logstash-forwarder failed to tls handshake cannot validate cert because it doesnt contain any IP SANS

Question

I have a logstash / elastic search / kibana server on ubuntu 14.x 64bit.

I have a few other servers with the same spec using logstash-forwarder, and everything is working as expected.

However, when I setup a 32bit centos 6 server, with a config like:

I get the folowing error:

Failed to tls handshake with x.x.x.x x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs

If I change that config, and put the DNS in, instead of the ip, I get the following error:

Failed to tls handshake with x.x.x.x x509: certificate is valid for , not my-dns.com

any guidance greatly appreciated..

**UPDATE: It appears that this does not happen on a 64bit system where I can install the logstash-forwarder rpm. So the issue may be in the 32bit version that I downloaded and compiled with go.

score 6 · Accepted Answer · answered Oct 25 '14 at 07:24

I fixed this by generating a new certificate without the -batch parameter. This means the certificate asked for "common name" when generating it.

I put the logstash server dns as the common name, replaced the old certificates with the new one, and it worked. Here is the command I used to generate the new certificate:

openssl req -x509 -nodes -newkey rsa:2048 -keyout logstash-forwarder.key -out logstash-forwarder.crt

logstash-forwarder failed to tls handshake cannot validate cert because it doesnt contain any IP SANS

1 Answers1