i'm try to start setup ssl btw filebeat and logstash. generate cert.pem and key.pem with:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout logstashK.pem -out logstashC.pem && openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout filebeat03K.pem -out filebeat03C.pem
copy logstash keys to /etc/logstash and filbeat to /etc/filebeat
edit pipeline.conf:
beats {
port => 63301
ssl => true
ssl_certificate_authorities => [ "/etc/logstash/ca.crt" ]
ssl_certificate => "/etc/logstash/logstashC.pem"
ssl_key => "/etc/logstash/logstashK.pem"
ssl_verify_mode => "none"<
and filebeat.yml
output.logstash:
hosts: ["192.168.129.33:63301"]
ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
ssl.certificate: "/etc/filebeat/filebeat03C.pem"
ssl.key: "/etc/filebeat/filebeat03K.pem"
verification_mode: none
then i run:
[reversal@rv03prd keys]$ curl -v --cacert ca.crt https://192.168.129.33:63001
* Rebuilt URL to: https://192.168.129.33:63001/
* Trying 192.168.129.33...
* TCP_NODELAY set
* Connected to 192.168.129.33 (192.168.129.33) port 63001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
restart filebeat and logstash: tail -f
both logs and then i have in filbeat log:
x509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs
i found this https://serverfault.com/questions/611120/failed-tls-handshake-does-not-contain-any-ip-sans
SSL needs identification of the peer, otherwise your connection might be against a man-in-the-middle which decrypts + sniffs/modifies the data and then forwards them encrypted again to the real target. Identification is done with x509 certificates which need to be validated against a trusted CA and which need to identify the target you want to connect to.
Usually the target is given as a hostname and this is checked against the subject and subject alternative names of the certificate. In this case your target is a IP. The validate the certifcate successfully the IP must be given n the certificate inside the subject alternative names section, but not as an DNS entry (e.g. hostname) but instead as IP.
So what you need to is:
Edit your /etc/ssl/openssl.cnf on the logstash host - add subjectAltName = IP:192.168.2.107 in [v3_ca] section.
Recreate the certificate
Copy the cert and key to both hosts
i followed those steps but still receive the same error after restart filebeat:
x509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs
and curl -v --cacert ca.crt https://192.168.129.33:63001
have the same error.
how can i fix it? i appreciate any help.
thanks