Using logstash elasticsearch output over HTTPS

dandrestor · May 30, 2016, 12:42pm

Hello,

I've set up elasticsearch with shield, and I am now using HTTPS to access the REST API. I've also set up Kibana, and I am connecting via HTTPS to elasticsearch. I'm having some trouble with the Logstash part though.
We are using our own CA within our organization. The .CER file used here in the Logstash configuration below is working just fine with Kibana. With logstash, however, it doesn't.

My Logstash output config:

output {
      elasticsearch {
        user => logstash
        password => xxx
        hosts => [ "https://l1807s.sss.se.scania.com:9200/" ]
        index => "logstash-flex-%{+YYYY.MM.dd}"
        cacert => "/opt/logstash-2.3.1/ScaniaRootCA02.cer"
      }
}

The elasticsearch keystore contains the following:

Certificate[1]:
Owner: CN=l1807s.sss.se.scania.com, OU=Scania IT AB, O=Scania CV AB, L=Sodertalje, ST=Sthlm, C=SE
Issuer: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 4f000000ca83f5005a2b5d8bf60000000000ca
Valid from: 5/27/16 12:37 PM until: 5/26/20 12:37 PM

Certificate[2]:
Owner: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 160000000305d81efb0160df0d000000000003
Valid from: 11/25/15 2:31 PM until: 11/25/23 2:41 PM

Certificate[3]:
Owner: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 6964eb0422c6709445ad5f989542d72a
Valid from: 11/24/15 6:38 PM until: 11/24/31 6:48 PM

The file /opt/logstash-2.3.1/ScaniaRootCA02.cer referenced in the Logstash configuration contains the certificate for SCANIA-ROOT-CA-02.

The error that I'm getting from Logstash is PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Thanks for any ideas.

Dan

Update: sadly, I get the same error even after adding the option ssl_certificate_verification => false, so no temporary workaround for me.

dandrestor · May 31, 2016, 11:26am

Solved: I needed to specify ssl => true explicitly in the config file. This is somewhat contradictory to the documentation.

I opened issue https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/433 to address this.

Topic		Replies	Views
Logstash to Elasticsearch over SSL Configuration Logstash	3	13072	November 16, 2017
Using certificates on logstash output plugin Logstash	5	1604	June 21, 2020
Logstash output to Elasticsearch SSL 6.3 issue Logstash elastic-stack-security	2	760	January 2, 2019
Logstash SSL/TLS error Logstash	1	349	October 3, 2023
Logstash unable to connect to Elasticsearch over https Logstash	7	1803	January 17, 2022

Using logstash elasticsearch output over HTTPS

Related topics