"Host name does not match the certificate subject provided by the peer" #96

Closed
Sjaak01 opened this issue Mar 22, 2018 · 8 comments

@Sjaak01

Sjaak01 commented Mar 22, 2018

Hi,

I'm getting the following error when I try to poll a website running a self signed certificate.

"Host name '192.168.1.35' does not match the certificate subject provided by the peer"

The CN of the certificate is something like CN=*.device.maker.com.

It looks like Logstash is doing strict domain checking? I'm very unfamiliar with certificates so I'm not entirely sure what is going on.

  • If I run curl -k (no ssl verification) it works.
  • I tried looking for a way to disable verification in the plugin but it doesn't look like there is any way to do this or there was but it never actually worked?

How can I fix this? Changing the certificate on the device is not an option.

Thanks.

edit:
config:

input {
  http_poller {
    urls => {
      kvh => "https://192.168.1.35/web.cgi?gn=1"
     }
    cacert => "/etc/logstash/downloaded_cert.pem"
    truststore => "/etc/logstash/downloaded_truststore.jks"
    truststore_password => "test123"
    schedule => { cron => "5 * * * * UTC"}
    codec => "json"
  }
}

The .pem and .jks were created using the docs on the Elastic website. I obtained the .crt by downloading it from Firefox.

Curl doesn't seem to work with the created .pem (or original .crt) either.
curl --cacert $/etc/logstash/downloaded_cert.pem --request GET https://192.168.1.35/web.cgi?gn=1
curl: (77) Problem with the SSL CA cert (path? access rights?)

@ninjadude333
I'm having the same issue when running on Linux Ubuntu and Windows.

@milesgillham

You can turn off ssl verification (if you're confident there won't be a man-in-the-middle attack) by turning off ssl certificate verification (last two lines):

input {
    http_poller {
      urls => {
        kvh => "https://192.168.1.35/web.cgi?gn=1"
       }
      cacert => "/etc/logstash/downloaded_cert.pem"
      truststore => "/etc/logstash/downloaded_truststore.jks"
      truststore_password => "test123"
      schedule => { cron => "5 * * * * UTC"}
      codec => "json"
      ssl => true
      ssl_certificate_verification => false
    }
  }

@sikishen

"ssl_certificate_verification" deprecated.

@peasead

peasead commented Oct 24, 2019

I had this same issue. To work around this I made an entry in my hostfile and recreated the truststore files.

So in /etc/hosts, you could add 192.168.1.35 kvh and then re-run:

openssl s_client -showcerts -connect kvh </dev/null 2>/dev/null | openssl x509 -outform PEM > downloaded_cert.pem; keytool -import -alias logstash -file downloaded_cert.pem -keystore downloaded_truststore.jks

and finally update your Logstash config to kvh => "https://kvh/web.cgi?gn=1" from kvh => "https://192.168.1.35/web.cgi?gn=1"

I'm sure you've moved on past this by now, but in the event any other wayward Internet searcher finds this...it worked for me 👍

@piellick
Hi everyone, still no news about bypassing SSL verification for self-signed certificates? This option looks critically needed.

@sgreszcz

sgreszcz commented Dec 9, 2019

I just opened another issue on this: #115

This is critically needed. Other tools like Python's requests and Postman allow this flag to accept self-signed certificates.

Running Logstash (especially as a Docker ingest appliance) against HTTPS endpoints and having to manually manage a JKS is not easy to automate, nor scale.

@sgreszcz

sgreszcz commented Dec 9, 2019

Could we please reinstate these flags on http_poller?

ssl => true
ssl_certificate_verification => false

@edmocosta
Contributor

Closing this issue as it seems to be already supported by newer versions of the plugin.

Although it's not recommended, it's possible to ignore the certificate validation by setting the ssl_verification_mode to none. That option has the same impact as the deprecated ssl_certificate_verification => false.

In the near future, it will support another verification mode that validates the provided certificate, verifies it’s signed by a trusted authority (CA), but doesn’t check the certificate hostname (elastic/logstash#14905).

Please re-open the issue if you think it doesn't solve the problem.

Thank you!
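
Why the hostname step rejects the URL in this issue, as an added illustration (not code from the plugin or from any commenter): a simplified hostname check in the style of RFC 6125. The function names and the host unit1.device.maker.com are constructed for the example, and real TLS libraries differ in details such as CN fallback.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one DNS pattern; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require at least two fixed labels so that e.g. '*.com' is refused.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_cert(host, cn=None, san_dns=(), san_ip=()):
    """Return (ok, reason) for a URL host against the names in a certificate."""
    if _is_ip(host):
        # In this sketch an IP literal is compared only with iPAddress SAN
        # entries; a DNS wildcard such as *.device.maker.com can never cover it.
        wanted = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == wanted for ip in san_ip):
            return True, "iPAddress SAN match"
        return False, "IP literal with no matching iPAddress SAN"
    # The CN is only a fallback when the certificate carries no DNS SANs.
    names = list(san_dns) or ([cn] if cn else [])
    for name in names:
        if _dns_match(name, host):
            return True, f"matches {name}"
    return False, "no DNS name in the certificate matches"

if __name__ == "__main__":
    cn = "*.device.maker.com"  # subject reported in the issue
    cases = [
        ("192.168.1.35", {}),                            # URL host from the issue
        ("unit1.device.maker.com", {}),                  # constructed host name
        ("a.b.device.maker.com", {}),                    # two labels under the wildcard
        ("192.168.1.35", {"san_ip": ["192.168.1.35"]}),  # reissued cert with an IP SAN
    ]
    for host, extra in cases:
        print(host, host_matches_cert(host, cn=cn, **extra))
```

A certificate that passes this step still has to chain to a trusted CA or truststore entry; hostname matching and chain validation are separate checks.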
