1

I'm trying to convert a JKS cert to PKCS8 for Logstash v5.1. I found an example here: https://stackoverflow.com/a/656559

keytool -importkeystore -srckeystore foo.jks -destkeystore foo.p12 \
  -srcstoretype jks   -deststoretype pkcs12
openssl pkcs12 -in foo.p12 -out foo.pem
openssl pkcs12 -in foo.p12 -nocerts -out key.pem
openssl pkcs8 -in key.pem -topk8 -out p8key.pem

But it produces the following error when attempting to run logstash:

ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}

I also tried to convert to pkcs8 with the -nocrypt flag, and receive this error:

ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record
AkodoIeyasu

1 Answer

2

The cause of this error:

ERROR logstash.inputs.beats - Looks like you either have an invalid key or your private key was not in PKCS8 format.
{:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /ELK/logstash/SSL/p8key.pem}

is because ssl_key_passphrase => "password" was not set in the logstash input.

And this error:

ERROR org.logstash.beats.BeatsHandler - Exception: not an SSL/TLS record

is because non-SSL/TLS traffic was attempting to go through the SSL/TLS port. In this case, the culprit was filebeat.

https://www.elastic.co/guide/en/x-pack/current/security-troubleshooting.html

AkodoIeyasu
  • @Akodoleyasu Were you able to rectify this error: `[INFO ][org.logstash.beats.BeatsHandler] Exception: not an SSL/TLS record` `[INFO ][org.logstash.beats.BeatsHandler] Exception: Connection reset by peer` Here's my metricbeat.yml file in the next comment. Thanks for the help! – Suraj Nov 30 '17 at 12:56
  • #----------------------------- Logstash output -------------------------------- output.logstash: # The Logstash hosts hosts: ["elkstack.mydomain.com:5044"] ssl.enabled: true # Optional SSL. By default is off. # List of root certificates for HTTPS server verifications ssl.certificate_authorities: ["/etc/pki/ca/ca.crt"] # Certificate for SSL client authentication ssl.certificate: "/etc/pki/elkstack.mydomain.com/elkstack.mydomain.com.crt" # Client Certificate Key ssl.key: "/etc/pki/elkstack.mydomain.com/elkstack.mydomain.com.key" – Suraj Nov 30 '17 at 12:59
  • Thanks for all the help in advance! – Suraj Nov 30 '17 at 13:02
  • I created a certificate using `certgen` with a passphrase set. But that creates a passphrase for the CA cert. Anyhow that did not work. Can you please help me with this error? – Suraj Nov 30 '17 at 13:04
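
A check for the first error discussed in the answer above, as an added example that is not part of the original post: it reads the PEM armor line of a key file to tell whether the key is encrypted PKCS#8 (so `ssl_key_passphrase` is required), unencrypted PKCS#8, or a traditional key that still needs `openssl pkcs8 -topk8`. The function names, hint wording and the script name `keycheck.sh` are assumptions.

```sh
#!/bin/sh
# Added example: classify a PEM private key by its armor line and say what
# the Logstash beats input needs. Names and hint wording are assumptions.

key_format() {
    # `openssl pkcs12 -nocerts` writes "Bag Attributes" text before the key,
    # so look for the first BEGIN line rather than reading line 1.
    kf_header=$(grep -e '^-----BEGIN .*PRIVATE KEY-----' -- "$1" 2>/dev/null |
                head -n 1 | tr -d '\r')
    case $kf_header in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-plain ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Traditional (non-PKCS#8) keys mark encryption in a PEM header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' -- "$1"; then
                echo traditional-encrypted
            else
                echo traditional-plain
            fi ;;
        *) echo no-private-key; return 1 ;;
    esac
}

logstash_hint() {
    case $(key_format "$1") in
        pkcs8-encrypted) echo "set ssl_key_passphrase in the beats input" ;;
        pkcs8-plain)     echo "leave ssl_key_passphrase unset" ;;
        traditional-*)   echo "convert first: openssl pkcs8 -topk8 -in $1 -out p8key.pem" ;;
        *)               echo "no PEM private key found in $1" ;;
    esac
}

# Stand-alone use: sh keycheck.sh p8key.pem key.pem
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf '%s: %s -> %s\n' "$f" "$(key_format "$f")" "$(logstash_hint "$f")"
    done
fi
```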