Reputation: 43
I'm trying to connect to logstash with logstash-forwarder. Their communication is based on SSL, so I generated a self-signed certificate following this. Then I got this error message on the logstash-forwarder side:
Failed to tls handshake with 9.21.61.19 x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "*.*.*.*.*")
If I generate the certificate without a subject alt name, it works. The working certificate can be generated by:
openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=*.*.*.*.*
But what I'm hoping to do is to generate a certificate which can be used on different kinds of hosts. To do that I want to generate an SSL certificate whose CN=*.*.*.*.*, with alt names that include *, *.*, *.*.* etc.
Is there any suggestion on how I can overcome this SSL error? Or a better way to make logstash-forwarder work in a variety of environments?
Upvotes: 3
Views: 3134
Reputation: 121
Have you mentioned the pem file in "ssl ca" in the logstash-forwarder.conf? You have to mention the pem file which is used to sign the certificate in the conf.
Upvotes: 1
Reputation: 43
Turns out, when I removed the
keyUsage = digitalSignature, keyEncipherment
in [ v3_ca ], which is asked for in the guide, the generated certificate does work for a variety of host names.
This may not be the right scenario for SSL. But for the logstash/logstash-forwarder case, it does help.
Upvotes: 1
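The error text in the question comes from Go's crypto/x509, which logstash-forwarder uses: a self-signed certificate is its own issuer, so a keyUsage extension that omits keyCertSign makes the parent check fail. The sketch below is an added example, not code from the posts or from either project; it goes slightly beyond the answer by also showing that keeping keyUsage and adding keyCertSign passes. It assumes the guide's [ v3_ca ] section sets CA:TRUE, and the subject name and ECDSA key are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// guideUsage is the keyUsage line from the page; fixedUsage adds keyCertSign to it.
const guideUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
const fixedUsage = guideUsage | x509.KeyUsageCertSign

// selfSignedCheck creates a self-signed certificate with the given keyUsage bits
// and checks its signature with the certificate itself as the parent (issuer).
// The page uses rsa:2048; the key type does not affect this check.
func selfSignedCheck(ku x509.KeyUsage) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "lumberjack.example"}, // constructed
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku, // 0 means no keyUsage extension is emitted
		BasicConstraintsValid: true, // assumed: [ v3_ca ] has basicConstraints CA:TRUE
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(cert)
}

func main() {
	fmt.Println("guide keyUsage:   ", selfSignedCheck(guideUsage))
	fmt.Println("keyUsage removed: ", selfSignedCheck(0))
	fmt.Println("with keyCertSign: ", selfSignedCheck(fixedUsage))
}
```

Adding keyCertSign keeps the other usage restrictions in place, whereas dropping the extension leaves the key unrestricted.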