Logstash-forwarder is throwing SSL errors

logstash

I got this task handed over to by my colleage and this is the background.

He got ELK (Elasticsearch, Logstash and Kibana) stack working with our RHEL 6.2 servers, by using the regular method of configuring the Logstash on the server and Logstash-forwarder on all the agents. Everything is working fine as expected, except for two logstash agent nodes. It is not indexing data from these two nodes and these two agent nodes are slightly different from the other agents in the environment. All the agents (that are working) are running RHEL 6.2 machine with 'OpenSSL 1.0.0-fips', while the two troublesome agents are running RHEL 5.5 with 'OpenSSL 0.9.8e-fips-rhel5'. Now, let me explain the issues that these two nodes were facing when I started working on this.

When we restart the logstash forwarder service with '/etc/init.d/logstash-forwarder restart', it throws the following error:

2014/10/01 09:21:23.898917 Failed to tls handshake with 10.x.x.x x509:
cannot validate certificate for 10.x.x.x because it doesn't contain
any IP SANs 2014/10/01 09:21:24.900502 Connecting to [10.x.x.x]:5000
(10.x.x.x) 2014/10/01 09:21:24.902081 Failed to tls handshake with
10.x.x.x x509: cannot validate certificate for 10.x.x.x because it doesn't contain any IP SANs 2014/10/01 09:21:25.903970 Connecting to
[10.x.x.x]:5000 (10.x.x.x) 2014/10/01 09:21:25.905708 Failed to tls
handshake with 10.x.x.x x509: cannot validate certificate for 10.x.x.x
because it doesn't contain any IP SANs

I understand that this is because the agent is trying to connect to the server through SSL using its IP address, so I recreated the certificates again with IP SANs and then it started throwing me following errors, not only with the 5.2 machines, but also with 6.2 machines:

2014/10/03 17:09:12.403253 Failed to tls handshake with 10.x.x.x x509:
certificate signed by unknown authority 2014/10/03 17:09:13.404974
Connecting to [10.x.x.x]:5000 (10.x.x.x) 2014/10/03 17:09:13.428156
Failed to tls handshake with 10.x.x.x x509: certificate signed by
unknown authority 2014/10/03 17:09:14.429648 Connecting to
[10.x.x.x]:5000 (10.x.x.x) 2014/10/03 17:09:14.442006 Failed to tls
handshake with 10.x.x.x x509: certificate signed by unknown authority

I tried to add the certificate to the ca-bundle.crt by appending the new logstash certificate to the CA file with:

'openssl x509 -in certs/logstash-forwarder.crt -text >> certs/ca-bundle.crt'.

I have a feeling that I will be able to fix the whole issue if I am able to make the 'IP SAN'd certificates add to the trusted certificates list of all the agent nodes. My questions are:

One more thing, the Logstash server is running RHEL 6.2. And all the agent nodes (working and non-working) have the same version of logstash-forwarder installed –
logstash-forwarder-0.3.1-1.x86_64.rpm.
What is the correct method to make these agent nodes accept the IP SANs certificates?
Am I understanding issue correctly?
Is it some incompatibility between the RHEL 6.x and RHEL 5.x machines?

I have the following entries in the /etc/logstash-forwarder

[root@name2 ~]# cat /etc/logstash-forwarder { "network": {
"servers": [ "10.x.x.x:5000" ],
"timeout": 15,
"ssl ca": "/etc/pki/tls/certs/logstash-forwarder.crt",
"ssl strict verify": "false" }, "files": [
{
"paths": [
"/var/log/maillog"
],
"fields": { "type": "syslog" }
} ] } [root@name2 ~]#

Thanks in advance.

Best Answer

The certificate you are using does not have any valid IP SAN's as mentioned in the message:

Failed to tls handshake with x.x.x.x x509: cannot validate certificate for x.x.x.x because 
it doesn't contain any IP SANs

If you connect using an IP address then your certificate must contain a matching IP SAN to pass validation with Go 1.3 and higher. This is not (yet?) mentioned in any README file or documentation but there are some issues ( #226 , #221 ) open at the project github repo.
To permit IP address as the server name, the SSL cert must include IP address as a subjectAltName field.

To solve that you can use following procedure for the creation of the SSL cert and key:

Create a file notsec.cfr (or any other name) containing output like:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = TG
ST = Togo
L =  Lome
O = Private company
CN = *

[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:TRUE
subjectAltName = @alt_names

[alt_names]
DNS.1 = *
DNS.2 = *.*
DNS.3 = *.*.*
DNS.4 = *.*.*.*
DNS.5 = *.*.*.*.*
DNS.6 = *.*.*.*.*.*
DNS.7 = *.*.*.*.*.*.*
IP.1 = 192.168.1.1
IP.2 = 192.168.69.14

If you connect via host names, you can remove the IP SAN's, otherwise add your logstash server IP address.

Create the certificate and key with following command (using the file from point 1):

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout notsecure.key -out notsecure.crt -config notsec.cnf -days 1825

This will create a kind of wildcard certificate accepting any hostname and the IP addresses mentioned it that file. Of course this is just a simple example and you wil need to adjust the settings to your needs.

Related Solutions

Centos – Logstash Forwarder doesn’t start up with chkconfig in CentOS 5

I ended up posting about the issue on the github page for the project, and I got quite a speedy response pointing me to another issue which came along with another init script, which I have now implemented. This seems to work correctly.

Thanks to TrevorH in the CentOS IRC channel for the assitance, as well as driskell on github for getting me to the new init script, I'll copy it below for reference in case anyone has the same problem I have with that script above:

#!/bin/bash
# chkconfig: 345 80 20
# description: Logstash Forwarder
# processname: logstash-forwarder
# config: /etc/logstash-forwarder
# pidfile: /var/run/logstash-forwarder.pid

### BEGIN INIT INFO
# Provides: logstash-forwarder
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $network $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: start and stop logstash-forwarder
# Description: Logstash Forwarder
### END INIT INFO

# Source function library.
. /etc/rc.d/init.d/functions

PATH=/sbin:/usr/sbin:/bin:/usr/bin

prog=logstash-forwarder
DAEMON=/opt/logstash-forwarder/bin/logstash-forwarder
pidfile=/var/run/$prog.pid
lockfile=/var/lock/subsys/$prog

# load defaults

[ -e /etc/default/$prog ] && . /etc/default/$prog
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog

DAEMON_ARGS="${DAEMON_ARGS:--config /etc/logstash-forwarder -spool-size 100 -log-to-syslog}"

start()
{
    echo -n $"Starting $prog: "
    nohup $DAEMON $DAEMON_ARGS </dev/null >/dev/null 2>&1 &
    retval=$?
    pid=$!
    echo $pid > $pidfile
    if [ rh_status_q ]; then
        touch $lockfile
        success
        echo
    fi
    return $retval
}

stop()
{
    echo -n $"Stopping $prog: "
    killproc -p "$pidfile" $prog
    retval=$?
    [ -f "$pidfile" ] && rm -f $pidfile
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    stop
    start
}

reload() {
    restart
}

force_reload() {
    restart
}

rh_status() {
    status -p $pidfile $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        restart
        ;;
    status)
        rh_status
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
esac
exit $?

This has been modified slightly as the original script had .conf in the DAEMON_ARGS statement which wasn't needed on CentOS 5 or 6

EDIT

There were some issues with the init script, but the commiter has updated it today, for my instance I also needed either of the following files:

/etc/defaults/logstash-forwarder
/etc/sysconfig/logstash-forwarder

Content:

DAEMON_ARGS="${DAEMON_ARGS:--config /etc/logstash-forwarder/logstash-forwarder.conf -spool-size 100}"

Get logstash version

Logstash is one of those things that just doesn't quite live where you expect it to live, and the documentation is reallllly light (read: non-existent) on where they expect you to find things, so if you've installed it from a package then it can be nigh impossible to find the expected location documented. ¹

Logstash typically lives in /opt/logstash and you can find the logstash binary in the bin folder (/opt/logstash/bin).

From there you can run -V or --version

./logstash -v

./logstash --version

From your comments on another answer, it would appear that this is in a docker container. This is the sort of thing you should really be including in your original question.

You will want to make use of docker exec. You will need to use docker ps to list your containers, and pass that through to your docker exec command.

For example:

docker exec -d elk_container /opt/logstash/bin/logstash --version

_{¹I don't want this to be misconstrued. Logstash documentation is excellent - it's just the parts about where all the different bits are expected to live that's impossible to find}

Best Answer

Related Solutions

Centos – Logstash Forwarder doesn’t start up with chkconfig in CentOS 5

Get logstash version

Related Topic