Menu
I'm trying to connect to logstash with logstash-forwarder. Their communication base on ssl so I generate a self-signed certificate follows this. Then I got this error message on logstash-forwarder side:
Failed to tls handshake with 9.21.61.19 x509: certificate signed by unknown authority (possibly because of "x509: invalid signature: parent certificate cannot sign this kind of certificate" while trying to verify candidate authority certificate "*.*.*.*.*")
If I generate the certificate without subject alt name, it will work. The worked certificate can be generated by:
openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=*.*.*.*.*
But what I'm hoping to do is to generate a certificate which can be used in different kinds of host. To do that I want to generate a ssl certificate whose CN=*.*.*.*.*, then alt names include *, *.*, *.*.* etc.
Is there any suggestion on how can I overcome this ssl error? Or a better way to make logstash-forwarder can work in a variety of environments?
520
asked Jan 22 '26 08:01
Turns out, when I removed the
keyUsage = digitalSignature, keyEncipherment
in [ v3_ca ], which is asked in the guide, the generated certificate do works for a variety of host names.
This may not be a right scenario for SSL. But for the logstash/logstash-forwarder case, it do helps.
71
answered Jan 27 '26 02:01
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With