[ELK Stack] Generate TLS certs for filebeat and logstash
1. Generate a new domain name for the logstash server. For this tutorial:
   domain name = logstash-prod.xyz.com
   ip = 1.2.3.4
* Enter the following directory
```
$ sudo mkdir /etc/pki
$ cd /etc/pki
```
* Generate CA and self-sign it.
```
$ mkdir -p certs/{devices,client,ca,tmp}
$ openssl genrsa -out certs/ca/root-ca.key.pem 2048
$ openssl req -x509 -new -nodes -key certs/ca/root-ca.key.pem -days 9131 -out certs/ca/root-ca.crt.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Signing Authority Inc/CN=logstash-prod.xyz.com"
```
* Generate logstash certs
```
$ openssl genrsa -out certs/devices/logstash.key.pem 2048
$ openssl req -new -key certs/devices/logstash.key.pem -out certs/tmp/logstash.csr.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=logstash-prod.xyz.com"
$ openssl x509 -req -in certs/tmp/logstash.csr.pem -CA certs/ca/root-ca.crt.pem -CAkey certs/ca/root-ca.key.pem -CAcreateserial -out certs/devices/logstash.crt.pem -days 9131
```
* Generate filebeat certs
```
$ openssl genrsa -out certs/devices/filebeat.key.pem 2048
$ openssl req -new -key certs/devices/filebeat.key.pem -out certs/tmp/filebeat.csr.pem -subj "/C=US/ST=Utah/L=Provo/O=ACME Service/CN=logstash-prod.xyz.com"
$ openssl x509 -req -in certs/tmp/filebeat.csr.pem -CA certs/ca/root-ca.crt.pem -CAkey certs/ca/root-ca.key.pem -CAcreateserial -out certs/devices/filebeat.crt.pem -days 9131
```
* Convert the private keys to PKCS#8 format
```
$ openssl pkcs8 -topk8 -inform pem -in certs/devices/logstash.key.pem -outform pem -nocrypt -out certs/devices/logstash-pkcs8.pem
$ openssl pkcs8 -topk8 -inform pem -in certs/devices/filebeat.key.pem -outform pem -nocrypt -out certs/devices/filebeat-pkcs8.pem
```
* Give `777` file permissions to all these certs
* Restart logstash if you generated the certs after starting logstash
`$ cd /etc/deploy/docker-compose && sudo docker-compose down`
* Verify it
```
$ curl -v --key certs/devices/filebeat-pkcs8.pem --cert certs/devices/filebeat.crt.pem --cacert certs/ca/root-ca.crt.pem https://logstash-prod.xyz.com:5044
```
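Before wiring the files into filebeat and logstash, it is worth checking that each cert chains to the CA, that each key belongs to its cert, and that the server cert's CN is the bare hostname (a CN such as `host:5044` passes `openssl verify` but fails hostname checking, which is the mistake reported in the comments below). The script that follows is an added example, not part of the gist; it assumes only the `openssl` CLI, and the `demo` function builds its own throwaway CA and leaf certs rather than touching `/etc/pki`.

```sh
#!/bin/sh
# Added example, not part of the gist: sanity-check certs built with the steps
# above before wiring them into filebeat/logstash. Needs only the openssl CLI.
set -u

# check_cert CA CERT KEY [HOST]
# Passes when CERT chains to CA, KEY is the private key for CERT and, if HOST is
# given, the subject CN equals HOST exactly (so "host:5044" is rejected).
# Use HOST for the logstash (server) cert; omit it for the filebeat client cert,
# whose CN is not matched against a hostname under ssl_verify_mode force_peer.
check_cert() {
  ca=$1; crt=$2; key=$3; host=${4:-}
  openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
    || { echo "FAIL chain: $crt is not signed by $ca"; return 1; }
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)   # PKCS#1 or PKCS#8
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
    || { echo "FAIL keypair: $key does not belong to $crt"; return 1; }
  if [ -n "$host" ]; then
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt sep_multiline,lname \
         | sed -n 's/^ *commonName=//p')
    [ "$cn" = "$host" ] \
      || { echo "FAIL name: CN '$cn' != '$host' (no scheme or :port in CN)"; return 1; }
  fi
  echo "OK $crt"
}

# demo: constructed data, not the gist's real certs. Builds a throwaway CA, a
# correct leaf (CN = bare hostname) and a wrong leaf (CN = "hostname:5044");
# succeeds only if check_cert accepts the first and rejects the second.
demo() {
  d=$(mktemp -d); host=logstash-prod.xyz.com
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for name in good bad; do
    cn=$host; [ "$name" = bad ] && cn="$host:5044"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$d/ca.crt" \
      -CAkey "$d/ca.key" -CAcreateserial -out "$d/$name.crt" 2>/dev/null
  done
  check_cert "$d/ca.crt" "$d/good.crt" "$d/good.key" "$host" || return 1
  if check_cert "$d/ca.crt" "$d/bad.crt" "$d/bad.key" "$host"; then return 1; fi
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; fi
```

To check the real files from the steps above, run `check_cert certs/ca/root-ca.crt.pem certs/devices/logstash.crt.pem certs/devices/logstash-pkcs8.pem logstash-prod.xyz.com` from `/etc/pki`, and the same for the filebeat pair without the hostname argument.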

mukuldeepfence commented Apr 20, 2021

I have followed the steps for generating the certs.

My logstash version is 7.10.2
filebeat version is 7.10.2

filebeat.yml

```
output.logstash:
  hosts: ["deepfence-logstash:8005"]
  proxy_url: socks5://${DEEPFENCE_KEY}:@${DF_BACKEND_IP}:8005
  proxy_use_local_resolver: false
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/filebeat/root-ca.crt.pem"]
  ssl.certificate: "/etc/filebeat/filebeat.crt.pem"
  ssl.key: "/etc/filebeat/filebeat-pkcs8.pem"
```

```
input {
  beats {
    port => "${TCP_PORT}"
    codec => json
    ssl => true # enable TLS/SSL
    ssl_certificate_authorities => ["/etc/logstash/root-ca.crt.pem"]
    ssl_certificate => "/etc/logstash/logstash.crt.pem"
    ssl_key => "/etc/logstash/logstash-pkcs8.pem"
    ssl_verify_mode => "force_peer"
    client_inactivity_timeout => 600
  }
}
```

and I am getting this error:

```
[DEBUG] 2021-04-20 16:16:44.748 [defaultEventExecutorGroup-4-2] BeatsHandler - [local: 0.0.0.0:8005, remote: 192.168.128.15:58986] Handling exception: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain (caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain)
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
```


mukuldeepfence commented Apr 21, 2021

My problem has been solved. I created the wrong certs by adding the port to the domain name.
When I removed the port from the domain name, everything worked as of now.
