Issues with SSL certificate validation in logstash output http plugin

[suraj-kamath]

There are two issues:

1. ssl_certificate_validation option is not taking effect. Irrespective of whether we give the value as true or false, it is always taken as true.
2. During SSL certification validation, logstash is doing a strict host name check. As part of this, it is not supporting wildcard certificates where CN is like *.subdomain.domain.com. Either this needs to be fixed or it would be ideal to have another option to the http plugin like, for example, "strict_host name_check" which can be set to true or false.

Logstash version :1.5.4
Http plugin version :1.1.0
java : 1.8.0_51.

[ayashjorden]

👍
Also experienced this behaviour.
@suraj-kamath nice description of the problem :)

[suraj-kamath]

@logstash-dev's can we have an update here ?

[ayashjorden]

@suraj-kamath I've found that 'ssl_certificate_validation' is used here.

Does it help?

[deeptjos]

Still awaiting response on this from "logstash-dev"
Please provide an update on this issue, Is there any plan of adding the changes in latest release ?

[suyograo]

ssl_certificate_validation option is not taking effect. Irrespective of whether we give the value as true or false, it is always taken as true.

@suraj-kamath is this plugin still trying to do cert validation when ssl_certificate_validation is false?

[clausy]

I'm getting the same error when using
ssl_certificate_validation => false
I get
"error" => "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

I just downloaded logstash 2.0 and installed the http_poller plugin

[deeptjos]

@logstash-dev's Any update on this ?
Also looks like Logstash does not support SNI, Please confirm.

[type0lang]

+1

[sameerpanicker]

I am also getting the same error.

"error" => "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

[NikolaeVarius]

+1 Getting same issue as above

[rlwmmw]

+1 Need a workaround!

[lifeofguenter]

+1

[sameerpanicker]

I was able to fix this problem. Check whether your application is using JDK or JRE. Based on that try installing the certificate in the keystore.
Let me know if you have any queries.

[dandrestor]

Same problem here.

[claudekenni]

same problem here:

"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

[RohanKumbhar1]

@sameerpanicker : great !! could you please help us here to fix this issue? may be list of steps to fix this would be great.

[sameerpanicker]

Go to Environment Variables and check if you are using JRE or JDK path as a JAVA_HOME value.
i.e. C:\Program Files\java\jdk1.8.0_74 or C:\Program Files\java\jre1.8.0_74

Based on that change JRE/JDK and execute this command using CMD

C:\Program Files\Java\jre1.8.0_74\bin
keytool -import -noprompt -trustcacerts -alias "CERT-NAME" -file "C:\Users\MYWORK\Desktop\QA.cer" -keystore "C:\Program Files\Java\jdk1.8.0_74\jre\lib\security\cacerts" -storepass changeit

Let me know if this works.

[dandrestor]

I managed to find the problem in my case, although I don't know if this would apply to everybody here.
See logstash-plugins/logstash-output-elasticsearch#433

@suraj-kamath can you check if this is a duplicate?

[amulyas]

+1 same issue any workaround here?

[breml]

Creating my own truststore with the keytool and using the configuration options keystore and keystore_password did not work for me. Adding the same certificate the same way to the $JAVA_HOME/jre/lib/security/cacerts truststore solved the problem for me.

Using logstash version 2.4.1.

[slalomnut]

breml's work around did the trick for me.

[blacklobo]

@dandrestor output HTTP does not have an valid setting of "ssl". So that solution will not work.

This problem is still present in Logstash version 5.3.1

[yaoyaminaco0571]

@bernielomax as the error output mentioned "logstash unable to find valid certification path to requested target", you should add a fake path to it since the code needs.

The configuration is worked fine for me:

    ssl => true
    ssl_certificate_verification => false
    truststore => "/home/admin/server/elasticsearch-current/config/truststore.jks"
    truststore_password => changeit
    user => logstash
    password => logstash

If OK pls feedback. I guess it will work around the problem met in http output. @blacklobo

Caution: the jks file should be exists and readable for logstash.

[Petrox]

This issue is open since 2015.

[AverageS]

@Petrox +1
Issue is opened since 2015 and still option ssl_certificate_verification => false doesnt do anything.

[ashmilhussain]

+1 same issue as everyone else.

[NihilBabu]

same issue need help urgently

[agberoz]

+1 same issue here

[samrui]

+1 same issure

[taajuni2]

+1 same issue here

[pedrolauro]

+1 Same issue here...

[fkellner]

+1 same issue with a wildcard certificate not being recognized here.

[jwhiteman36]

+1 same issue.

[Beeez]

+1 Having the same problem

[GreggBzz]

+1, same issue using wildcards and/or ignoring certification verification.

[qwerty1q2w]

+1

[mazurdv]

+1

[mldaali]

+1

[dchsueh]

+1

[denisvll]

+1

[sennl]

+1

[thunderwood19]

Since 2015...

[zgfh]

+1

[hamparid]

+1 (We have wildcard Certs AND SSL settings to turn off verification in LS don't work)

[M9k]

+1

[smnschndr]

+1

[jeffwong-mocs]

@yaoyaminaco0571 's suggestion to add truststore path worked for me in v7.16.1

@bernielomax as the error output mentioned "logstash unable to find valid certification path to requested target", you should add a fake path to it since the code needs.

The configuration is worked fine for me:

    ssl => true
    ssl_certificate_verification => false
    truststore => "/home/admin/server/elasticsearch-current/config/truststore.jks"
    truststore_password => changeit
    user => logstash
    password => logstash

If OK pls feedback. I guess it will work around the problem met in http output. @blacklobo

Caution: the jks file should be exists and readable for logstash.

[yaoyaminaco0571]

这是来自QQ邮箱的假期自动回复邮件。   您好，我最近正在休假中，无法亲自回复您的邮件。我将在假期结束后，尽快给您回复。

[bastianhjaeger]

Facing the same issue (out of a sudden) with no cert used at all .

This is my output section:

  elasticsearch {
    hosts => "https://elastic.xxx.de:9200"
    ssl => true
    ssl_certificate_verification => false
    document_id => "someid"
    user => "user"
    password => "password"
    doc_as_upsert => true
    action => "update"
  }

And I have no truststore to set ot a cacert.

[kares]

A lot has been going on here over the years, but let me tackle this down:

• the http_client mixin and thus output-http plugin at some point had the ssl_certificate_validation option
• the ssl_certificate_validation => false had no effect and was later removed to confuse users
• Feat: support ssl_verification_mode => 'full' / 'none' #126 added a new option ssl_verification_mode

The updated http output which can be used to disable verification (using ssl_verification_mode => none) will be part of Logstash 8.1, in the mean time try bin/logstash-plugin update logstash-output-http (which should update the plugin to >= 5.3.0)

The issue also mentions ES output with the ssl_certificate_verification => false option, the issue while similar do not have the same cause - for ES output disabling verification had some effect (allowing self-signed certificates) but did not disable verification completely. This issue has also been resolved and should be available since Logstash 7.17.0.

[yaoyaminaco0571]

这是来自QQ邮箱的假期自动回复邮件。   您好，我最近正在休假中，无法亲自回复您的邮件。我将在假期结束后，尽快给您回复。