X509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs


(Igor Marques) #1

I'm trying to set up SSL between Filebeat and Logstash. I generate cert.pem and key.pem with:

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout logstashK.pem -out logstashC.pem && openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout filebeat03K.pem -out filebeat03C.pem

Copy the Logstash keys to /etc/logstash and the Filebeat keys to /etc/filebeat.

Edit pipeline.conf:

 beats {
         port => 63301
         ssl => true
         ssl_certificate_authorities => [ "/etc/logstash/ca.crt" ]
         ssl_certificate => "/etc/logstash/logstashC.pem"
         ssl_key => "/etc/logstash/logstashK.pem"
         ssl_verify_mode => "none"
 }

and filebeat.yml:

 output.logstash:
   hosts: ["192.168.129.33:63301"]
   ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
   ssl.certificate: "/etc/filebeat/filebeat03C.pem"
   ssl.key: "/etc/filebeat/filebeat03K.pem"
   verification_mode: none

Then I run:

[reversal@rv03prd keys]$ curl -v --cacert ca.crt https://192.168.129.33:63001
* Rebuilt URL to: https://192.168.129.33:63001/
*   Trying 192.168.129.33...
* TCP_NODELAY set
* Connected to 192.168.129.33 (192.168.129.33) port 63001 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: ca.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

I restart Filebeat and Logstash, tail -f both logs, and then I have this in the Filebeat log:

x509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs

I found this: https://serverfault.com/questions/611120/failed-tls-handshake-does-not-contain-any-ip-sans

SSL needs identification of the peer, otherwise your connection might be against a man-in-the-middle which decrypts + sniffs/modifies the data and then forwards them encrypted again to the real target. Identification is done with x509 certificates which need to be validated against a trusted CA and which need to identify the target you want to connect to.

Usually the target is given as a hostname and this is checked against the subject and subject alternative names of the certificate. In this case your target is an IP. To validate the certificate successfully the IP must be given in the certificate inside the subject alternative names section, not as a DNS entry (e.g. hostname) but as an IP.

So what you need to do is:

    Edit your /etc/ssl/openssl.cnf on the logstash host - add subjectAltName = IP:192.168.2.107 in [v3_ca] section.

    Recreate the certificate

    Copy the cert and key to both hosts

I followed those steps but still receive the same error after restarting Filebeat:

x509: cannot validate certificate for 192.168.129.33 because it doesn't contain any IP SANs

and curl -v --cacert ca.crt https://192.168.129.33:63001 gives the same error.

How can I fix it? I appreciate any help.

Thanks


(Andrew Kroh) #2

Please read through the Securing Communication With Logstash by Using SSL documentation and see the troubleshooting documentation that it links to.

It sounds like the server certificate used by Logstash still does not include the server's IP address as a SAN. I recommend opening the certificate with openssl and verifying its contents.

$ openssl x509 -text -noout -in /etc/logstash/logstashC.pem
            ...
            X509v3 Subject Alternative Name: 
                IP Address:192.168.55.88

Alternatively you could use the FQDN that is in the server's certificate in your Filebeat config for the output.logstash.hosts value (provided that the FQDN is resolvable).
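The error string in the question is produced by Go's crypto/x509 package, which is what Filebeat's Logstash output uses to check the server certificate after the TLS handshake. The following Go program is an added example, not code from this thread or from Elastic: it builds two self-signed server certificates in memory, one that names the server only in the Subject CN (what the thread's plain openssl req -x509 run produces) and one that carries an IP SAN plus a DNS SAN, then runs the same verification Filebeat performs against the dialed host. It reproduces the exact "doesn't contain any IP SANs" message for the first certificate, and shows that the second validates both when dialed by IP and when dialed by FQDN (the alternative suggested above). The CN "logstash" and the FQDN "logstash.example" are assumptions for illustration; 192.168.129.33 is the address from the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Names used by the example. The IP is the Logstash address from the thread;
// the FQDN is an assumption made for illustration, not a host from the thread.
const (
	serverIP   = "192.168.129.33"
	serverFQDN = "logstash.example"
)

// NewServerCert builds a self-signed server certificate, the in-memory
// equivalent of "openssl req -x509 -newkey ...". With withSANs=false the
// certificate names the server only in the Subject CN, which is what a
// stock openssl.cnf produces; with withSANs=true it carries an IP SAN and a
// DNS SAN, as the serverfault answer and the reply above call for.
func NewServerCert(withSANs bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "logstash"}, // assumed CN; CN alone is never matched against an IP
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: the cert is its own trust anchor
	}
	if withSANs {
		tmpl.IPAddresses = []net.IP{net.ParseIP(serverIP)}
		tmpl.DNSNames = []string{serverFQDN}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyAs performs the check Filebeat's TLS client performs after the
// handshake: chain the server certificate to the configured CA (here the
// self-signed cert itself, as ca.crt would be) and match the dialed host,
// which may be an IP or a DNS name, against the certificate's SANs.
func VerifyAs(cert *x509.Certificate, dialedHost string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   dialedHost, // an IP here is matched against IP SANs only
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameMismatch reports whether err is the name-check failure that yields
// "doesn't contain any IP SANs", as opposed to an expiry or chain problem.
func IsNameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	for _, withSANs := range []bool{false, true} {
		cert, err := NewServerCert(withSANs)
		if err != nil {
			panic(err)
		}
		for _, host := range []string{serverIP, serverFQDN} {
			fmt.Printf("SANs=%-5v host=%-16s -> %v\n", withSANs, host, VerifyAs(cert, host))
		}
	}
}
```

On OpenSSL 1.1.1 or later, the command-line equivalent of editing the [v3_ca] section of openssl.cnf is to pass -addext "subjectAltName = IP:192.168.129.33" to the openssl req -x509 command from the question; afterwards the openssl x509 -text -noout command above must show an "IP Address:" line under X509v3 Subject Alternative Name, otherwise Filebeat will keep failing the check. Filebeat's ssl.verification_mode: none (and Logstash's ssl_verify_mode => "none") would suppress this name check entirely, but only by giving up the man-in-the-middle protection the quoted serverfault answer describes.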


(Igor Marques) #3

You are correct, and some more steps to generate the keys and crt properly. Thanks. Working now.


(system) #4

This topic was automatically closed after 21 days. New replies are no longer allowed.