Add more information about ssl_certificate_path for RabbitMQ output #31

@n0othing

(Somewhat related to logstash-plugins/logstash-output-rabbitmq#39)

The output plugin only supports passing in a .p12 for both trusts + any client cert/key pair. It'd be helpful to expand the docs by:

  • Mentioning that the .p12 can contain a client cert/key pair.
  • Explaining how to create a .p12 that's usable by the plugin.

Bullet two might seem a bit too out of scope, but I've encountered problems across different versions of Logstash. For example, the following worked great back with Logstash 5.4.0:

openssl pkcs12 -export -in chain.pem -inkey logstash.key -out openssl-only.p12

(where chain.pem is a concatenated file containing Logstash's public cert + the signing authority of RabbitMQ's cert).

But using the same method with Logstash 7.6.1 results in the following error:

RabbitMQ connection error, will retry. {:error_message=>"sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>"Java::JavaxNetSsl::SSLHandshakeException"}

In order to build a working .p12 on Logstash 7.6.1 (using existing PEM encoded certs/keys), I had to use both openssl + Java's keytool:

openssl pkcs12 -export -out logstash.p12 -inkey logstash.key -in logstash.crt

keytool -import -file ca.crt -alias ca_cert -keystore logstash.p12
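
A check to run on the resulting keystore, added here as an example and not part of the original issue or the plugin's documentation: it reads `keytool -list` output and confirms the .p12 holds both a `PrivateKeyEntry` (the client cert/key pair from the `openssl pkcs12 -export` step) and a `trustedCertEntry` (the CA added by `keytool -import`). The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify entries in `keytool -list` output read on stdin.
# Entry lines look like "<alias>, <date>, <entry type>, ".
# Prints "keys=N trusted=M"; returns 0 only if both kinds are present.
check_p12_listing() {
    awk '
        /, PrivateKeyEntry, *$/  { keys++ }
        /, trustedCertEntry, *$/ { trusted++ }
        END {
            printf "keys=%d trusted=%d\n", keys, trusted
            if (keys == 0)
                print "no client cert/key pair in keystore" > "/dev/stderr"
            if (trusted == 0)
                print "no trusted CA entry in keystore" > "/dev/stderr"
            ok = (keys > 0 && trusted > 0)
            exit(ok ? 0 : 1)
        }'
}

# Constructed sample: a listing with the key pair and the imported CA
# (alias ca_cert, as in the keytool command above).
sample_combined() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

ca_cert, Mar 3, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
1, Mar 3, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
EOF
}

# Constructed sample: a listing that has a key pair but no trusted entry.
sample_key_only() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Mar 3, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
EOF
}
```

To check a real file, pipe `keytool -list -keystore logstash.p12 -storetype PKCS12` into `check_p12_listing`.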
