Winlogbeat ignores CA certificates in windows certificate store?


(Jean-Pierre) #1

My first concern is winlogbeat doesn't notify of any TLS or Certificate Errors, even when I set the log level to 'info'. This is poor form!

2016-04-22T22:34:11+02:00 INFO winlogbeat sucessfully setup. Start running.
2016-04-22T22:34:11+02:00 INFO Error publishing events (retrying): EOF
2016-04-22T22:34:11+02:00 INFO send fail
2016-04-22T22:34:11+02:00 INFO backoff retry: 1s
2016-04-22T22:34:12+02:00 INFO Error publishing events (retrying): EOF
2016-04-22T22:34:12+02:00 INFO send fail

System:

  • Windows 2012 R2 with winlogbeats with Winlogbeat 1.2.1
  • Logstash 2.3 on a RedHat Linux server
    (all fresh 'current' downloads from today!)

I set some things up as per https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-tls-logstash.html.

According to it "If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used."

I'm quite certain my certs are correctly installed in both the Windows Certificate Store.

  • Most windows things can use sites signed by the CA in the browser.
  • Ran a test script via powershell to connect to the logstash input port with TLS, and it worked.

The only configuration change I had to make to fix it was to change the winlogbeat.yml file and explicitly set the CA.

In summary, I suspect that winlogbeat doesn't correctly use the "Trusted Root Certification Authorities" plus "Intermediate Certification Authorities".

To test/re-produce use at least a 2-tier CA setup.

  • Setup Root + Intermediary CA
  • Intermediary CA signs cert for logstash beats input
  • On windows system (with winlogbeat), trust Root plus Intermediary (in the local computer certficate store)
  • Install Root -> "Trusted Root Certification Authorities"
  • Install Intermediary CA -> "Intermediate Certification Authorities"
  • Also export Root and Intermediary CA cert into PEM format file for explicit config
  • Test two yaml configs, one pointing to the .pem file with the CA, the other just specify tls:, but leave empty (implicit)

Note, for the moment, just doing TLS Sever Auth and leaving client authentication on the logstash input out of the mix. Example config:

winlogbeat side

output:
    logstash:
        hosts:
            - plogprocs1v.standardbank.co.za:5045
        tls:
            certificate_authorities:
                - C:/Program Files/Winlogbeat/<org internal ca trust chain>.pem

logstash side

input {
    # server auth only
    beats {
        port => 5045
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/<fqdn>.rsa.crt"
        ssl_key => "/etc/pki/tls/private/<fqdn>.rsa.key"
    }
}

(Andrew Kroh) #2

You're right, I didn't see any errors when I tested this with 1.2.1. I also tried it with v5 and I did see the SSL issues being logged.

2016/04/26 00:20:05.303393 single.go:127: INFO Connecting error publishing events (retrying): x509: certificate signed by unknown authority

I didn't test yet with a 2-tier CA. But I tested with a single tier CA and it worked as expected. So it does seem that Winlogbeat (or Go's TLS implementation) is checking the cert against the OS trust store. I suspect that the issue is caused by Logstash not providing the intermediate CA cert in the handshake to Winlogbeat which then stops Go from attempting to validate the chain.

If I point Winlogbeat (using v5 so I get logging) at a another TLS endpoint (not Logstash) that provides the full CA chain (a 2-tier CA) in the handshake, Winlogbeat connects fine.

Try running a command like this against your Logstash endpoint. Only the server cert and not the full chain should be shown.

openssl s_client -connect plogprocs1v.standardbank.co.za:5045 -showcerts -tls1

So I think we are blocked by https://github.com/logstash-plugins/logstash-input-beats/issues/64 and ultimately https://github.com/jruby/jruby-openssl/issues/84.


(system) #3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.