Four little questions that bother me.
- Does the
the exact subject line for the admin cert or only the parts I defined?
For example, if I define this in my config file:
Will I be able to run sgadmin with a cert whose
Subject: line is
CN=admin,O=Corp,L=Somewhere,C=FR, or must it exactly match what I’ve written
inside my config file?
- When using PEM files, does the
pemcert_filepath need to contain the full
certificate chain or just the node cert? Same thing when using sgadmin and the
- What exactly should the
pemtrustedcas_filepath file contain? To me, it
appears that it should be the CA chain certs (intermediate cert followed by
root cert, for instance). Am I right?
- Currently, I’m getting:
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
error when a peer node or sgadmin tries to connect to an ES node, and the
[2017-10-05T10:13:41,963][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [es-5] SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
Could such an error be caused by misconfigured certificates (not matching
searchguard.nodes_dn for instance) or by the certificates themselves
being malformed (which goes way beyond the scope of this question, which is why I
don’t provide that many details)?
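
The ValidatorException in the log above is raised by the JVM when a certificate presented as a TLS client certificate carries an Extended Key Usage extension that lists neither clientAuth nor anyExtendedKeyUsage. As an added example (not part of the original post), this script checks that condition with openssl on two self-signed certificates it generates itself; the file names, the subject DN and the helper functions has_client_auth and make_cert are constructed for the illustration, and OpenSSL 1.1.1 or later is assumed for -addext.

```bash
# Added example, not from the original post. File names and the subject DN are constructed.

# has_client_auth CERT.pem
# Exit 0 if the certificate's Extended Key Usage (EKU) permits TLS client
# authentication: no EKU extension at all, clientAuth, or anyExtendedKeyUsage.
has_client_auth() {
  local text
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
  if ! printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage'; then
    return 0   # no EKU extension: usage is not restricted
  fi
  # The purposes are printed on the line after the extension name.
  printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
    grep -Eq 'TLS Web Client Authentication|Any Extended Key Usage'
}

# make_cert OUT_PREFIX EKU_LIST
# Writes OUT_PREFIX.key and OUT_PREFIX.pem: a throwaway self-signed test cert.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo-node/O=Example/C=FR" \
    -addext "extendedKeyUsage=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# One cert usable only as a TLS server, one usable as server and client.
make_cert "$workdir/server-only" "serverAuth"
make_cert "$workdir/node" "serverAuth,clientAuth"

for cert in "$workdir/server-only.pem" "$workdir/node.pem"; do
  if has_client_auth "$cert"; then
    echo "$(basename "$cert"): EKU permits TLS client authentication"
  else
    echo "$(basename "$cert"): EKU does NOT permit TLS client authentication"
  fi
done
```

Running has_client_auth against the actual node and admin certificates shows whether they would pass the same EKU check.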