authcz and certificate_unknown

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version
  • Used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level

Hello,

Four little questions that bother me.

  1. Does the searchguard.authcz.admin_dn key in elasticsearch.yml expect the exact subject line of the admin cert, or only the parts I defined?

For example, if I define this in my config file:

```yaml
searchguard.authcz.admin_dn:
  - CN=admin,C=FR
```

Will I be able to run sgadmin with a cert whose Subject: line is CN=admin,O=Corp,L=Somewhere,C=FR, or must it exactly match what I’ve written inside my config file?

  2. When using PEM files, must pemcert_filepath contain the full certificate chain or just the node cert? Same thing when using sgadmin and the admin cert?

  3. What exactly should the pemtrustedcas_filepath file contain? To me, it appears that it should be the CA chain certs (intermediate cert followed by root cert, for instance). Am I right?

  4. Currently, I’m getting:

```
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
```

error when a peer node or sgadmin tries to connect to an ES node, and the latter gets:

```
[2017-10-05T10:13:41,963][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [es-5] SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
```

Could such an error be caused by misconfigured certificates (not matching searchguard.nodes_dn for instance) or by the certificates themselves being malformed (which goes way beyond the scope of this question, which is why I don’t provide many details)?

  1. Does the searchguard.authcz.admin_dn key in elasticsearch.yml expect the exact subject line of the admin cert, or only the parts I defined?

For security reasons, it expects the exact DN. Wildcards or regular expressions are not supported for specifying admin DNs. So, if your DN is “CN=admin,O=Corp,L=Somewhere,C=FR”, then specifying “CN=admin,C=FR” only will not work.

  2. When using PEM files, must pemcert_filepath contain the full certificate chain or just the node cert? Same thing when using sgadmin and the admin cert?

  3. What exactly should the pemtrustedcas_filepath file contain? To me, it appears that it should be the CA chain certs (intermediate cert followed by root cert, for instance). Am I right?

Think of it like a regular webserver / browser setup. The server (in this case SG/ES) needs the leaf/node certificate and all intermediate certificates. The browser only needs the Root CA. So, the pemcert_filepath contains the node certificate and the intermediate ones, while the pemtrustedcas_filepath contains the Root CA. The pemkey_filepath and pemkey_password contain the path and password to the private key of your node certificate.

  4. Extended key usage does not permit use for TLS client authentication

This usually means that your node certificate does not contain the correct entries for the Extended Key Usage (EKU). A node certificate has to have clientAuth and serverAuth set. The reason is that a node acts as a server (when another node is querying it), and also as a client (when the node itself queries another node).

For troubleshooting TLS, you can also check this chapter of the docs:
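The three answers above (exact admin DN, leaf plus intermediates in pemcert_filepath with only the Root CA in pemtrustedcas_filepath, and serverAuth plus clientAuth in the node cert's EKU) can all be checked against real files with the openssl CLI before sgadmin or a node ever tries to connect. The script below is an added example, not from this thread or from the Search Guard project: it builds a throwaway root CA, intermediate CA, two node certificates (one with both EKUs, one with serverAuth only) and an admin certificate, all with constructed names and DNs, then runs the checks a node would effectively perform. It assumes only an openssl binary (1.1.1 or newer) on PATH; Search Guard itself is not involved, and the file names node-chain.pem / trusted-cas.pem are just stand-ins for whatever pemcert_filepath and pemtrustedcas_filepath point at.

```shell
#!/bin/sh
# Added example (not from the thread or the Search Guard project): a constructed
# root -> intermediate -> leaf PKI, used to check chain files, EKU and admin DN.
set -eu
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles. The node profile is the one the answer calls for:
# both serverAuth (other nodes connect to me) and clientAuth (I connect to them).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\n' > node.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > server-only.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > admin.ext

# issue_cert NAME SUBJECT EXTFILE [ISSUER] -> NAME.key and NAME.pem
# Without ISSUER the certificate is self-signed (our constructed root CA).
issue_cert() {
  name=$1; subject=$2; extfile=$3; issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
    -subj "$subject" -out "$name.csr" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
      -extfile "$extfile" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -CAcreateserial -days 1 -extfile "$extfile" -out "$name.pem" >/dev/null 2>&1
  fi
}

build_test_pki() {
  issue_cert root    "/CN=Example Root CA"                 ca.ext
  issue_cert inter   "/CN=Example Intermediate CA"         ca.ext          root
  issue_cert node    "/CN=es-node-1/C=FR"                  node.ext        inter
  issue_cert badnode "/CN=es-node-2/C=FR"                  server-only.ext inter
  issue_cert admin   "/C=FR/L=Somewhere/O=Corp/CN=admin"   admin.ext       inter
  # What the answer says goes where: leaf + intermediates on the node side,
  # Root CA alone on the trust side.
  cat node.pem inter.pem > node-chain.pem
  cp root.pem trusted-cas.pem
}

# chain_ok CERT CAFILE [UNTRUSTED] -> "yes"/"no" on stdout (always exits 0, so it is
# safe under set -e). UNTRUSTED plays the role of the intermediates in pemcert_filepath.
chain_ok() {
  cert=$1; cafile=$2; untrusted=${3:-}
  set -- -CAfile "$cafile"
  [ -n "$untrusted" ] && set -- "$@" -untrusted "$untrusted"
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# purpose_ok CERT sslserver|sslclient -> "yes"/"no". OpenSSL's purpose check includes
# the EKU test behind "Extended key usage does not permit use for TLS client authentication".
purpose_ok() {
  if openssl verify -purpose "$2" -CAfile root.pem -untrusted inter.pem "$1" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

# eku_has CERT "TLS Web Client Authentication" -> "yes"/"no", read from the EKU extension
eku_has() {
  if openssl x509 -noout -text -in "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"
  then echo yes; else echo no; fi
}

# cert_dn CERT -> subject in RFC 2253 form, the notation admin_dn entries use
cert_dn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# admin_dn_accepted CERT CONFIGURED_DN -> "yes" only on an exact match, mirroring the
# rule above: no wildcards, no partial DNs.
admin_dn_accepted() {
  if [ "$(cert_dn "$1")" = "$2" ]; then echo yes; else echo no; fi
}

build_test_pki
echo "node chain, intermediate supplied:         $(chain_ok node.pem trusted-cas.pem inter.pem)"  # yes
echo "node chain, intermediate missing:          $(chain_ok node.pem trusted-cas.pem)"            # no
echo "node cert usable as TLS server:            $(purpose_ok node.pem sslserver)"                # yes
echo "node cert usable as TLS client:            $(purpose_ok node.pem sslclient)"                # yes
echo "serverAuth-only cert usable as TLS client: $(purpose_ok badnode.pem sslclient)"             # no
echo "admin cert DN:                             $(cert_dn admin.pem)"
echo "admin_dn CN=admin,C=FR accepted:           $(admin_dn_accepted admin.pem 'CN=admin,C=FR')"  # no
echo "admin_dn full DN accepted:                 $(admin_dn_accepted admin.pem 'CN=admin,O=Corp,L=Somewhere,C=FR')"  # yes
```

The serverAuth-only certificate fails the sslclient purpose check for the same reason the ES log reports (no clientAuth in its EKU), while the certificate carrying both EKUs passes as server and as client. The chain check fails as soon as the intermediate is left out of the untrusted bundle, which is the file-content question: the intermediate belongs next to the node cert, not in the trusted-CA file. For the admin DN, `openssl x509 -subject -nameopt RFC2253` prints the cert's subject in the same form the admin_dn entry must use, so the comparison is a plain string equality.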


On Thursday, October 5, 2017 at 12:42:24 PM UTC+2, PL D wrote:
