我从 DigiCert 购买了证书。所以我得到了文件;DigiCertCA.crt, mydomain_com.crt mydomain_com.key
我将我的 logstash 配置更改为这个;
tcp {
type => "AppLog"
port => 5656
host => "mydomain.com"
ssl_cacert => "C:/Certificates/DigiCertCA.crt"
ssl_cert => "C:/Certificates/mydomain_com.crt"
ssl_key => "C:/Certificates/mydomain_com.key"
ssl_enable => true
ssl_verify => true
}
然后将我的 nxlog 配置更改为此(在不同的机器上运行):
<Output App_Out>
Module om_ssl
Host mydomain.com
Port 5656
CAFile C:\NxLogCerts\DigiCertCA.crt
CertFile C:\NxLogCerts\mydomain_com.crt
OutputType LineBased
</Output>
而且我尝试了许多不同的参数,删除了一些参数,在两侧添加了一些像 AllowUntrusted 等。没运气。
用openssl测试;
$ openssl s_client -CAfile DigiCertCA.pem -connect mydomain.com:5960
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CountryCode, ST = State, L = City, O = CompanyName AS, CN = mydomain.com
verify return:1
---
Certificate chain
0 s:/C=CountryCode/ST=State/L=City/O=CompanyName/CN=mydomain.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
CERTIFICATE
-----END CERTIFICATE-----
subject=/C=CountryCode/ST=State/L=City/O=XompanyName/CN=mydomain.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1801 bytes and written 462 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES128-SHA
Session-ID: -----------Removed
Session-ID-ctx:
Master-Key: -----------Removed
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1441375513
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
哪个看起来不错..?
任何指示找出实际问题是什么?我做错了吗?
编辑:当然我忘记了错误信息;在 nxlog-client 发送到 logstash
2015-09-04 16:17:21 INFO nxlog-ce-2.9.1347 started
2015-09-04 16:17:21 INFO connecting to mydomain.com:5960
2015-09-04 16:17:21 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:21 INFO reconnecting in 1 seconds
2015-09-04 16:17:21 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
2015-09-04 16:17:22 INFO connecting to mydomain.com:5960
2015-09-04 16:17:22 INFO successfully connected to mydomain.com:5960
2015-09-04 16:17:22 INFO reconnecting in 1 seconds
2015-09-04 16:17:22 ERROR SSL certificate verification failed: unable to get issuer certificate (err: 2)
在logstash服务器上
{:timestamp=>"2015-09-04T16:25:52.976000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}
{:timestamp=>"2015-09-04T16:25:53.992000+0200", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: Unrecognized SSL message, plaintext connection?>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:238:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/jruby/lib/ruby/shared/jopenssl19/openssl/ssl-internal.rb:142:in `accept'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:182:in `run_server'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-1.0.0/lib/logstash/inputs/tcp.rb:170:in `run'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:177:in `inputworker'", "C:/elkstack/logstash-1.5.3/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:171:in `start_input'"], :level=>:error}