Logstash to Opensearch with Certs auth

Hello, logstash to opensearch, am I in right category?
Is this offical project GitHub - opensearch-project/logstash-output-opensearch: A Logstash plugin that sends event data to a OpenSearch clusters and stores as an index.
for logstash that can be downloaded here? Opensearch 2.4.1 · OpenSearch

I need to set up 2FA for logstash to opensearch or logstash cert authentication to opensearch. Can someone help me?

Hi @vnovotny98,

What logstash configurations have you tried so far?

Hi @ddpowers,
I have conf file like:

input {
  tcp {
    mode => "server"
    host => "****"
    port => "****"
    ssl_enable => "true"
    ssl_cert => "/usr/share/logstash/config/server.crt"
    ssl_key => "/usr/share/logstash/config/privateKey.key"
    ssl_key_passphrase => "****"
    ssl_verify => "false"
    ssl_supported_protocols => ['TLSv1.2', 'TLSv1.3']
    codec => "json_lines"
    tags => "ssl_TCPinput"}}


output {
opensearch {
hosts => ["***:9200","***:9200","***:9200"]
ssl => true
ssl_certificate_verification => false
user => "logstash-account"
password => "****"
index => "%{[@metadata][target_index]}-temporary-%{+YYYY-MM-dd}"
manage_template => false

I tried to find out way to use certs but I find out problem that I generated bad certificates for http I think.
Bcs my Opensearch.yml and certs there are:

plugins.security.ssl.transport.pemcert_filepath: esnode.pem
plugins.security.ssl.transport.pemkey_filepath: esnode-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
plugins.security.ssl.transport.enforce_hostname_verification: false

plugins.security.ssl.http.enabled: true
plugins.security.ssl.http.pemcert_filepath: server-opensearch-cert.pem
plugins.security.ssl.http.pemkey_filepath: server-opensearch-key8.pem
plugins.security.ssl.http.pemtrustedcas_filepath: cacert-all.pem

And when I try to use them in curl for some authentication:
curl -k https://localhost:9200 --cacert /etc/pki/opensearch/http/certs/cacert-all.pem --key /etc/pki/opensearch/http/keys/server-opensearch-key8.pem --cert /etc/pki/opensearch/http/certs/server-opensearch-cert.pem
I get an error : curl: (56) OpenSSL SSL_read: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown, errno 0 , which means Exception: Exception during establishing a SSL connecti
on: javax.net.ssl.SSLHandshakeException: Extended key usage does not permit use for TLS client authentication

so: This indicates that the client certificate has Extended Key Usage defined, which does NOT support client authentication. This error message indicates that the certificate is being for client authentication but the Extended Key Value indicates it can only be used for server authentication. Thus, you would go back to the CA to ask to get this fixed. SEAS always does client authentication and there is no way around it. You should get a certificate from your CA with both the server and client flags turned on.

So: I have to regenerate certs and 1) dont specify a key usage extension or 2) specify both “serverAuth” and “clientAuth” in there…

but my question is can Logstash use these certs to authenticate then?

And my next question is if I wanted only to mark this ssl_certificate_verification => false to true, what certs should I use? http cacert or transport cacert?

To your first question, you should be able to use certificates with Logstash as you have defined them, just without the Extended Key Usage. Give that a try.

To your second question, according to Elasticsearch output plugin | Logstash Reference [8.5] | Elastic, setting ssl_certificate_verification is not recommended. I would imagine http cacert would be called for, so try that.

1 Like

Okay, I will try, I will generate new certs, that won’t have set extended key usage.
I tried now using ssl_cert_verif with true but logstash shutdown on:
logstash.javapipeline ][on-prem] Pipeline error {:pipeline_id=>"on-premise", :exception=>#<Manticore::UnknownException: Certificate for <*ip address*> doesn't match any of the subject alternative names: []>
So I will enter SAN in my new certs too.
Then I hope I will get least one of these functions ready. Thx