
I have generated SSL certificates for Filebeat (v6.1.0, ELK 5.6.4) and deployed them to the client and configured Filebeat to use the ssl.certificate_authorities in filebeat.yml. However, Filebeat cannot validate the SSL certificate even though I have specified the subjectAlternateName in [ v3_ca ] in the SSL configuration.

Generate the key:

$ sudo openssl req -config cert.cnf -x509 -batch -nodes -newkey rsa -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt

cert.cnf

[ req ]
prompt = no
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = BL
stateOrProvinceName = blah
localityName = blah
commonName = xxx.xxx.xxx.xxx

[ v3_ca ]
subjectAltName = IP:xxx.xxx.xxx.xxx

Why am I still getting the following error?

ERR  Failed to connect: x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs
James

  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) You will also need to place the self-signed certificate in the appropriate trust store. – jww Dec 17 '17 at 18:10
  • You should rather specify the type of entry and the value, i.e. not just the IP address but `subjectAltName = IP:xxx.xxx.xxx.xxx`. – Steffen Ullrich Dec 17 '17 at 21:06
  • @jww Extremely helpful links. Thank you! – James Dec 25 '17 at 18:23

1 Answer

If you have added the subjectAltName with the correct IP address and you are still seeing this error, verify that the certificate is actually picking up this property from the config file.

Verify the key:

$ openssl x509 -in certs/logstash-forwarder.crt -text -noout

Look for a section

X509v3 Subject Alternative Name:
            IP Address:xxx.xxx.xxx.xxx

If that section is missing, then for some reason the subjectAlternateName is not being generated for your key. In this instance, although all documents say to place the subjectAlternateName under the [ v3_ca ] section, this section won't be read unless specified (if you are using the default /etc/ssl/openssl.cnf this might not be a problem). For a CA: in the cert.cnf make sure the [ req ] section points the x509_extensions to v3_ca. For a CSR: in the cert.cnf make sure the [ req ] section points the req_extensions to v3_ca.

cert.cnf

[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_ca  # <----------- This one, if generating a CSR
x509_extensions = v3_ca  # <---------- This one, if generating a CA

[ req_distinguished_name ]
countryName = BL
stateOrProvinceName = blah
localityName = blah
commonName = xxx.xxx.xxx.xxx

[ v3_ca ]
subjectAltName = IP:xxx.xxx.xxx.xxx

Regenerate the key and verify it again; you should see the following section in the output:

X509v3 extensions:
    X509v3 Subject Alternative Name:
        IP Address:xxx.xxx.xxx.xxx

Deploy and enjoy.

James
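Filebeat is written in Go, and the message in the question is what Go's crypto/x509 package reports when a client connects to an IP address and the certificate has no IP entry in its Subject Alternative Name extension; the Common Name is never consulted for IP addresses. The program below is an added illustration, not code from the question, the answer, or the Beats project. Using only the Go standard library, it builds two self-signed certificates for a constructed documentation address (192.0.2.10): one with the IP only in the CommonName, which is what the original cert.cnf produced because the [ v3_ca ] section was never applied, and one with an IP SAN, which is what the corrected x509_extensions = v3_ca line yields. It then verifies each the way a Go TLS client that trusts the certificate via ssl.certificate_authorities would. The function names and the address are the example's own. One caveat: the exact wording of the failure varies with the Go version (Go 1.15 and later may instead report that the certificate relies on the legacy Common Name field when it carries no SAN extension at all), so the check below classifies the error by type rather than by text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeSelfSigned builds a self-signed certificate whose subject CN is ip.
// With withIPSAN set, ip is also written into the Subject Alternative Name
// extension, which is what "subjectAltName = IP:..." yields once OpenSSL
// actually applies the [ v3_ca ] section. Example helper, not Filebeat code.
func makeSelfSigned(ip string, withIPSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: ip},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ip)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyForIP does what a Go TLS client does when the certificate is listed
// under ssl.certificate_authorities and the client dials ip: trust it as a
// root and check the dialed address against the certificate's names.
// It returns the verification error, or nil when the certificate is accepted.
func verifyForIP(cert *x509.Certificate, ip string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   ip, // a literal IP here is matched against IP SANs only, never the CN
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isNameMismatch reports whether err is Go's name-check failure
// (x509.HostnameError), the error class behind the message in the question.
func isNameMismatch(err error) bool {
	var hErr x509.HostnameError
	return errors.As(err, &hErr)
}

func main() {
	const ip = "192.0.2.10" // constructed example address (RFC 5737 documentation range)
	for _, withSAN := range []bool{false, true} {
		cert, err := makeSelfSigned(ip, withSAN)
		if err != nil {
			panic(err)
		}
		// cert.IPAddresses is what "openssl x509 -text" prints under
		// "X509v3 Subject Alternative Name" as "IP Address:...".
		fmt.Printf("IP SANs: %v\n", cert.IPAddresses)
		if err := verifyForIP(cert, ip); err != nil {
			fmt.Printf("  verify failed (name mismatch=%v): %v\n", isNameMismatch(err), err)
		} else {
			fmt.Println("  verify ok")
		}
	}
}
```

Running it prints an empty SAN list and a name-check failure for the first certificate, and the IP SAN followed by "verify ok" for the second; the same two outcomes are what Filebeat sees before and after the x509_extensions fix in the answer.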