3
votes

I'm trying to connect to logstash with logstash-forwarder. Their communication is based on SSL, so I generated a self-signed certificate following this. Then I got this error message on the logstash-forwarder side:

Failed to tls handshake with 9.21.61.19 x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "*.*.*.*.*")

If I generate the certificate without a subject alt name, it works. The working certificate can be generated by:

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=*.*.*.*.*

But what I'm hoping to do is to generate a certificate which can be used on different kinds of hosts. To do that, I want to generate an SSL certificate whose CN=*.*.*.*.*, with alt names including *, *.*, *.*.*, etc.

Is there any suggestion on how I can overcome this SSL error? Or a better way to make logstash-forwarder work in a variety of environments?

Names can only contain a single wildcard, and only in the left-most position. That is, no foo.*.example.com and no *.*.example.com, but only *.example.com. - Steffen Ullrich
Really? When I use CN=*.*.*.*.*, it does work in my environment. - Tyler
It might be that logstash does not properly verify certificates then, but according to RFC 6125 such broad wildcards should not be accepted. No browser will accept this either. - Steffen Ullrich
So you are saying my requirement is impossible to achieve? Do we have another way to work around this? I mean, to generate a certificate that works on hosts with all kinds of hostnames? I know this is not what SSL is designed for. But to make logstash-forwarder and logstash work in my production environment I do need this... - Tyler
I have no idea of the specifics of your environment. Apart from that, this sounds more like professional server management, so please ask at serverfault.se. - Steffen Ullrich

2 Answers

1
votes

Turns out, when I removed the

keyUsage = digitalSignature, keyEncipherment

in [ v3_ca ], which is asked for in the guide, the generated certificate does work for a variety of host names.

This may not be the right scenario for SSL. But for the logstash/logstash-forwarder case, it does help.

1
votes

Have you mentioned the pem file in "ssl ca" in the logstash-forwarder.conf? You have to mention the pem file which is used to sign the certificate in the conf.