Alias xxxxx does not contain a certificate entry on SG-SSL

Hi,

I am trying to use SG-SSL on ES 5.5.1 on Windows 2008 R2. I am using it only for transport layer security. However, when ES starts I see an error saying “Alias xxxxx does not contain a certificate entry”. I am able to successfully import the certificate on the server and see it under “Trusted Root Certification Authorities/Certificates”. Under intended purposes, I can see Client Authentication, Server Authentication. I can see all the machine names listed as DNS Name under Sub Alternative Name. What else do I need to check on this certificate to ensure that SG-SSL can recognize it as a valid certificate?

Thanks

askids

A small correction. On Windows 2008 R2, I get this error on 5.6.3. On 5.5.1, the same certificate works fine.

On Windows 2012, I get this error for 5.5.1 also. I am using version 5.5.1-23 of SG.

  • Where do you have your certificate, in PEM format or placed in a keystore?

  • Does your keystore contain multiple certificates?

  • Does your keystore contain aliases?

  • Have you configured any aliases in the SG section of elasticsearch.yml?

Also, please post your elasticsearch.yml here.

Hi Jochen,

Please find the requested info below.

  • Where do you have your certificate, in PEM format or placed in a keystore? In a keystore.

  • Does your keystore contain multiple certificates? Yes.

  • Does your keystore contain aliases? Yes.

  • Have you configured any aliases in the SG section of elasticsearch.yml? I have tried it with and without an alias as well. In a couple of lanes, we have a similar setup wherein the keystore contains multiple certificates. Whenever the 1st certificate in the keystore is the correct one and we don't provide an alias, SG-SSL is able to use that certificate for securing the transport layer. But in one lane, the actual certificate in the keystore is the 3rd certificate (based on the list output from keytool). So on this specific server, we tried giving the alias that points to the 3rd certificate, and that is when we get the error “Alias xxxxx does not contain a certificate entry”.

Thanks!

So you should check all entries in the keystore and make sure that you have configured the alias name correctly. You can read more about this in the troubleshooting section in the docs:

http://floragunncom.github.io/search-guard-docs/tls_troubleshooting.html

Use keytool or the KeyStore Explorer to view the exact contents of the keystore, including alias names. For example, keytool outputs something like:

Alias name: node-0

Make sure that you configured this alias name in elasticsearch.yml like:

searchguard.ssl.transport.keystore_alias: node-0
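
The check described in the reply above, as an added example that is not part of the original thread or of Search Guard: it compares the alias set in elasticsearch.yml with the aliases in a `keytool -list -v` listing and, going one step beyond the alias match, reports whether that entry holds a private key. The listing is constructed sample data, the aliases `root-ca` and `signing-ca` and all function names are hypothetical.

```python
import re

# Constructed sample of `keytool -list -v` output, trimmed to the fields used here.
KEYTOOL_OUTPUT = """\
Your keystore contains 3 entries

Alias name: root-ca
Entry type: trustedCertEntry

Alias name: signing-ca
Entry type: trustedCertEntry

Alias name: node-0
Entry type: PrivateKeyEntry
"""

ALIAS_KEY = "searchguard.ssl.transport.keystore_alias"  # setting named in the thread


def keystore_entries(listing):
    """Map each alias in a keytool listing to its entry type."""
    entries, alias = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = None
        elif line.startswith("Entry type:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip()
    return entries


def configured_alias(yml_text):
    """Return the alias set in elasticsearch.yml, or None if it is not set."""
    m = re.search(r"^\s*" + re.escape(ALIAS_KEY) + r"\s*:\s*(\S+)", yml_text, re.M)
    return m.group(1).strip("'\"") if m else None


def check_alias(listing, yml_text):
    """Describe how the configured alias relates to the keystore contents."""
    entries = keystore_entries(listing)
    alias = configured_alias(yml_text)
    if alias is None:
        return "no alias configured; keystore holds: " + ", ".join(entries)
    if alias not in entries:
        return "alias '%s' not in keystore; found: %s" % (alias, ", ".join(entries))
    if entries[alias] != "PrivateKeyEntry":
        return "alias '%s' is a %s, which has no private key" % (alias, entries[alias])
    return "alias '%s' is a PrivateKeyEntry" % alias
```

A `trustedCertEntry` holds only a certificate, so it can serve as a trust anchor but not as the node's own TLS identity, which needs the private key and chain of a `PrivateKeyEntry`.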
