
I'm trying to connect to logstash with logstash-forwarder. Their communication is based on SSL, so I generated a self-signed certificate following this. Then I got this error message on the logstash-forwarder side:

Failed to tls handshake with 9.21.61.19 x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "*.*.*.*.*")

If I generate the certificate without a subject alt name, it will work. The working certificate can be generated by:

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=*.*.*.*.*

But what I'm hoping to do is to generate a certificate which can be used on different kinds of hosts. To do that I want to generate an SSL certificate whose CN=*.*.*.*.*, with alt names including *, *.*, *.*.*, etc.

Is there any suggestion on how I can overcome this SSL error? Or a better way to make logstash-forwarder work in a variety of environments?

Tyler
  • Names can only contain a single wildcard and only left-most. That is no `foo.*.example.com` and no `*.*.example.com` but only `*.example.com`. – Steffen Ullrich Aug 25 '15 at 06:25
  • Really? When I use CN=*.*.*.*.*, it does work in my environment. – Tyler Aug 25 '15 at 06:38
  • It might be that logstash does not properly verify certificates then, but according to RFC 6125 such broad wild cards should not be accepted. No browser will accept this either. – Steffen Ullrich Aug 25 '15 at 06:40
  • So you are saying my requirement is impossible to achieve? Do we have another way to work around this? I mean, to generate a certificate that works on hosts with all kinds of hostnames? I know this is not what SSL is designed for. But to make logstash-forwarder and logstash work in my production environment I do need this... – Tyler Aug 25 '15 at 06:47
  • I have no idea of the specifics of your environment. Apart from that this sounds more like professional server management so please ask at [serverfault.se](http://serverfault.com). – Steffen Ullrich Aug 25 '15 at 08:58
  • OK. Thanks a lot for your patience and knowledge sharing :) – Tyler Aug 25 '15 at 10:37

2 Answers


Turns out, when I removed the

keyUsage = digitalSignature, keyEncipherment

in [ v3_ca ], which the guide asks for, the generated certificate does work for a variety of host names.

This may not be the right scenario for SSL. But for the logstash/logstash-forwarder case, it does help.

Tyler
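The error in the question and the workaround in this answer are both explained by Go's crypto/x509 package (logstash-forwarder is written in Go): when a candidate issuer carries a keyUsage extension that lacks keyCertSign, CheckSignatureFrom rejects it with "parent certificate cannot sign this kind of certificate", and when the extension is absent altogether the check is skipped, which is why deleting the keyUsage line made the certificate work. The program below is an added example, not code from the original post or from the logstash projects. It reproduces the three cases in memory: the guide's keyUsage, no keyUsage, and keyUsage with keyCertSign, each used as a CA to sign a server certificate that is then verified against that CA as the only trusted root. The CA name, the server address and the choice of an IP SAN are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Variant is one choice for keyUsage in the [ v3_ca ] section of the openssl config.
type Variant struct {
	Name     string
	KeyUsage x509.KeyUsage
}

// The three cases from the thread: the guide's setting, the asker's workaround, and a real CA.
var Variants = []Variant{
	{"guide: digitalSignature, keyEncipherment", x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment},
	{"workaround: keyUsage removed", 0},
	{"fix: digitalSignature, keyCertSign", x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign},
}

// newCert signs tmpl with the parent's private key and returns the parsed certificate.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyVariant builds a self-signed CA with the given keyUsage, signs a server certificate
// with it, and verifies that certificate the way a Go TLS client does, with the CA as sole root.
func verifyVariant(usage x509.KeyUsage) error {
	caKey, err1 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lumberjack-ca"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true, // basicConstraints = CA:TRUE
		KeyUsage:              usage, // the setting under test
	}
	ca, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	srvIP := net.ParseIP("192.0.2.10") // constructed address from the RFC 5737 test range
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "logstash"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{srvIP}, // a client that dials an IP is matched against IP SANs, not the CN
	}
	srv, err := newCert(srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // what "ssl ca" in logstash-forwarder.conf supplies
	_, err = srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: srvIP.String()})
	return err
}

// RunVariants returns the verification error for each entry of Variants (nil on success).
func RunVariants() []error {
	var errs []error
	for _, v := range Variants {
		errs = append(errs, verifyVariant(v.KeyUsage))
	}
	return errs
}

// IsCannotSign reports whether err carries the constraint error quoted in the question.
func IsCannotSign(err error) bool {
	return err != nil && strings.Contains(err.Error(), "cannot sign this kind of certificate")
}

func main() {
	for i, err := range RunVariants() {
		fmt.Printf("%-42s -> %v\n", Variants[i].Name, err)
	}
}
```

Run it with go run: the first variant prints the same "certificate signed by unknown authority (possibly because of ... cannot sign this kind of certificate ...)" message as the question, the other two verify. The conformant fix is to keep a keyUsage line in [ v3_ca ] but include keyCertSign in it, rather than dropping the extension; a CA certificate with no keyUsage at all is accepted only because the check is skipped. This does not change the point made in the comments: a multi-label wildcard such as *.*.*.*.* is still not a valid name under RFC 6125, and a client that connects by IP address needs an IP SAN.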

Have you mentioned the pem file in "ssl ca" in logstash-forwarder.conf? You have to mention the pem file which was used to sign the certificate in the conf.

Avik Das
  • Sorry for the late reply. Yes, I updated the "ssl ca" in logstash-forwarder.conf. It resolved the issue. Thanks – Avik Das Jan 04 '16 at 22:09