Hello,
I've set up Elasticsearch with Shield, and I am now using HTTPS to access the REST API. I've also set up Kibana, and I am connecting via HTTPS to Elasticsearch. I'm having some trouble with the Logstash part though.
We are using our own CA within our organization. The .CER file used here in the Logstash configuration below is working just fine with Kibana. With Logstash, however, it doesn't.
My Logstash output config:
output {
    elasticsearch {
        user => logstash
        password => xxx
        hosts => [ "https://l1807s.sss.se.scania.com:9200/" ]
        index => "logstash-flex-%{+YYYY.MM.dd}"
        cacert => "/opt/logstash-2.3.1/ScaniaRootCA02.cer"
    }
}
The elasticsearch keystore contains the following:
Certificate[1]:
Owner: CN=l1807s.sss.se.scania.com, OU=Scania IT AB, O=Scania CV AB, L=Sodertalje, ST=Sthlm, C=SE
Issuer: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 4f000000ca83f5005a2b5d8bf60000000000ca
Valid from: 5/27/16 12:37 PM until: 5/26/20 12:37 PM
Certificate[2]:
Owner: CN=SCANIA-ISSUING-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 160000000305d81efb0160df0d000000000003
Valid from: 11/25/15 2:31 PM until: 11/25/23 2:41 PM
Certificate[3]:
Owner: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Issuer: CN=SCANIA-ROOT-CA-02, OU=Scania IT AB, OU=Scania CV AB (publ), O=Scania AB (publ), C=SE
Serial number: 6964eb0422c6709445ad5f989542d72a
Valid from: 11/24/15 6:38 PM until: 11/24/31 6:48 PM
The file /opt/logstash-2.3.1/ScaniaRootCA02.cer referenced in the Logstash configuration contains the certificate for SCANIA-ROOT-CA-02.
The error that I'm getting from Logstash is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Thanks for any ideas.
Dan
Update: sadly, I get the same error even after adding the option ssl_certificate_verification => false, so no temporary workaround for me.
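
A way to test, outside Logstash, when a root-only CA file is enough to validate a three-level chain like the one listed above. This is an added example, not part of the original post: it builds a constructed throwaway chain with made-up names (EXAMPLE-ROOT-CA, EXAMPLE-ISSUING-CA, es.example.test) and checks it with openssl verify rather than the JVM's PKIX path builder.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI with the same shape as the chain in
# the post (root CA -> issuing CA -> server certificate). All names are made up.
set -eu

EXT_CA='basicConstraints=critical,CA:TRUE'
EXT_LEAF='basicConstraints=CA:FALSE'

# new_cert <dir> <name> <CN> <extensions> [issuer-name]; no issuer = self-signed
new_cert() {
  d=$1 n=$2
  printf '%s\n' "$4" > "$d/$n.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$5.pem" -CAkey "$d/$5.key" \
      -CAcreateserial -days 2 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_chain() {  # build_chain <dir>
  new_cert "$1" root    "EXAMPLE-ROOT-CA"    "$EXT_CA"
  new_cert "$1" issuing "EXAMPLE-ISSUING-CA" "$EXT_CA"   root
  new_cert "$1" leaf    "es.example.test"    "$EXT_LEAF" issuing
  cat "$1/root.pem" "$1/issuing.pem" > "$1/bundle.pem"
}

# path_builds <dir> <mode>: prints "ok" if the leaf validates, else "fail"
path_builds() {
  case $2 in
    root-only)          set -- -CAfile "$1/root.pem" "$1/leaf.pem" ;;
    server-sends-chain) set -- -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" "$1/leaf.pem" ;;
    bundle)             set -- -CAfile "$1/bundle.pem" "$1/leaf.pem" ;;
    *)                  echo "unknown mode: $2" >&2; return 2 ;;
  esac
  if openssl verify "$@" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT
build_chain "$dir"
for m in root-only server-sends-chain bundle; do
  printf '%-20s %s\n' "$m" "$(path_builds "$dir" "$m")"
done
```

A trust file holding only the root validates the server certificate only when the issuing CA certificate is supplied alongside it (as a server sending its full chain would do); otherwise the trust file has to contain both CA certificates.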