When asking questions, please provide the following information:
- Search Guard and Elasticsearch version
- Used enterprise modules, if any
- JVM version and operating system version
- Search Guard configuration files
- Elasticsearch log messages on debug level

Hello,
Four little questions that bother me.
- Does the `searchguard.authcz.admin_dn` key in `elasticsearch.yml` await the exact subject line for the admin cert or only the parts I defined?
  For example, if I define this in my config file:
  ```
  searchguard.authcz.admin_dn:
    - CN=admin,C=FR
  ```
  Will I be able to run sgadmin with a cert whose `Subject:` line is `CN=admin,O=Corp,L=Somewhere,C=FR`, or must it exactly match what I’ve written inside my config file?
- When using PEM files, must the `pemcert_filepath` contain the full certificate chain or just the node cert? Same thing when using sgadmin and the admin cert?
- What exactly should the `pemtrustedcas_filepath` file contain? To me, it appears that it should be the CA chain certs (intermediate cert followed by root cert, for instance). Am I right?
- Currently, I’m getting:
  ```
  javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
  ```
  error when a peer node or sgadmin tries to connect to an ES node, and the latter gets:
  ```
  [2017-10-05T10:13:41,963][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [es-5] SSL Problem General SSLEngine problem
  javax.net.ssl.SSLHandshakeException: General SSLEngine problem
  …
  Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
  …
  Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
  …
  ```
  Could such an error be caused by misconfigured certificates (not matching `searchguard.nodes_dn` for instance) or by the certificates themselves being malformed (which goes way beyond the scope of this question, which is why I don’t provide that many details)?
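
The `ValidatorException` in the log above is raised when the certificate presented by the connecting side carries an Extended Key Usage extension that does not include `clientAuth`. The script below is an added example, not part of the original post: it reports which TLS roles a PEM certificate's EKU allows. The function names `eku_roles` and `make_sample` are hypothetical, the sample certificates are constructed throwaway ones, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example: check which TLS roles a certificate's Extended Key Usage permits.
# Assumes OpenSSL >= 1.1.1 (-addext is only needed to build the constructed samples).

# eku_roles CERT.pem
# Prints "client", "server", "client server", "none",
# or "unrestricted" when the certificate has no EKU extension at all.
eku_roles() {
  _text=$(openssl x509 -in "$1" -noout -text) || return 2
  # OpenSSL prints the EKU values on the line after the extension header.
  _eku=$(printf '%s\n' "$_text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1) || true
  if [ -z "$_eku" ]; then
    echo "unrestricted"
    return 0
  fi
  _roles=""
  case "$_eku" in
    *"Any Extended Key Usage"*) echo "client server"; return 0 ;;
  esac
  case "$_eku" in
    *"TLS Web Client Authentication"*) _roles="client" ;;
  esac
  case "$_eku" in
    *"TLS Web Server Authentication"*) _roles="${_roles:+$_roles }server" ;;
  esac
  echo "${_roles:-none}"
}

# make_sample OUT.pem [EKU_VALUE]
# Builds a constructed, self-signed test certificate; the private key is discarded.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=es-sample" \
    -keyout /dev/null -out "$1" ${2:+-addext "extendedKeyUsage=$2"} 2>/dev/null
}

# Demo on constructed certificates: a server-only cert would be rejected
# when presented by the connecting side, as in the log above.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/server-only.pem" serverAuth
make_sample "$demo_dir/node.pem" serverAuth,clientAuth
for cert in "$demo_dir"/*.pem; do
  printf '%s: %s\n' "${cert##*/}" "$(eku_roles "$cert")"
done
rm -rf "$demo_dir"
```

Run `eku_roles` against the node and admin certificates in use; any certificate that is presented by the connecting side and does not report `client` (or `unrestricted`) will fail the handshake with the error shown.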