From eca2d26ed1436e838999628acf900723b61604f3 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Tue, 7 Feb 2023 15:27:25 +0100
Subject: [PATCH 1/2] Fix the Certificate key pkcs8 reading by Logstash

---
 roles/logstash/tasks/logstash-security.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index d2482605..fe957ab3 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -130,6 +130,9 @@
 openssl pkcs8
 -in {{ logstash_certs_dir }}/{{ inventory_hostname }}.key
 -topk8
+ -v1 PBE-MD5-DES
+ -inform PEM
+ -outform PEM
 -passin pass:{{ logstash_tls_key_passphrase }}
 -out {{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key
 -passout pass:{{ logstash_tls_key_passphrase }}

From 6b3d433ad8dc6a8b6fe81682b7376fbb90f90192 Mon Sep 17 00:00:00 2001
From: Afeef Ghannam
Date: Thu, 9 Feb 2023 09:55:04 +0100
Subject: [PATCH 2/2] * Remove encryption of logstash key, because it is not reliable

---
 docs/role-logstash.md | 1 -
 roles/logstash/defaults/main.yml | 1 -
 roles/logstash/tasks/logstash-security.yml | 16 ----------------
 roles/logstash/templates/beats-input.conf.j2 | 3 ---
 4 files changed, 21 deletions(-)

diff --git a/docs/role-logstash.md b/docs/role-logstash.md
index 6275cbb2..9af3cbed 100644
--- a/docs/role-logstash.md
+++ b/docs/role-logstash.md
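Review bot: `-v1 PBE-MD5-DES` selects PKCS#5 v1.5 password-based encryption (MD5-derived key, single 56-bit DES-CBC), one of the legacy schemes `openssl pkcs8` keeps only for compatibility, so the on-disk PKCS#8 key is protected by little more than the guessability of `logstash_tls_key_passphrase`; the commit title suggests it was chosen because Logstash could not read the PKCS#5 v2 default, and that reason belongs next to the task so nobody later "hardens" it back to a form Logstash rejects, e.g. `# -v1 PBE-MD5-DES: legacy PKCS#5 v1.5 cipher, kept only because Logstash cannot read the v2 (AES) default - re-check on each Logstash upgrade`, placed above the `command:` key rather than inside the folded scalar, where a `#` would become part of the command line. `-inform PEM` and `-outform PEM` are OpenSSL's defaults and could be dropped. The passphrase is also handed over via `-passin pass:`/`-passout pass:`, where it is visible in the process list and in the task's logged output unless the task sets `no_log: true`; the task's `name:` and `args:` lie outside this hunk, so I cannot see whether it does.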
@@ -55,7 +55,6 @@ Aside from `logstash.yml` we can manage Logstashs pipelines.
 * *logstash_beats_input*: Enable default pipeline with `beats` input (default: `true`)
 * *logstash_beats_input_congestion*: Optional congestion threshold for the beats input pipeline
 * *logstash_beats_tls*: Activate TLS for the beats input pipeline (default: none but `true` with full stack setup if not set)
-* *logstash_beats_tls_encryptkey*: Enable encryption of key for beats input - disabling used as a workaround on certain hosts (default: true)
 * *logstash_tls_key_passphrase*: Passphrase for Logstash certificates (default: `ChangeMe`)
 * *logstash_elasticsearch*: Address of Elasticsearch instance for default output (default: list of Elasticsearch nodes from `elasticsearch` role or `localhost` when used standalone)
 * *logstash_security*: Enable X-Security (No default set, but will be activated when in full stack mode)
diff --git a/roles/logstash/defaults/main.yml b/roles/logstash/defaults/main.yml
index 0b0308ac..fd2609e0 100644
--- a/roles/logstash/defaults/main.yml
+++ b/roles/logstash/defaults/main.yml
@@ -35,7 +35,6 @@ logstash_pipelines:
 # source: https://github.com/widhalmt/shipper-logstash-pipeline.git
 logstash_elasticsearch_output: true
 logstash_beats_input: true
-logstash_beats_tls_encryptkey: true
 # logstash security
 logstash_user: logstash_writer
diff --git a/roles/logstash/tasks/logstash-security.yml b/roles/logstash/tasks/logstash-security.yml
index fe957ab3..4d62f56f 100644
--- a/roles/logstash/tasks/logstash-security.yml
+++ b/roles/logstash/tasks/logstash-security.yml
@@ -125,21 +125,6 @@
 tags:
 - certificates
 
-- name: Create Logstash compatible key
- command: >
- openssl pkcs8
- -in {{ logstash_certs_dir }}/{{ inventory_hostname }}.key
- -topk8
- -v1 PBE-MD5-DES
- -inform PEM
- -outform PEM
- -passin pass:{{ logstash_tls_key_passphrase }}
- -out {{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key
- -passout pass:{{ logstash_tls_key_passphrase }}
- args:
- creates: "{{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key"
- when: logstash_beats_tls_encryptkey | bool
-
 - name: Create unencrypted Logstash compatible key
 command: >
 openssl pkcs8
@@ -150,7 +135,6 @@
 -nocrypt
 args:
 creates: "{{ logstash_certs_dir }}/{{ inventory_hostname }}-pkcs8.key"
- when: not logstash_beats_tls_encryptkey | bool
 
 - name: Set permissions on Logstash key
 file:
diff --git a/roles/logstash/templates/beats-input.conf.j2 b/roles/logstash/templates/beats-input.conf.j2
index 9ac26da7..d3b9c134 100644
--- a/roles/logstash/templates/beats-input.conf.j2
+++ b/roles/logstash/templates/beats-input.conf.j2
@@ -8,9 +8,6 @@ input {
 ssl_verify_mode => force_peer
 ssl_certificate_authorities => ["{{ logstash_certs_dir }}/ca.crt"]
 ssl_peer_metadata => false
-{% if logstash_beats_tls_encryptkey | bool %}
- ssl_key_passphrase => "{{ logstash_tls_key_passphrase }}"
-{% endif %}
 {% endif %}
 }
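Review bot: Removing the `when:` from `Create unencrypted Logstash compatible key` makes it the only generator, but its `creates:` guard names the same `{{ inventory_hostname }}-pkcs8.key` path the deleted encrypted task wrote, so a host provisioned before this change keeps its passphrase-protected PKCS#8 file, the task is skipped, and the `beats-input.conf.j2` hunk below no longer passes `ssl_key_passphrase` to Logstash - the beats input would then fail to load the key on the next run rather than being migrated. A one-time migration step before this task is needed, for example reading the existing file and removing it (`state: absent`) when it still carries the `BEGIN ENCRYPTED PRIVATE KEY` PEM header, or dropping `creates:` in favour of regenerating whenever the source `.key` changes. The same gap applies to the second hunk in this file (`@@ -150,7 +135,6 @@`), which only drops the inverse `when:`; the `command: >` body of the surviving task runs between the two hunks and is not visible here. Since the key is now always written with `-nocrypt`, the following `Set permissions on Logstash key` task (visible as context) becomes the only protection for it, which is worth stating in a comment above the generator task, e.g. `# Key is written unencrypted; file ownership/mode set by the next task is its only protection`.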