MetricBeats input TLS Client Auth Trusted Certs not working

puck · February 2, 2018, 9:52pm

I’m trying to enable Beats input HTTPS with Graylog 2.4 on MetricBeats, and use mutual TLS with client certificates uploaded to Graylog. It works specifying the file path of a specific client cert. But with the directory option, receiving error:
Caused by: java.io.IOException: Short read of DER length

I have tried:
/etc/openssl/
/etc/openssl

Anyone run into this?

jochen · February 3, 2018, 9:30am

Which directory option?

puck · February 3, 2018, 3:57pm

When I edit the Beats input plugin, here:
System --> Inputs
Stop Input
More Actions --> Edit Input
Scroll down to input field: TLS Client Auth Trusted Certs(optional)

When I input: /etc/openssl

It doesn’t work.

When I input: /etc/openssl/clientcert.cert

It works. It says that directory or file can be used, “TLS Client Auth Trusted Certs (File or Directory)”

jochen · February 3, 2018, 4:43pm

What’s in the logs of your Graylog node?
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html

puck · February 3, 2018, 5:53pm

Thank you for helping me.

I had tried to communicate this in the first post, the error is “short read of DER length.”

I’m on Ubuntu 16.04, and logfile is “/var/log/graylog-server/server.log”

Here is copy and paste from relevant log:

`java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
at sun.security.x509.X509CertImpl.(X509CertImpl.java:198) ~[?:1.8.0_151]

jochen · February 4, 2018, 10:23am

Please post the complete log and not just some arbitrary line.

Also, please post the output of the following commands:

$ namei -l /etc/openssl/*
$ file /etc/openssl/*

puck · February 4, 2018, 4:04pm

Here is complete log:

2018-02-04T15:57:00.889Z WARN [AbstractNioSelector] Failed to initialize an accepted socket.
java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
at sun.security.x509.X509CertImpl.(X509CertImpl.java:198) ~[?:1.8.0_151]
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:471) ~[?:1.8.0_151]
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:356) ~[?:1.8.0_151]
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_151]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:91) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:103) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.util.KeyUtil.initTrustStore(KeyUtil.java:73) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.createSslEngine(AbstractTcpTransport.java:199) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:186) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$1.call(AbstractTcpTransport.java:182) ~[graylog.jar:?]
at org.graylog2.plugin.inputs.transports.NettyTransport$1.getPipeline(NettyTransport.java:110) ~[graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.registerAcceptedChannel(NioServerBoss.java:134) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.process(NioServerBoss.java:104) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioServerBoss.run(NioServerBoss.java:42) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
Caused by: java.io.IOException: Short read of DER length
at sun.security.util.DerInputStream.getLength(DerInputStream.java:582) ~[?:1.8.0_151]
at sun.security.util.DerValue.(DerValue.java:258) ~[?:1.8.0_151]
at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:451) ~[?:1.8.0_151]
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1784) ~[?:1.8.0_151]
at sun.security.x509.X509CertImpl.(X509CertImpl.java:195) ~[?:1.8.0_151]

root@freya:/etc/openssl# namei -l /etc/openssl/*
f: /etc/openssl/cacerts.jks
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog cacerts.jks
f: /etc/openssl/create_ssl_certs.sh
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rwxr-xr-x graylog graylog create_ssl_certs.sh
f: /etc/openssl/freya.domain.net.cert.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog freya.domain.net.cert.pem
f: /etc/openssl/freya.domain.net.pkcs5-plain.key.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog freya.domain.net.pkcs5-plain.key.pem
f: /etc/openssl/freya.domain.net.pkcs8-encrypted.key.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog freya.domain.net.pkcs8-encrypted.key.pem
f: /etc/openssl/freya.domain.net.pkcs8-plain.key.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog freya.domain.net.pkcs8-plain.key.pem
f: /etc/openssl/graylog-cert.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog graylog-cert.pem
f: /etc/openssl/host.clientdomain.net.cert.pem
drwxr-xr-x root root /
drwxr-xr-x root root etc
drwxr-xr-x graylog graylog openssl
-rw-r–r-- graylog graylog host.clientdomain.cert.pem
root@freya:/etc/openssl#

root@freya:/etc/openssl# file /etc/openssl/*
/etc/openssl/cacerts.jks: Java KeyStore
/etc/openssl/create_ssl_certs.sh: Bourne-Again shell script, ASCII text executable, with very long lines
/etc/openssl/freya.domain.net.cert.pem: PEM certificate
/etc/openssl/freya.domain.net.pkcs5-plain.key.pem: ASCII text
/etc/openssl/freya.domain.net.pkcs8-encrypted.key.pem: ASCII text
/etc/openssl/freya.domain.net.pkcs8-plain.key.pem: ASCII text
/etc/openssl/graylog-cert.pem: PEM certificate
/etc/openssl/host.clientdomain.net.cert.pem: PEM certificate
root@freya:/etc/openssl#

jochen · February 5, 2018, 8:31am

Try providing a directory which only contains valid certificates and no other files.

puck · February 5, 2018, 3:46pm

That worked perfectly well. Thank you! I just created a new directory of /etc/openssl/clients and copied the one client generated public certificate into the directory. Re-started the plugin and specified that directory, and it worked. THANK YOU!

system · February 19, 2018, 3:46pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beats input with TLS enabled - authentication problem Graylog Central (peer support)	4	3325	April 29, 2020
Certificate/TLS Issue Graylog Central (peer support)	15	4961	June 24, 2020
Graylog TLS client authentication Unknown beats protocol version Graylog Central (peer support)	2	532	December 27, 2022
TLS Client Authentication: "No certificate data found" Graylog Central (peer support)	6	4303	March 19, 2019
Graylog beats input TLS enable Error Graylog Central (peer support) sidecar , nxlog , filebeat-linux , nodatanx , send-csv-logsnx , nosendlogfblx	10	5734	November 27, 2017

MetricBeats input TLS Client Auth Trusted Certs not working

Related topics