2015-09-04 28 views
0

I have bought a certificate from DigiCert, so I got these files: DigiCertCA.crt, mydomain_com.crt and mydomain_com.key. I can't get nxlog to logstash working with SSL.

I changed my logstash config to this:

tcp { 
    type => "AppLog" 
    port => 5656 
    host => "mydomain.com" 
    ssl_cacert => "C:/Certificates/DigiCertCA.crt" 
    ssl_cert => "C:/Certificates/mydomain_com.crt" 
    ssl_key => "C:/Certificates/mydomain_com.key" 
    ssl_enable => true 
    ssl_verify => true 
} 

Then I changed my nxlog config to this (running on a different machine):

<Output App_Out> 
    Module  om_ssl 
    Host  mydomain.com 
    Port  5656 
    CAFile  C:\NxLogCerts\DigiCertCA.crt 
    CertFile C:\NxLogCerts\mydomain_com.crt 
    OutputType LineBased 
</Output> 

And I have tried many different parameters, removed some, added some like AllowUntrusted etc. on both sides. No luck.

Tested with openssl:

$ openssl s_client -CAfile DigiCertCA.pem -connect mydomain.com:5960 
CONNECTED(00000003) 
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA 
verify return:1 
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA 
verify return:1 
depth=0 C = CountryCode, ST = State, L = City, O = CompanyName AS, CN = mydomain.com 
verify return:1 
--- 
Certificate chain 
0 s:/C=CountryCode/ST=State/L=City/O=CompanyName/CN=mydomain.com 
    i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA 
--- 
Server certificate 
-----BEGIN CERTIFICATE----- 
CERTIFICATE 
-----END CERTIFICATE----- 
subject=/C=CountryCode/ST=State/L=City/O=XompanyName/CN=mydomain.com 
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA 
--- 
No client certificate CA names sent 
Client Certificate Types: RSA sign, DSA sign, ECDSA sign 
Server Temp Key: ECDH, P-256, 256 bits 
--- 
SSL handshake has read 1801 bytes and written 462 bytes 
--- 
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA 
Server public key is 2048 bit 
Secure Renegotiation IS supported 
Compression: NONE 
Expansion: NONE 
No ALPN negotiated 
SSL-Session: 
    Protocol : TLSv1 
    Cipher : ECDHE-RSA-AES128-SHA 
    Session-ID: -----------Removed 
    Session-ID-ctx: 
    Master-Key: -----------Removed 
    Key-Arg : None 
    PSK identity: None 
    PSK identity hint: None 
    SRP username: None 
    Start Time: 1441375513 
    Timeout : 300 (sec) 
    Verify return code: 0 (ok) 
--- 

This seems fine..?

Any pointers to find out what the actual problem is? Am I doing something wrong?

EDIT: Of course I forgot the error messages. On the nxlog client sending to logstash:

2015-09-04 16:17:21 INFO nxlog-ce-2.9.1347 started 
2015-09-04 16:17:21 INFO connecting to mydomain.com:5960 
2015-09-04 16:17:21 INFO successfully connected to mydomain.com:5960 
2015-09-04 16:17:21 INFO reconnecting in 1 seconds 
2015-09-04 16:17:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2) 
2015-09-04 16:17:22 INFO connecting to mydomain.com:5960 
2015-09-04 16:17:22 INFO successfully connected to mydomain.com:5960 
2015-09-04 16:17:22 INFO reconnecting in 1 seconds 
2015-09-04 16:17:22 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2) 

And on the logstash server:

{:timestamp=>"2015-09-04T16:25:52.976000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error} 
{:timestamp=>"2015-09-04T16:25:53.992000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error} 

Answers

0
  • From the above I really can't tell you what is wrong, since no error messages have been posted.
  • Buying a certificate for this is a waste of money. You should create your own CA certificate (e.g. with openssl) and then generate a certificate + key pair for each entity. There are plenty of howtos online.
  • om_ssl usually needs CertKeyFile together with CertFile.
  • The openssl s_client test you ran did not verify (there is a -verify switch for that); on the other hand, certificate verification is turned on at both ends.
  • Try with AllowUntrusted TRUE and see if it helps.
+0

I "inherited" this, so buying the certificate was not my decision. Thanks for the verify tip on s_client. I have already tried AllowUntrusted. – hayer

0

I had a similar problem with awesant and logstash, and I was also using DigiCert certificates. In my case the problem was that one of the endpoints did not have the complete certificate chain.

I created a file 'x', put the contents of DigiCertCA.crt and TrustedRoot.crt into it, and used that file as the CA certificate, and everything seemed to work.

+0

Okay, so how do I generate TrustedRoot.crt? Is it a combination of DigiCertCA and mydomain.crt? Sorry, but I'm not good with these certificates. – hayer

+0

@hayer you can't generate TrustedRoot.crt. There are two possibilities: DigiCert may have sent the whole certificate chain in the file DigiCertCA.crt, or they sent you a TrustedRoot.crt file when the certificate was created. Run the following command: **openssl verify -CAfile DigiCertCA.crt my_certeficate.crt** If the whole chain is there you will get an ok message and your problem is different from mine; otherwise you will have to look for the TrustedRoot.crt file (maybe DigiCert sent it to you together with the other certificates) –
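The following script is an added example and is not part of the original question, the answers, or any nxlog, logstash or DigiCert material. It ties together the first answer's suggestion to create your own CA with openssl and the second answer's fix (a CA file holding both the intermediate and the root): it builds a throwaway root -> intermediate -> leaf PKI, reproduces the "unable to get issuer certificate (err: 2)" failure from the question by verifying the leaf against a CA file that contains only the intermediate, and shows that a root + intermediate bundle makes `openssl verify` succeed. All names in it (demo-root, demo-intermediate, logs.example.com, the file names) are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post or from nxlog/logstash/DigiCert.
# Builds a demo root -> intermediate -> leaf chain with openssl, then shows
# the difference between a CA file holding only the intermediate (fails with
# "unable to get issuer certificate") and a root + intermediate bundle.
# All names below (demo-root, demo-intermediate, logs.example.com) are invented.
set -eu

# Minimal openssl config with the extension sections we need, so the example
# does not depend on the distribution's default openssl.cnf.
write_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:logs.example.com
EOF
}

# Build root, intermediate and leaf under directory $1. Each tier signs the
# one below it, like DigiCert Global Root CA -> DigiCert SHA2 Secure Server CA
# -> mydomain.com in the question's s_client output.
build_demo_pki() {
  dir=$1
  cfg=$dir/pki.cnf
  write_config "$cfg"

  # Self-signed root (plays the role of DigiCert's TrustedRoot.crt).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=demo-root" -keyout "$dir/root.key" -out "$dir/root.crt" \
    -config "$cfg" -extensions ca_ext 2>/dev/null

  # Intermediate CA signed by the root (plays the role of DigiCertCA.crt).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=demo-intermediate" -keyout "$dir/int.key" -out "$dir/int.csr" \
    -config "$cfg" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$cfg" -extensions ca_ext \
    -out "$dir/int.crt" 2>/dev/null

  # Server (leaf) certificate signed by the intermediate (mydomain_com.crt).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=logs.example.com" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
    -config "$cfg" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$cfg" -extensions leaf_ext \
    -out "$dir/leaf.crt" 2>/dev/null

  # The CA file a client needs: root AND intermediate, PEM-concatenated
  # (this is the second answer's file 'x').
  cat "$dir/root.crt" "$dir/int.crt" > "$dir/ca-bundle.crt"
}

# Number of PEM certificates in a file: 1 means a single CA cert, not a chain.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Print subject and issuer of every certificate in a PEM bundle, in order,
# so you can see where a chain stops short of a self-signed root.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify a leaf against a CA file the way a TLS client does. Exit status 0
# means the chain is complete and trusted; non-zero is what nxlog reports as
# "SSL certificate verification failed".
verify_with() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

WORK=$(mktemp -d)
build_demo_pki "$WORK"

echo "== certificates per CA file =="
echo "int.crt: $(cert_count "$WORK/int.crt"), ca-bundle.crt: $(cert_count "$WORK/ca-bundle.crt")"

echo "== verify with only the intermediate (reproduces err 2) =="
openssl verify -CAfile "$WORK/int.crt" "$WORK/leaf.crt" || true

echo "== verify with root + intermediate bundle =="
openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/leaf.crt"

echo "== chain held by ca-bundle.crt =="
show_chain "$WORK/ca-bundle.crt"
```

Run `cert_count` and `show_chain` against your own DigiCertCA.crt first: if it holds a single certificate whose issuer is not itself, it is only the intermediate, and the client's CAFile / ssl_cacert needs the root appended to it exactly as `ca-bundle.crt` is built above.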