无法通过SSL工作将nxlog用于logstash

时间:2015-09-04 14:11:00

标签: ssl openssl logstash nxlog

我已经从DigiCert购买了证书。所以我得到了文件; DigiCertCA.crt,mydomain_com.crt mydomain_com.key

我将我的logstash配置更改为此; 

$("#grid").jqGrid("setGridParam", {
    rowNum: rows,
    postData: {
        submitFlag: submitFlag,
        newRowMapData: newRowMapData,
        existingRowMapData: existingRowMapData
    }
}).trigger("reloadGrid", [{ page: page }]);

然后将我的nxlog配置更改为此(在不同的计算机上运行):

tcp {
    type => "AppLog"
    port => 5656
    host => "mydomain.com"
    ssl_cacert => "C:/Certificates/DigiCertCA.crt"
    ssl_cert => "C:/Certificates/mydomain_com.crt"
    ssl_key => "C:/Certificates/mydomain_com.key"
    ssl_enable => true
    ssl_verify => true
}

我尝试了许多不同的参数,删除了一些参数,并在两侧添加了一些像AllowUntrusted等。没有运气。

使用openssl测试; 

<Output App_Out>
    Module      om_ssl
    Host        mydomain.com
    Port        5656
    CAFile      C:\NxLogCerts\DigiCertCA.crt
    CertFile    C:\NxLogCerts\mydomain_com.crt
    OutputType  LineBased
</Output>

哪个好看......?

有什么指示可以找出真正的问题是什么?我做错了吗?

编辑: 当然我忘记了错误信息; 在nxlog-client上发送到logstash 

$ openssl s_client -CAfile DigiCertCA.pem -connect mydomain.com:5960
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CountryCode, ST = State, L = City, O = CompanyName AS, CN = mydomain.com
verify return:1
---
Certificate chain
 0 s:/C=CountryCode/ST=State/L=City/O=CompanyName/CN=mydomain.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
subject=/C=CountryCode/ST=State/L=City/O=XompanyName/CN=mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1801 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: -----------Removed
    Session-ID-ctx:
    Master-Key: -----------Removed
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441375513
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

在logstash服务器上

2015-09-04 16:17:21 INFO nxlog-ce-2.9.1347 started
2015-09-04 16:17:21 INFO connecting to mydomain.com:5960
2015-09-04 16:17:21 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:21 INFO reconnecting in 1 seconds
2015-09-04 16:17:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
2015-09-04 16:17:22 INFO connecting to mydomain.com:5960
2015-09-04 16:17:22 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:22 INFO reconnecting in 1 seconds
2015-09-04 16:17:22 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)

2 个答案:

答案 0 :(得分:0)

  • 由于您没有发布任何错误消息,我无法说出错误。
  • 为此购买证书是浪费金钱。您应该创建自己的CA证书(例如使用openssl),然后为每个实体生成证书+密钥对。网上有很多声音。
  • om_ssl通常需要 CertKeyFile 以及 CertFile
  • 您运行的 openssl s_client 测试未验证(有 -verify 开关),另一方面,证书验证在两端都已打开。
  • 尝试 AllowUntrusted TRUE 以查看是否有帮助。

答案 1 :(得分:0)

我在awesant和logstash方面遇到了类似的问题,我也在使用DigiCert认证。就我而言,问题是其中一个端点没有完整的证书链。

我创建了一个文件&#39; x&#39;并且已经放入了DigiCertCA.crt和TrustedRoot.crt内容,并使用该文件作为CA证书,一切似乎都运行正常。

相关问题
最新问题