Xiaoyi

Reputation: 21

logstash http_poller ssl certification issue

I am trying to use logstash http_poller to query a server REST API. I downloaded the server PEM through Explorer and generated a JKS file with keytool, but we still get the error "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target". Don't know what's wrong.

The config is like below:

input {
  http_poller {
    urls => {
      restapi => {
        method => get
        url => "https://path_to_resources"
        headers => {
          Accept => "application/json"
        }
        truststore => "/path/generated.truststore.jks"
        truststore_password => "xxx"
        ssl_certificate_validation => false
        auth => {
          user => "xxx"
          password => "xxx"
        }
      }
    }
    request_timeout => 60
    interval => 60000
    codec => "json"
    metadata_target => "http_poller_metadata"
  }
}

By the way, what is the impact if ssl_certificate_validation is set to false?

Upvotes: 2

Views: 2088

Answers (2)

sastorsl

Reputation: 2135

I interpret the OP's intention as hoping to be able to disable TLS verification, which we still can't (logstash-7.11.1), and I plow on with how to get a trust store for these cases. This Q was one of my hits in pursuit of the same.

Some appliances will be running self-signed certificates (another discussion, people...), so a small script to set up such a trust store could be helpful, especially if you are about to set up some automation internally.

Another caveat is that the self-signed certificate still has to have a matching host name.

Based on the example from https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http_poller.html

NB! Further error checking, etc., is left to your discretion.

#!/bin/bash
# Fetch an http server's TLS certificate and
# create or update a JAVA keystore / truststore

usage () {
    echo "usage: get-cert.sh <hostname>:<port>"
    exit 1
}

TRUSTSTORE=cacert/trust.jks

# Exactly one "host:port" argument, nothing more
PARAM=$1
HOSTNAME=$(echo "$PARAM" | cut -d: -f 1)
PORT=$(echo "$PARAM" | cut -d: -f 2)
REST=$(echo "$PARAM" | cut -d: -f 3-)

[ -z "$HOSTNAME" ] && usage
[ -z "$PORT" ] && usage
[ -n "$REST" ] && usage

# "openssl x509" keeps only the first certificate of the chain (the leaf)
OUTPUT=$(
openssl \
    s_client \
    -showcerts \
    -connect "${HOSTNAME}":"${PORT}" </dev/null 2>/dev/null | \
    openssl \
        x509 \
        -outform PEM)
EC=$?
[ $EC -ne 0 ] && { echo "ERROR EC=$EC - $OUTPUT" ; exit $EC ; }

# keytool will not create the store if its directory is missing
mkdir -p "$(dirname "${TRUSTSTORE}")"

keytool \
    -import \
    -storepass changeit \
    -alias "${HOSTNAME}" \
    -noprompt \
    -file <(echo "$OUTPUT") \
    -keystore "${TRUSTSTORE}"

Using some bash-specific possibilities here. The alternative is to go through temporary files, as per the official example (see link above).

Upvotes: 1
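The script in this answer imports only the leaf certificate. The following is an added example (not the answer's or the Logstash project's own script) that goes one step further: it keeps the whole chain the server presents, imports every certificate under its own alias, and then re-exports the trust store to PEM so openssl can validate the server against it, including the host-name check the caveat above refers to. It assumes openssl 1.1.0 or later (for -verify_hostname) and keytool on PATH; TRUSTSTORE and STOREPASS are placeholder values, and the host:port argument is whatever you are polling.

```bash
#!/bin/bash
# Added example, not the answer's own script: import the whole chain a server
# presents (leaf plus any intermediates / private CA), then confirm that the
# resulting trust store validates both the chain and the host name, which is
# what the Java TLS stack behind http_poller will demand.
# Assumes: openssl (1.1.0 or later, for -verify_hostname) and keytool on PATH.
# TRUSTSTORE and STOREPASS are placeholders; override them via the environment.

TRUSTSTORE="${TRUSTSTORE:-cacert/trust.jks}"
STOREPASS="${STOREPASS:-changeit}"

# Split a PEM stream on stdin into one file per certificate (chain-0.pem,
# chain-1.pem, ...) inside $1; anything outside the BEGIN/END markers
# (s_client chatter) is dropped. Prints the number of certificates written.
split_pem_chain() {
    local dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/chain-" n ".pem"; n++ }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n }
    '
}

# Fetch the chain the server sends (SNI set, so virtual hosts answer with the
# right certificate) and split it into $2. Prints the certificate count.
fetch_chain() {
    local hostport="$1" dir="$2"
    openssl s_client -showcerts -servername "${hostport%%:*}" \
        -connect "$hostport" </dev/null 2>/dev/null | split_pem_chain "$dir"
}

# Import every certificate under its own alias (host-chain-N), so the issuing
# CA lands in the store too and a re-issued leaf keeps validating.
import_chain() {
    local hostport="$1" dir="$2" f
    mkdir -p "$(dirname "$TRUSTSTORE")"
    for f in "$dir"/chain-*.pem; do
        [ -f "$f" ] || continue
        echo "importing $f: $(openssl x509 -noout -subject -in "$f")"
        keytool -importcert -noprompt -storepass "$STOREPASS" -keystore "$TRUSTSTORE" \
            -alias "${hostport%%:*}-$(basename "$f" .pem)" -file "$f"
    done
}

# Export the trust store back to PEM and let openssl validate the server
# against it, including the host-name check: a self-signed certificate whose
# CN/SAN does not match the host still fails here, exactly as it will in Java.
verify_with_truststore() {
    local hostport="$1" host="${hostport%%:*}" cafile alias rc
    cafile=$(mktemp)
    for alias in $(keytool -list -storepass "$STOREPASS" -keystore "$TRUSTSTORE" \
                   | awk -F, '/trustedCertEntry/ { print $1 }'); do
        keytool -exportcert -rfc -storepass "$STOREPASS" -keystore "$TRUSTSTORE" -alias "$alias"
    done > "$cafile"
    openssl s_client -CAfile "$cafile" -servername "$host" -verify_hostname "$host" \
        -verify_return_error -connect "$hostport" </dev/null >/dev/null 2>&1
    rc=$?
    rm -f "$cafile"
    return "$rc"
}

main() {
    local hostport="$1" dir
    case "$hostport" in
        *:*) ;;
        *) echo "usage: $0 <hostname>:<port>" >&2; return 1 ;;
    esac
    dir=$(mktemp -d)
    echo "fetched $(fetch_chain "$hostport" "$dir") certificate(s) from $hostport"
    import_chain "$hostport" "$dir"
    if verify_with_truststore "$hostport"; then
        echo "OK: $TRUSTSTORE validates $hostport (chain and host name)"
    else
        echo "FAIL: $TRUSTSTORE does not validate $hostport; check CN/SAN against the host name" >&2
    fi
    rm -rf "$dir"
}

# Only run the pipeline when a host:port is given, so the functions can also
# be sourced on their own.
[ $# -eq 0 ] || main "$@"
```

Run it as `./get-chain.sh myhost.example:8443` (a placeholder host). If the final step reports FAIL even though the import succeeded, the problem is not the trust store but the certificate's subject, which is the case the answer's caveat describes, and no truststore setting in http_poller will paper over it.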

yoav.str

Reputation: 1534

Apparently your certificate is invalid. Regarding

ssl_certificate_validation

it doesn't have a real impact; http_poller is based on manticore, a Ruby library which relies on Apache HC,
which does not support this hook; see

Upvotes: 0
