hayer

Reputation: 1

Can't get nxlog to logstash with SSL working

I've bought a certificate from DigiCert. So I got the files: DigiCertCA.crt, mydomain_com.crt, mydomain_com.key

I changed my logstash config to this:

tcp {
    type => "AppLog"
    port => 5656
    host => "mydomain.com"
    ssl_cacert => "C:/Certificates/DigiCertCA.crt"
    ssl_cert => "C:/Certificates/mydomain_com.crt"
    ssl_key => "C:/Certificates/mydomain_com.key"
    ssl_enable => true
    ssl_verify => true
}

And then changed my nxlog config to this (running on different machine):

<Output App_Out>
    Module      om_ssl
    Host        mydomain.com
    Port        5656
    CAFile      C:\NxLogCerts\DigiCertCA.crt
    CertFile    C:\NxLogCerts\mydomain_com.crt
    OutputType  LineBased
</Output>

And I've tried many different parameters, removed some, added some like AllowUntrusted etc. on both sides. No luck.

Tested with openssl:

$ openssl s_client -CAfile DigiCertCA.pem -connect mydomain.com:5960
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CountryCode, ST = State, L = City, O = CompanyName AS, CN = mydomain.com
verify return:1
---
Certificate chain
 0 s:/C=CountryCode/ST=State/L=City/O=CompanyName/CN=mydomain.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
subject=/C=CountryCode/ST=State/L=City/O=XompanyName/CN=mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1801 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: -----------Removed
    Session-ID-ctx:
    Master-Key: -----------Removed
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1441375513
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Which seems good..?

Any pointers to find out what the actual problem is? Am I doing it wrong?

EDIT: Of course I forgot the error messages. On the nxlog client sending to logstash:

2015-09-04 16:17:21 INFO nxlog-ce-2.9.1347 started
2015-09-04 16:17:21 INFO connecting to mydomain.com:5960
2015-09-04 16:17:21 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:21 INFO reconnecting in 1 seconds
2015-09-04 16:17:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
2015-09-04 16:17:22 INFO connecting to mydomain.com:5960
2015-09-04 16:17:22 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:22 INFO reconnecting in 1 seconds
2015-09-04 16:17:22 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)

And on the logstash server:

{:timestamp=>"2015-09-04T16:25:52.976000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}
{:timestamp=>"2015-09-04T16:25:53.992000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}

Upvotes: 0

Views: 1160

Answers (2)

Pedro Severino

Reputation: 11

I had a similar problem with awesant and logstash; I am also using DigiCert certificates. In my case the problem was that one of the endpoints didn't have the complete certificate chain.

I created a file 'x', put the DigiCertCA.crt and TrustedRoot.crt contents in there, and, using that file as the CA certificate, everything seems to work just fine.

Upvotes: 0

b0ti

Reputation: 2329

  • I can't really tell what's wrong since you have not posted any error messages.
  • Buying certificates for this was a waste of money. You should create your own CA cert (with openssl for instance) and then generate the cert+key pair for each entity. There are plenty of howtos on the net.
  • om_ssl usually needs CertKeyFile together with CertFile.
  • The openssl s_client test you ran does not verify (there is a -verify switch for that), on the other hand certificate verification is turned on at both ends.
  • Try with AllowUntrusted TRUE to see if that helps.

Upvotes: 0
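The two answers above boil down to one check: does the CA file handed to om_ssl (CAFile) or to the logstash tcp input (ssl_cacert) contain every issuer up to a self-signed root? The script below is an added example, not code from the question, either answer, nxlog or logstash. It uses the openssl CLI to build a throwaway three-tier chain (b0ti's "create your own CA" route), then runs `openssl verify` against it the way both endpoints' CAFile verification does: with only the intermediate (which reproduces the "unable to get issuer certificate (err: 2)" from the nxlog log), with only the root (the missing-intermediate case), and with the intermediate+root bundle Pedro describes. It also checks whether a PEM bundle actually ends in a self-signed root. Every name, path and subject in it is constructed for the demo, and it assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Builds a throwaway
# root -> intermediate -> server chain and shows which CA files let the server
# certificate verify. All names/paths are constructed; assumes openssl on PATH.
set -e

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:logstash.example.test
EOF

# root.crt plays the role of TrustedRoot.crt, inter.crt of DigiCertCA.crt and
# server.crt of mydomain_com.crt (all hypothetical, unencrypted throwaway keys).
make_chain() (
    cd "$WORK"
    openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 1 -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1 \
        -sha256 -extfile req.cnf -extensions v3_ca -out inter.crt 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=logstash.example.test" -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial -days 1 \
        -sha256 -extfile req.cnf -extensions v3_leaf -out server.crt 2>/dev/null
)

# Verify a leaf against a CA file the way om_ssl's CAFile check does and print
# "OK" or the openssl reason string (the same text nxlog logs after "failed:").
verify_with() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo "OK"
    else
        printf '%s\n' "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1
    fi
}

# Pedro's fix: one CA file holding the intermediate followed by the root.
build_bundle() {
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"
    echo "$WORK/ca-bundle.crt"
}

# "yes" if the last certificate in a PEM bundle is self-signed (subject ==
# issuer), i.e. the chain really reaches a root; "no" if a root is missing.
bundle_has_root() {
    last=$(awk '/BEGIN CERTIFICATE/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1")
    subj=$(printf '%s' "$last" | openssl x509 -noout -subject)
    iss=$(printf '%s' "$last" | openssl x509 -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] && echo yes || echo no
}

make_chain
echo "CAFile = intermediate only : $(verify_with "$WORK/inter.crt" "$WORK/server.crt")"
echo "CAFile = root only         : $(verify_with "$WORK/root.crt" "$WORK/server.crt")"
BUNDLE=$(build_bundle)
echo "CAFile = intermediate+root : $(verify_with "$BUNDLE" "$WORK/server.crt")"
echo "intermediate only ends in a root? $(bundle_has_root "$WORK/inter.crt")"
echo "bundle ends in a root?            $(bundle_has_root "$BUNDLE")"
```

The "intermediate only" run is the nxlog situation in the question: the trust file contains DigiCertCA.crt but not the DigiCert Global Root, so the verifier cannot find the intermediate's issuer. The "root only" run is the other common failure, where the server does not send its intermediate; on the logstash side that is what ssl_cert pointing at just mydomain_com.crt looks like to a client that only trusts the root. Running bundle_has_root over the file you hand to CAFile or ssl_cacert is a quick way to spot the first case before restarting either service.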
