OpenSSL::X509::StoreError: setting default path failed: Detect premature EOF

[panuhorsmalahti]

I'm getting the following error when trying to run the logstash container on RHEL 7.1:

OpenSSL::X509::StoreError: setting default path failed: Detect premature EOF
  set_default_paths at org/jruby/ext/openssl/X509Store.java:185
             (root) at /usr/share/logstash/vendor/jruby/lib/ruby/shared/jopenssl/load.rb:26
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/vendor/jruby/lib/ruby/shared/openssl.rb:1
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/vendor/jruby/lib/ruby/shared/openssl.rb:1
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/logstash-core/lib/logstash/patches/stronger_openssl_defaults.rb:1
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/logstash-core/lib/logstash/patches/stronger_openssl_defaults.rb:2
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/logstash-core/lib/logstash/patches.rb:1
            require at org/jruby/RubyKernel.java:1040
             (root) at /usr/share/logstash/lib/bootstrap/environment.rb:67

Image created with the same Dockerfile works on Mac OS X developer machines.

[root@phorsma]# docker --version
Docker version 1.8.2-el7, build a01dc02/1.8.2
[root@phorsma]# uname -r
3.10.0-229.14.1.el7.x86_64
[root@phorsma]# 

My Dockerfile:

FROM logstash:5

MAINTAINER  Panu Horsmalahti <[email protected]>

# Copy Oracle JDBC Driver
COPY lib/ojdbc6.jar /opt/ojdbc6.jar

COPY logstash.conf /config-dir/

CMD ["-f", "/config-dir/logstash.conf"]

I'm using Kontena to deploy the container (shouldn't matter I think).

Running inside container:

root@88e758eedb19:/usr/share/logstash# apt-get install ruby
root@88e758eedb19:/usr/share/logstash# ruby -v -ropenssl -rfiddle -e 'puts Fiddle::Function.new(Fiddle.dlopen(nil)["SSLeay_version"], [Fiddle::TYPE_INT], Fiddle::TYPE_VOIDP).call(0)'
ruby 2.1.5p273 (2014-11-13) [x86_64-linux-gnu]
OpenSSL 1.0.1t  3 May 2016

I get the same error from logstash:2.1.3-1. The same server works with logstash:1.5.5.

A wild guess is that the error is related to elastic/logstash#3955

[panuhorsmalahti]

I can replicate the issue like this:

docker run -ti logstash:5 /bin/bash
root@3639bf9d2fd3:/# logstash

If I delete java folder froms certs:

root@3639bf9d2fd3:/# rm -rf /etc/ssl/certs/java

I can now run logstash fine inside the container.

Docker pull reports that logstash:5 is up to date:

Status: Image is up to date for docker.io/logstash:5

[panuhorsmalahti]

My workaround is as follows:

Create start.sh:

#!/bin/bash
rm -rf /etc/ssl/certs/java
logstash -f /config-dir/logstash.conf

And then in Dockerfile:

COPY start.sh /start.sh
CMD /start.sh

An alternative is simply having this in Dockerfile:

RUN rm -rf /etc/ssl/certs/java

[tianon]

Any idea what's causing the failure? The image itself should be isolated from the host environment pretty well by Docker.

Can you run docker inspect on a container which reproduces the problem and paste the output here?

[tianon]

This image is officially deprecated in favor of upstream's images (see https://www.elastic.co/guide/en/logstash/current/docker.html).

For more information, please see docker-library/elasticsearch#160, docker-library/docs#842, and docker-library/docs#945.

This image has been deprecated in favor of the official logstash image provided and maintained by elastic.co. The upstream images are available to pull via docker.elastic.co/logstash/logstash:[version] like 5.4.2. The images found here will receive no further updates once the 5.6.0 release is available upstream. Please adjust your usage accordingly.

Elastic provides open-source support for Logstash via the elastic/logstash GitHub repository and the Docker image via the elastic/logstash-docker GitHub repository, as well as community support via its forums.

Thanks!