handshake... ERROR x509: certificate signed by unknown authority

redant

Jan 15, 2025, 9:15:36 PM
to Wazuh | Mailing List
filebeat test output
elasticsearch: https://10.21.10.105:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 10.21.10.105
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority

 netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      3461523/wazuh-authd
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      3461617/wazuh-remot
tcp        0      0 0.0.0.0:55000           0.0.0.0:*               LISTEN      3461483/python3
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      65600/zabbix_agentd
tcp        0      0 10.21.10.105:443        0.0.0.0:*               LISTEN      3722667/node
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1770878/sshd: /usr/
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      3772465/sshd: woonh
tcp6       0      0 10.21.10.105:9300       :::*                    LISTEN      3636728/java
tcp6       0      0 :::55000                :::*                    LISTEN      3461483/python3
tcp6       0      0 :::10050                :::*                    LISTEN      65600/zabbix_agentd
tcp6       0      0 :::22                   :::*                    LISTEN      1770878/sshd: /usr/
tcp6       0      0 10.21.10.105:9200       :::*                    LISTEN      3636728/java
tcp6       0      0 ::1:6010                :::*                    LISTEN      3772465/sshd: woonh
tcp6       0      0 :::3000                 :::*                    LISTEN      3408397/grafana-ser

"I think the error is caused by the firewall. Which ports should I open to resolve this issue?"

Stuti Gupta

Jan 15, 2025, 10:30:06 PM
to Wazuh | Mailing List
Hi team 

It seems there is an issue with the certificates.
Check if you have the right certificate name in the configuration and if you have updated the configuration file with the right certificate name.

Wazuh Indexer:

Check the certificate name inside:
ls /etc/wazuh-indexer/certs/
Permission for those indexer certificates should be:
# chmod 500 /etc/wazuh-indexer/certs
# chmod 400 /etc/wazuh-indexer/certs/*

# chown -R wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/certs
Now check /etc/wazuh-indexer/opensearch.yml and check whether these settings have the right certificate name.
Ex:
plugins.security.ssl.http.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.http.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.http.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /etc/wazuh-indexer/certs/wazuh-indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /etc/wazuh-indexer/certs/wazuh-indexer-key.pem
plugins.security.ssl.transport.pemtrustedcas_filepath: /etc/wazuh-indexer/certs/root-ca.pem

Ref:
https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/step-by-step.html#deploying-certificates

Now restart the Wazuh indexer:
systemctl restart wazuh-indexer
and check the output of this command to confirm that the indexer is running:
curl -k -u admin:admin_password "https://<WAZUH_INDEXER_IP_ADDRESS>:9200/_cat/nodes?pretty"

Filebeat:
Check the certificate name inside:
ls -lrt /etc/filebeat/certs/
Permission for those filebeat certificates should be:
chmod 500 /etc/filebeat/certs
chmod 400 /etc/filebeat/certs/*
chown -R root:root /etc/filebeat/certs

Now check /etc/wazuh-indexer/opensearch.yml and check whether these settings have the right certificate name.
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/wazuh-server.pem"
  ssl.key: "/etc/filebeat/certs/wazuh-server-key.pem"

Now restart Wazuh manager and filebeat
systemctl restart wazuh-manager
systemctl restart filebeat

And check the output of this command:
filebeat test output
Ref: https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#deploying-certificates

Is this happening to a fresh installation or after making changes in the old deployment?

Also please share the output of the following commands to verify the certificate:
openssl verify -CAfile /etc/filebeat/certs/root-ca.pem /etc/wazuh-indexer/certs/indexer.pem
openssl rsa -noout -modulus -in /etc/filebeat/certs/filebeat-key.pem | openssl md5
openssl x509 -noout -modulus -in /etc/filebeat/certs/filebeat.pem | openssl md5


Can you please let me know what your current Wazuh version is? Are you facing an issue with Filebeat only, or is the dashboard also down?

Hope to hear from you soon
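The two checks requested in the reply above (does the indexer certificate chain to the root CA that Filebeat trusts, and does a private key belong to its certificate), as an added shell example that is not part of the original thread. It runs against throwaway certificates generated into a temp directory (every file name there is constructed), and it compares public keys instead of RSA moduli, which goes beyond the commands in the reply so that EC keys are covered too.

```sh
#!/bin/sh
# Added example: reproduces "certificate signed by unknown authority" offline.

# Return 0 if CERT chains to the CA file the client is configured to trust.
cert_chains_to_ca() {   # usage: cert_chains_to_ca CA_FILE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Return 0 if the private key and the certificate carry the same public key.
# An unreadable key or certificate counts as a mismatch, never as a match.
key_matches_cert() {    # usage: key_matches_cert KEY CERT
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Build a constructed PKI in DIR: root-ca (signs the indexer certificate)
# and other-ca (an unrelated CA, standing in for a stale or wrong root-ca.pem).
make_demo_pki() {       # usage: make_demo_pki DIR
    d=$1
    for ca in root-ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=indexer" \
        -keyout "$d/indexer-key.pem" -out "$d/indexer.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/indexer.csr" -days 1 \
        -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" -CAcreateserial \
        -out "$d/indexer.pem" 2>/dev/null
}

# Demo run on the constructed certificates.
tmp=$(mktemp -d) && make_demo_pki "$tmp"
cert_chains_to_ca "$tmp/root-ca.pem" "$tmp/indexer.pem" \
    && echo "root-ca.pem: indexer certificate verifies"
cert_chains_to_ca "$tmp/other-ca.pem" "$tmp/indexer.pem" \
    || echo "other-ca.pem: signed by unknown authority (the Filebeat handshake error)"
key_matches_cert "$tmp/indexer-key.pem" "$tmp/indexer.pem" \
    && echo "indexer-key.pem matches indexer.pem"
key_matches_cert "$tmp/root-ca.key" "$tmp/indexer.pem" \
    || echo "root-ca.key does not match indexer.pem"
rm -rf "$tmp"
```

On a real host, pass the file listed under ssl.certificate_authorities as CA_FILE and the certificate the indexer serves on port 9200 as CERT.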