elastic / logstash

Logstash - transport and process your logs, events, or other data
https://www.elastic.co/products/logstash

Logstash fails to start with no password for keystore specified #11110

Open vklimovs opened 5 years ago

vklimovs commented 5 years ago

Logstash (7.2.0) with the following configuration

input {
    beats {
        port => 5044
    }
}

output {
    elasticsearch {
        hosts => [ 'https://host:9200' ]
        keystore => '/etc/ssl/logstash/host.p12'
        cacert => '/etc/ssl/logstash/ca.crt'
    }
}

fails to start with the following errors:

[ERROR] 2019-09-02 22:00:56.754 [[main]-pipeline-manager] javapipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<NoMethodError: undefined method `toCharArray' for nil:NilClass>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:692:in `block in get_store'", "org/jruby/RubyKernel.java:1885:in `tap'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:690:in `get_store'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:647:in `setup_key_store'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:622:in `ssl_socket_factory_from_options'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:397:in `pool_builder'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:405:in `pool'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/client.rb:209:in `initialize'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:26:in `initialize'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:282:in `build_adapter'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:286:in `build_pool'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client.rb:64:in `initialize'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:103:in `create_http_client'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/http_client_builder.rb:99:in `build'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch.rb:238:in `build_client'", "/opt/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.1.0-java/lib/logstash/outputs/elasticsearch/common.rb:25:in `register'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:106:in `register'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:48:in `register'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:192:in `block in register_plugins'", "org/jruby/RubyArray.java:1792:in `each'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:191:in `register_plugins'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:462:in `maybe_setup_out_plugins'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:204:in `start_workers'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:146:in `run'", "/opt/logstash/logstash-core/lib/logstash/java_pipeline.rb:105:in `block in start'"], :thread=>"#"}
[ERROR] 2019-09-02 22:00:56.764 [Converge PipelineAction::Create] agent - Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create, action_result: false", :backtrace=>nil}

Adding

keystore_password => ''

to the configuration allows Logstash to start successfully.

Logstash should assume that if no password is specified it's an empty password.

bruno-lopes commented 5 years ago

The same holds true for truststore:

elasticsearch {
    hosts => ["https://elasticsearch-03"]
    index => "radius-%{+YYYY-MM-dd}"
    user => logstash_system
    password => "PASSWORD"
    ssl => true
    ssl_certificate_verification => true
    truststore => "/etc/logstash/config/certs/ca.p12"
    truststore_password => ''
    #template => "/usr/share/logstash/templates/logstash-radius.json"
    #template_overwrite => true
    #template_name => "logstash-radius"
}

Without truststore_password, I get the same error.
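
A pre-flight check for the configuration reported in the two comments above, as an added example that is not part of the thread or of Logstash: it scans pipeline config text and reports plugin blocks that set keystore or truststore without the matching password option. The name lint_store_passwords and the sample config are constructed for illustration; conditionals that contain regex literals are not handled.

```ruby
require 'strscan'
STORE_OPTIONS = %w[keystore truststore].freeze # each needs "<option>_password"

# Returns one finding per plugin block that sets a store option without its password.
def lint_store_passwords(config)
  # Blank out quoted strings and drop comments so braces, '#' and "=>" inside
  # them cannot confuse the scan; a commented-out password counts as absent.
  clean = config.gsub(/"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|#[^\n]*/) do |m|
    m.start_with?('#') ? '' : '""'
  end
  findings = []
  stack = [] # one frame per open "{", innermost last
  ss = StringScanner.new(clean)
  until ss.eos?
    if ss.scan(/(\w+)\s*=>/) # option assignment
      stack.last[:opts] << ss[1] if stack.last
    elsif ss.scan(/(\w+)\s*\{/) # named block such as "elasticsearch {"
      stack << { name: ss[1], opts: [] }
    elsif ss.scan(/\{/) # hash value or conditional body
      stack << { name: nil, opts: [] }
    elsif ss.scan(/\}/)
      frame = stack.pop or next # ignore an unbalanced "}"
      STORE_OPTIONS.each do |store|
        next unless frame[:opts].include?(store)
        next if frame[:opts].include?("#{store}_password")
        findings << { plugin: frame[:name], option: store, missing: "#{store}_password" }
      end
    else
      ss.scan(/\w+|./m) # skip values, whitespace and punctuation
    end
  end
  findings
end

# Constructed sample modelled on the two configurations quoted in the thread.
SAMPLE = <<~'CONF'
  input { beats { port => 5044 } }
  output {
    elasticsearch {
      keystore => '/etc/ssl/logstash/host.p12'
      #keystore_password => ''
    }
    elasticsearch {
      truststore => "/etc/logstash/config/certs/ca.p12"
      truststore_password => ''
    }
  }
CONF
lint_store_passwords(SAMPLE).each { |f| puts "#{f[:plugin]}: #{f[:option]} set without #{f[:missing]}" }
```

Run against a pipeline file before deployment, an empty result means every store option has an explicit password setting, including the empty string used as the workaround here.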

VimCommando commented 4 years ago

I ran into this today when troubleshooting a Logstash certificate connectivity issue.

regulatre commented 4 years ago

I would propose the output plugin defaults to a keystore_password value of "changeit", which would match the default keystore password used by Java, the logstash dockerhub container, etc.