As explained in the guide, it's good practice to create intermediate signing CAs. For example see this guide (I haven't tested this myself, though). Next let's add a CA (certificate authority) and a server certificate only.

ssl_key => "/etc/pki/tls/private/logstash.key"

certificate: "/etc/pki/tls/certs/filebeat.crt"
certificate_key: "/etc/pki/client/filebeat.key"

As you can see, it becomes very cumbersome to add many more certificates for additional filebeat instances.

ssl_certificate => "/etc/pki/tls/certs/logstash.crt"

Given we name the files filebeat.crt and filebeat.key your config will look like: In case you just need client authentication you can create a self-signed client certificate just as you did for logstash. You have had a CA + client authentication. If all you want is encryption, you can stop here, but this is far from the initial solution.

I created this ticket to implement some logs: But I think it's a great idea to print some connection information if TLS is used. Right, there is no log message if encryption is used. The key file is required to parse the private part of a certificate.

Can anyone who has met this kind of issue before, or who has successfully set up filebeat TLS, give me some tips? Thank you so much.

As config according to gencerts.sh is using a self-signed certificate only with client only validating server this config is enough:

tls:

I searched a lot, but didn't find an applicable solution for me. filebeat version is 1.2.3, and logstash is 2.3.4.

ssl_certificate => "/usr/ssl/server/server.crt"

By the way, my filebeat and logstash are installed in the same virtual machine.
Then I configured filebeat tls section like below:

certificate_authorities:
certificate: "/usr/ssl/client/client.crt"
certificate_key: "/usr/ssl/client/client.key"

openssl x509 -req -in client/client.csr -out client/client.crt -signkey client/client.key -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -days 365

Here, skipped the steps to generate client.csr and client.key file

openssl x509 -req -in server/server.csr -out server/server.crt -signkey server/server.key -CA ca/ca.crt -CAkey ca/ca.key -CAcreateserial -days 365

Here, skipped the steps to generate server.csr and server.key file

openssl x509 -req -in ca/ca.csr -out ca/ca.crt -signkey ca/ca.key -days 365

openssl req -new -out ca/ca.csr -key ca/ca.key -config openssl.cnf

I generated a self-signed certificate, named ca.crt.

Can anyone give me some tips on how to resolve this issue? I have spent two days in configuring filebeat TLS, and always encountered below error.