Convert keystore for newer Logstash versions (NETWAYS#78)

* Convert Java keystore

fixes NETWAYS#69

Author: widhalmt

handlers/main.yml

@@ -11,3 +11,21 @@
     name: logstash
     state: restarted
   when: not logstash_config_autoreload and logstash_enable | bool
+
+- name: Reconvert keystore
+  shell: >
+    openssl pkcs12
+    -in "/etc/logstash/certs/cert.p12"
+    -password pass:""
+    -nodes |
+    openssl pkcs12
+    -export
+    -password pass:""
+    -out "/etc/logstash/certs/keystore.pfx"
+
+- name: Reset permissions on keystore
+  file:
+    path: /etc/logstash/certs/keystore.pfx
+    owner: root
+    group: logstash
+    mode: 0660

tasks/logstash-security.yml

@@ -51,10 +51,32 @@
     group: logstash
     mode: 0640
   notify:
+    - Reconvert keystore
+    - Reset permissions on keystore
     - Restart Logstash
   tags:
     - certificates
 
+- name: Convert keystore
+  shell: >
+    openssl pkcs12
+    -in "/etc/logstash/certs/cert.p12"
+    -password pass:""
+    -nodes |
+    openssl pkcs12
+    -export
+    -password pass:""
+    -out "/etc/logstash/certs/keystore.pfx"
+  args:
+    creates: "/etc/logstash/certs/keystore.pfx"
+
+- name: Set permissions on keystore
+  file:
+    path: /etc/logstash/certs/keystore.pfx
+    owner: root
+    group: logstash
+    mode: 0660
+
 - name: Fetch ca certificate from ca host to master
   fetch:
     src: "{{ elastic_ca_dir }}/ca.crt"

templates/elasticsearch-output.conf.j2

@@ -2,7 +2,7 @@ output {
   elasticsearch {
     hosts => [ {% for host in logstash_elasticsearch %}"{{ host }}:9200"{% if not loop.last %},{% endif %}{% endfor %}]
 {% if elastic_stack_full_stack | bool and logstash_security | bool and elastic_variant == "elastic" %}
-    keystore => "/etc/logstash/certs/cert.p12"
+    keystore => "/etc/logstash/certs/keystore.pfx"
     keystore_password => ""
     cacert => "/etc/logstash/certs/ca.crt"
     ssl => true