how to configure metricbeat connect to elasticsearch with ssl

I try configure metricbeat to ssl connect, but when start metricbeat i have this error:

2018-11-28T17:43:31.512Z INFO instance/beat.go:286 Setup Beat: metricbeat; Version: 6.4.3

2018-11-28T17:43:31.514Z ERROR tlscommon/tls.go:63 Failed loading client certificate%!(EXTRA *errors.errorString=tls: failed to parse private key)

2018-11-28T17:43:31.514Z INFO instance/beat.go:340 metricbeat stopped.

2018-11-28T17:43:31.538Z ERROR instance/beat.go:764 Exiting: error initializing publisher: 1 error: tls: failed to parse private key

config:

#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:

Array of hosts to connect to.

hosts: [“hostname:9200”]

Optional protocol and basic auth credentials.

protocol: “https”

#username: “admin”

#password: “admin”

#ssl.verification_mode: none

ssl.certificate_authorities: ["/etc/metricbeat/root-ca.pem"]

ssl.certificate: “/etc/metricbeat/dev-test.pem”

ssl.key: “/etc/metricbeat/dev-test.key”

ssl.key_passphrase: ‘xxxxxx’

When i try use user-password - all work fine.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

Search Guard and elasticsearch 6.4.3

  • Installed and used enterprise modules, if any

No

  • JVM version and operating system version

OpenJDK 1.8.0_191, OS CentOS 7.5

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Seems like metricbeat (which is implemented in golang) does not like your /etc/metricbeat/dev-test.key keyfile.

Make sure the password given with “ssl.key_passphrase” is correct.

How did you generate this? With OpenSSL? Then pls look here: https://discuss.elastic.co/t/filebeat-private-key-parse-error/119633/5

So it seems the private key is not in PKCS8 format. Maybe this helps:

As this is not a directly Search Guard related issue you may want to ask your question also here: https://discuss.elastic.co/

···

On Wednesday, 28 November 2018 18:49:28 UTC+1, Konstantin Fetisov wrote:

I try configure metricbeat to ssl connect, but when start metricbeat i have this error:

2018-11-28T17:43:31.512Z INFO instance/beat.go:286 Setup Beat: metricbeat; Version: 6.4.3

2018-11-28T17:43:31.514Z ERROR tlscommon/tls.go:63 Failed loading client certificate%!(EXTRA *errors.errorString=tls: failed to parse private key)

2018-11-28T17:43:31.514Z INFO instance/beat.go:340 metricbeat stopped.

2018-11-28T17:43:31.538Z ERROR instance/beat.go:764 Exiting: error initializing publisher: 1 error: tls: failed to parse private key

config:

#-------------------------- Elasticsearch output ------------------------------

output.elasticsearch:

Array of hosts to connect to.

hosts: [“hostname:9200”]

Optional protocol and basic auth credentials.

protocol: “https”

#username: “admin”

#password: “admin”

#ssl.verification_mode: none

ssl.certificate_authorities: ["/etc/metricbeat/root-ca.pem"]

ssl.certificate: “/etc/metricbeat/dev-test.pem”

ssl.key: “/etc/metricbeat/dev-test.key”

ssl.key_passphrase: ‘xxxxxx’

When i try use user-password - all work fine.

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

Search Guard and elasticsearch 6.4.3

  • Installed and used enterprise modules, if any

No

  • JVM version and operating system version

OpenJDK 1.8.0_191, OS CentOS 7.5

  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any