL Logstash	2	13982	January 8, 2020
Certificates and keys for Kibana and Logstash with X-Pack Elasticsearch elastic-stack-security	12	13086	November 8, 2018
Kibana can't connect to elasticsearch using self signed certificates Kibana	2	13352	March 9, 2022

Using logstash elasticsearch output over HTTPS

Related Topics