SSL [SOLVED]: Filebeat cannot connect to Logstash because certificate does not contain any IP SANs



    Anonymous

    Question

    I have generated SSL certificates for Filebeat (v6.1.0, ELK 5.6.4) and deployed them to the client and configured Filebeat to use the ssl.certificate_authorities in filebeat.yml. However, filebeat cannot validate the SSL certificate even though I have specified the subjectAlternateName in [ v3_ca ] in the SSL configuration.

    Generate the key:

    $ sudo openssl req -config cert.cnf -x509 -batch -nodes -newkey rsa -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
    

    cert.cnf

    [ req ]
    prompt = no
    distinguished_name = req_distinguished_name
    
    [ req_distinguished_name ]
    countryName = BL
    stateOrProvinceName = blah
    localityName = blah
    commonName = xxx.xxx.xxx.xxx
    
    [ v3_ca ]
    subjectAltName = IP:xxx.xxx.xxx.xxx
    

    Why am I still getting the following error?

    ERR  Failed to connect: x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs
    


    Anonymous

    Accepted Answer

    If you have added the subjectAltName with the correct IP address and you are still seeing this error, verify that the certificate is actually picking up this property from the config file.

    Verify the key:

    $ openssl x509 -in certs/logstash-forwarder.crt -text -noout
    

    Look for a section

    X509v3 Subject Alternative Name:
                IP Address:xxx.xxx.xxx.xxx
    

    If that section is missing, then for some reason the subjectAlternateName is not being generated for your key. In this instance, although all documents say to place the subjectAlternateName under the [ v3_ca ] section, this section won’t be read unless specified (if you are using the default /etc/ssl/openssl.cnf this might not be a problem). For a CA: in cert.cnf make sure the [ req ] section points x509_extensions to v3_ca. For a CSR: in cert.cnf make sure the [ req ] section points req_extensions to v3_ca.

    cert.cnf

    [ req ]
    prompt = no
    distinguished_name = req_distinguished_name
    req_extensions = v3_ca  # <----------- This one, if generating a CSR
    x509_extensions = v3_ca  # <---------- This one, if generating a CA
    
    [ req_distinguished_name ]
    countryName = BL
    stateOrProvinceName = blah
    localityName = blah
    commonName = xxx.xxx.xxx.xxx
    
    [ v3_ca ]
    subjectAltName = IP:xxx.xxx.xxx.xxx
    

    Regenerate the key and verify; you should see the following section in the output:

    X509v3 extensions:
        X509v3 Subject Alternative Name:
            IP Address:xxx.xxx.xxx.xxx
    

    Deploy and enjoy.

    Source: https://stackoverflow.com/questions/47857914/filebeat-cannot-connect-to-logstash-because-certificate-does-not-contain-any-ip
    Author: TechMedicNYC
    Creative Commons License
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
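The script below is an added example, not part of the question or the accepted answer above. It reproduces both configs from the thread side by side: the question's cert.cnf, where [ v3_ca ] exists but nothing in [ req ] refers to it, and the answer's version with x509_extensions = v3_ca. It generates a self-signed certificate from each and extracts the IP SANs with the same openssl x509 -text check the answer recommends, so you can see that the first certificate carries the IP only in the CN while the second carries it as an IP SAN. That distinction is the whole story: Filebeat is written in Go, and Go's crypto/x509 matches an IP address host only against IP SANs, never against the CN, which is exactly the "doesn't contain any IP SANs" error in the question. Assumptions: the openssl command-line tool is installed; 203.0.113.10 is a documentation address standing in for xxx.xxx.xxx.xxx; the helper names (write_cnf, gen_cert, ip_sans, subject_cn, has_ip_san) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why the question's
# cert.cnf produces no IP SAN and the accepted answer's version does.
# Assumes the openssl CLI is on PATH. 203.0.113.10 is a placeholder IP.
set -eu

IP="${IP:-203.0.113.10}"
WORK="$(mktemp -d)"

# write_cnf FILE WITH_POINTER
# Writes an OpenSSL request config. With WITH_POINTER=0 it matches the
# question (a [ v3_ca ] section that nothing references); with 1 it adds the
# x509_extensions / req_extensions lines from the accepted answer.
write_cnf() {
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = req_distinguished_name\n'
        if [ "$2" = 1 ]; then
            printf 'x509_extensions = v3_ca\n'   # used by: openssl req -x509
            printf 'req_extensions = v3_ca\n'    # used by: openssl req (CSR)
        fi
        printf '\n[ req_distinguished_name ]\n'
        printf 'countryName = BL\nstateOrProvinceName = blah\nlocalityName = blah\n'
        printf 'commonName = %s\n' "$IP"
        printf '\n[ v3_ca ]\nsubjectAltName = IP:%s\n' "$IP"
    } > "$1"
}

# gen_cert CONFIG OUTBASE
# Self-signed cert + key, same openssl req invocation as the question
# (plus an explicit key size and validity period).
gen_cert() {
    openssl req -config "$1" -x509 -batch -nodes -newkey rsa:2048 -days 365 \
        -keyout "$2.key" -out "$2.crt" >/dev/null 2>&1
}

# ip_sans CERT
# Prints each IP SAN in the certificate on its own line; prints nothing
# when the Subject Alternative Name extension is absent. This is the
# "look for IP Address:" check from the answer, made scriptable.
ip_sans() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# subject_cn CERT
# Prints the CN from the subject, to show the IP is there in both certs.
subject_cn() {
    openssl x509 -in "$1" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# has_ip_san CERT IP
# Exit 0 if CERT carries IP as an IP SAN, 1 otherwise. This mirrors the
# rule Go's verifier applies when the configured host is an IP address:
# only IP SANs count, the CN is ignored.
has_ip_san() {
    ip_sans "$1" | grep -qx "$2"
}

write_cnf "$WORK/broken.cnf" 0   # the question's config
write_cnf "$WORK/fixed.cnf" 1    # the accepted answer's config
gen_cert "$WORK/broken.cnf" "$WORK/broken"
gen_cert "$WORK/fixed.cnf" "$WORK/fixed"

for name in broken fixed; do
    crt="$WORK/$name.crt"
    echo "$name.crt: CN=$(subject_cn "$crt") IP SANs=[$(ip_sans "$crt" | tr '\n' ' ')]"
    if has_ip_san "$crt" "$IP"; then
        echo "  -> Filebeat will accept this certificate for $IP"
    else
        echo "  -> Filebeat: cannot validate certificate for $IP because it doesn't contain any IP SANs"
    fi
done
```

Both certificates have CN = 203.0.113.10; only the second has the X509v3 Subject Alternative Name extension, which is what has_ip_san keys on. The same check is a useful gate in a deployment script: refuse to copy a certificate to Filebeat hosts unless has_ip_san succeeds for the address that appears in output.logstash.hosts.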
