From 726d3a08d02f516700a0ebf12709c0edec1ecda3 Mon Sep 17 00:00:00 2001 From: edmocosta <11836452+edmocosta@users.noreply.github.com> Date: Thu, 15 Jun 2023 13:38:30 +0200 Subject: [PATCH 1/2] Add monitoring/management xpack SSL regression note --- docs/static/releasenotes.asciidoc | 36 +++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/docs/static/releasenotes.asciidoc b/docs/static/releasenotes.asciidoc index 505bc33b543..443d5ffe3fb 100644 --- a/docs/static/releasenotes.asciidoc +++ b/docs/static/releasenotes.asciidoc @@ -120,6 +120,42 @@ This section summarizes the changes in the following releases: [[logstash-8-8-0]] === Logstash 8.8.0 Release Notes +[[known-issues-8.8.0]] +==== Known issues + +Due to a recent change in the `logstash-output-elasticserach` plugin, +this and any other version of Logstash using the Elasticsearch output plugin version `>= 11.14.0` and `< 11.15.8`, +may fail to start due to a monitoring and central management SSL/TLS settings regression. +When impacted by this issue, Logstash fails to start and log an error similar to the following: +``` +[logstash.licensechecker.licensereader] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#} +``` + +**Resolution** + +A successful Elasticsearch output plugin update to version `11.15.8` or higher will +resolve this issue: + +``` +bin/logstash-plugin update logstash-output-elasticsearch +``` + +OR + +Specify the `ca_trusted_fingerprint` setting in the `logstash.yml`. +The certificate fingerprint can be extract with: + +``` +cat your_ca.cert | openssl x509 -outform der | sha256sum | awk '{print $1}' +``` + +Then set the following on `logstash.yml` using the output from the previous command: + +``` +xpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint: "" +xpack.management.elasticsearch.ssl.ca_trusted_fingerprint: "" +``` + [[notable-8.8.0]] ==== Notable issues fixed From a077b4efe7a6d7343fa5e2295e3fd6ece9ed0464 Mon Sep 17 00:00:00 2001 From: Edmo Vamerlatti Costa <11836452+edmocosta@users.noreply.github.com> Date: Thu, 15 Jun 2023 15:58:59 +0200 Subject: [PATCH 2/2] Apply PR suggestion --- docs/static/releasenotes.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/static/releasenotes.asciidoc b/docs/static/releasenotes.asciidoc index 443d5ffe3fb..9d603405a63 100644 --- a/docs/static/releasenotes.asciidoc +++ b/docs/static/releasenotes.asciidoc @@ -123,10 +123,10 @@ This section summarizes the changes in the following releases: [[known-issues-8.8.0]] ==== Known issues -Due to a recent change in the `logstash-output-elasticserach` plugin, -this and any other version of Logstash using the Elasticsearch output plugin version `>= 11.14.0` and `< 11.15.8`, -may fail to start due to a monitoring and central management SSL/TLS settings regression. -When impacted by this issue, Logstash fails to start and log an error similar to the following: +Logstash 8.8.0 may fail to start when SSL/TLS is enabled +in monitoring and/or central management, due to a change introduced in version 11.14.0 of the https://github.com/logstash-plugins/logstash-output-elasticsearch[logstash-output-elasticsearch] plugin. +When impacted by this issue, Logstash fails to start and logs an error similar to the following: + ``` [logstash.licensechecker.licensereader] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#} ```