Hi there,
I set up a docker-compose project for an ELK stack. It has been running really nicely for some weeks.
While thinking about security/authentication I added X-Pack, not seeing that it is not free.
So my license ended and I wanted to switch to Search Guard.
While the setup was OK so far (own Docker image, starting, …) I now get the message “Search Guard not initialized (SG11). See https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md”.
I read the MD file and ran this command:
root@host:/srv/elk# docker-compose exec elasticsearch plugins/search-guard-5/tools/sgadmin.sh -icl -ts config/truststore.jks -tspass xyz -tsalias myalias -ks config/keystore.jks -kspass xyz -ksalias myalias -cd …plugins/search-guard-5/sgconfig -nhnv
Search Guard Admin v5
Will connect to localhost:9300 … done
Contacting elasticsearch cluster ‘elasticsearch’ and wait for YELLOW clusterstate …
Cannot retrieve cluster state due to: None of the configured nodes are available: [{#transport#-1}{yd-qpPx9SSOpw81ZMcSTuA}{localhost}{127.0.0.1:9300}]. This is not an error, will keep on trying …
- Try running sgadmin.sh with -icl and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
- If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
12:37:49.500 [elasticsearch[_client_][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:1.8.0_131]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_131]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_131]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_131]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:222) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1119) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1041) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:624) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:559) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:476) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:438) [netty-transport-4.1.9.Final.jar:4.1.9.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.9.Final.jar:4.1.9.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1268) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1176) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
… 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:1.8.0_131]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_131]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1268) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1176) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
… 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_131]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_131]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_131]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:1.8.0_131]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_131]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_131]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:1.8.0_131]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_131]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1268) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1176) ~[netty-handler-4.1.9.Final.jar:4.1.9.Final]
… 17 more
Any idea what I am doing wrong, or a link on how to add Search Guard to an existing ELK stack in docker-compose?
Thanks for any reply
This error is not Docker related. It looks like your certificates are not correct.
Try this: Security and Alerting for Elasticsearch and Kibana | Search Guard
You may also look here: GitHub - deviantony/docker-elk: The Elastic stack (ELK) powered by Docker and Compose, or GitHub - khezen/docker-elasticsearch: Elasticsearch Docker image including search-guard, for some inspiration.
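The innermost "Caused by" in the posted trace is SunCertPathBuilderException raised from X509TrustManagerImpl.checkServerTrusted, i.e. on the client side of the handshake: sgadmin received the node's transport certificate on port 9300 and could not build a path from it to any anchor in the truststore passed with -ts. The sgadmin hints quoted in the log name the two things to check, the trust anchor and then the hostnames in the certificates (the part -nhnv switches off). The script below is an added example, not from this thread or from the Search Guard project: it reproduces both failures with openssl alone so they can be tested outside Elasticsearch. The CA names (cluster-ca, other-ca), the node name es-node and the jks_leaf_pem helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "PKIX path building
# failed" handshake error with plain openssl and show the two checks the
# sgadmin hints point at (trust anchor first, then hostname).
# cluster-ca, other-ca and es-node are made-up names for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA; key and cert land in $WORK/NAME.{key,pem}
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# make_leaf NAME CA HOST: node certificate signed by CA with
# subjectAltName=DNS:HOST, i.e. what sits in keystore.jks under -ksalias
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$3" >"$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# chain_ok TRUST_PEM LEAF_PEM: prints "ok" when LEAF chains to an anchor in
# TRUST_PEM. This is what the JVM's PKIXValidator does in checkServerTrusted;
# "fail" corresponds to "unable to find valid certification path".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# host_ok TRUST_PEM LEAF_PEM HOST: chain check plus hostname verification,
# the step sgadmin skips when -nhnv is given.
host_ok() {
  if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# jks_leaf_pem KEYSTORE STOREPASS ALIAS OUT: export a certificate from a JKS
# (node cert from keystore.jks, or the CA from truststore.jks) so it can be
# fed to chain_ok. Needs keytool from the JDK; not executed in this demo.
jks_leaf_pem() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

make_ca cluster-ca   # CA that actually signed the node certificate
make_ca other-ca     # CA that ended up in the truststore by mistake
make_leaf es-node cluster-ca localhost

# Wrong anchor in the truststore: the handshake fails exactly as in the log.
WRONG=$(chain_ok "$WORK/other-ca.pem" "$WORK/es-node.pem")
# Right anchor: the path builds, but the hostname must match the SAN as well.
RIGHT=$(chain_ok "$WORK/cluster-ca.pem" "$WORK/es-node.pem")
HOST_LOCAL=$(host_ok "$WORK/cluster-ca.pem" "$WORK/es-node.pem" localhost)
HOST_OTHER=$(host_ok "$WORK/cluster-ca.pem" "$WORK/es-node.pem" elasticsearch)

echo "wrong CA in truststore: $WRONG"      # fail
echo "right CA in truststore: $RIGHT"      # ok
echo "hostname localhost:     $HOST_LOCAL" # ok
echo "hostname elasticsearch: $HOST_OTHER" # fail
```

To apply this to the real stores, export the node certificate from keystore.jks and the CA from truststore.jks with the keytool line above (keytool -list -v -keystore truststore.jks -storepass xyz shows what aliases are in there) and run chain_ok on the two files; if that prints fail, the truststore handed to sgadmin is simply missing the issuer of the node's transport certificate. sgadmin uses mutual TLS, so the reverse direction must hold as well: the nodes' truststore has to contain the issuer of the admin certificate in -ks, and that certificate's DN must be listed under searchguard.authcz.admin_dn in elasticsearch.yml. Once chain_ok passes, drop -nhnv and make host_ok pass for the hostname sgadmin actually connects to (localhost here), since -nhnv only hides a hostname mismatch, it does not fix it.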
On 05.07.2017 at 14:49, Oliver Lippert <lippertsweb@gmail.com> wrote:
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/5cd5ddab-3345-4d96-9d14-5b8eda0e4087%40googlegroups.com.