Still having filebeat certificate issues with server


Angus Woodbury

Apr 20, 2022, 2:05:58 PM
to Wazuh mailing list
Alright, I am giving this one more try before I decide that I have had enough.  I posted yesterday but didn't receive any responses and tried to give more information but that message was deleted.  I guess between that and the lack of answers for people with similar issues doesn't give me much hope, but I wanted to give one more college try in case I didn't provide something useful.

I have reinstalled a few times now, doing the all in one, and trying both the unattended and step by step.

The problem:

elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR Get "https://127.0.0.1:9200": remote error: tls: unknown certificate

So the cert is validated, but between the server and filebeat (I assume, I still haven't figured out how the admin "client" certs are used or if they need to be set up any specific way) is not.  I have confirmed they are using the same CA file.  Curling 127.0.0.1:9200 works just fine:

{
  "name" : "node-1",
  "cluster_name" : "wazuh-cluster",
  "cluster_uuid" : "GeSvBiO9Ru-IZ5cPqIa48g",
  "version" : {
    "number" : "7.10.2",
    "build_flavor" : "oss",
    "build_type" : "deb",
    "build_hash" : "747e1cc71def077253878a59143c1f785afa92b9",
    "build_date" : "2021-01-13T00:42:12.435326Z",
    "build_snapshot" : false,
    "lucene_version" : "8.7.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

With the current install I did the unattended all in one and just replaced the certs manually, directory by directory (root-ca, elasticsearch, admin, filebeat and kibana), just to make sure that I made no mistakes.

I have regenerated the certs about a million times.  It seems to be very sensitive about everything.  I have played around with the common name and the alternative names in just about every conceivable way.  While this is my first foray into anything OSS ossec it is definitely not when it comes to SSL and application/web security.  Please let me know if any of my config files would help.  They are default for the most part.

As far as logs, I get zilch from filebeat or elasticsearch logs.  My wazuh-cluster log did have this though:

Caused by: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL client

That might be relevant, but I haven't been able to figure out what it means for me here despite a decent amount of time on Google searching through forums and help posts.

Any help for this poor old sap or is it time for me to find something more manageable for my meager CA skills/knowledge?
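
The `Netscape cert type does not permit use for SSL client` message quoted in the post above is raised by the JVM's certificate validator when a certificate presented for TLS client authentication carries the legacy Netscape Cert Type extension (OID 2.16.840.1.113730.1.1) without the SSL client bit. The check below is an added example, not part of the thread or of Wazuh's code; it tests DER bytes for that condition with the standard library only, and the sample inputs are constructed extension fragments, not real certificates.

```python
# Added example: standard library only; sample bytes below are constructed.
# For a PEM file, convert first: ssl.PEM_cert_to_DER_cert(open(path).read())
NS_CERT_TYPE_OID = bytes.fromhex("6086480186f8420101")  # 2.16.840.1.113730.1.1
NS_BITS = ["ssl_client", "ssl_server", "smime", "object_signing",
           "reserved", "ssl_ca", "smime_ca", "object_signing_ca"]

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def ns_cert_type(der, start=0, end=None):
    """Return the set of nsCertType usages in der, or None if the extension is absent."""
    end = len(der) if end is None else end
    pos = start
    while pos < end:
        tag, vstart, vend = read_tlv(der, pos)
        if tag == 0x06 and der[vstart:vend] == NS_CERT_TYPE_OID:
            t, s, e = read_tlv(der, vend)
            if t == 0x01:  # optional BOOLEAN "critical" flag
                t, s, e = read_tlv(der, e)
            _, bs, be = read_tlv(der, s)  # BIT STRING inside the OCTET STRING
            flags = der[bs + 1] if be - bs > 1 else 0  # byte 0 is the unused-bit count
            return {n for i, n in enumerate(NS_BITS) if flags & (0x80 >> i)}
        if tag & 0x20:  # constructed element: search its children
            found = ns_cert_type(der, vstart, vend)
            if found is not None:
                return found
        pos = vend
    return None

def permits_tls_client(der):
    """An absent extension passes; a present one must include ssl_client."""
    usages = ns_cert_type(der)
    return usages is None or "ssl_client" in usages

# Constructed Extension fragments (not real certificates):
SERVER_ONLY = bytes.fromhex("301106096086480186f8420101040403020640")
CLIENT_AND_SERVER = bytes.fromhex("301106096086480186f84201010404030206c0")
NO_NS_EXT = bytes.fromhex("300c0603551d13040530030101ff")  # basicConstraints only

if __name__ == "__main__":
    for name in ("SERVER_ONLY", "CLIENT_AND_SERVER", "NO_NS_EXT"):
        print(name, ns_cert_type(globals()[name]), permits_tls_client(globals()[name]))
```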

Daniel D'Angeli

Apr 21, 2022, 3:41:56 AM
to Wazuh mailing list
Not a "wazuh official" but I can try to help.

I had similar problems too with certificate generation; the only thing that worked for me was to change the node name and regenerate the certificates.

Hope this helps,
Daniel D.

Angus Woodbury

Apr 21, 2022, 8:15:13 AM
to Wazuh mailing list
Thanks Daniel!  Did the node name have to match the common name?

Daniel D'Angeli

Apr 28, 2022, 3:57:15 AM
to Wazuh mailing list
Hi,

Doesn't need to. I changed it to a random node name and it worked. Not sure if it's a bug or something I'm missing but thankfully it worked.

Best regards,
Daniel D.