[c.f.s.a.r.AuthenticatingRestFilter] [node1] Not yet initialized (you may need to run sgctl)

ElasticSearch Version: elasticsearch-8.6.2-1.x86_64
Logstash Version: logstash-oss-8.6.2-1.x86_64
Kibana Version: kibana-8.6.2-1.x86_64
Searchguard Version:

  • search-guard-flx-elasticsearch-plugin-1.1.1-es-8.6.2.zip
  • search-guard-flx-kibana-plugin-1.1.0-es-8.6.2.zip

OS: Red Hat Enterprise Linux release 8.4 (Ootpa)

Issue:
I’m trying to install searchguard from the steps listed here

In the “Initializing Searchguard” steps, I go to the Using sgctl | Security for Elasticsearch | Search Guard and then click “Basic Usage”

I’m currently on the “Connection Settings” step and trying to run the connect
sh sgctl-1.1.0.sh connect elasticsearch.myhost.com --cert /etc/kibana/server.crt --key /etc/kibana/server.key --ca-cert /etc/kibana/root.crt --insecure -c node1 --debug

Search Guard not initialized (SG11). See Basic Usage | Security for Elasticsearch | Search Guard
Server is unavailable: Service Unavailable
com.floragunn.searchguard.sgctl.SgctlException: Server is unavailable: Service Unavailable
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:131)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:37)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:29)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at com.floragunn.searchguard.sgctl.SgctlTool.exec(SgctlTool.java:63)
at com.floragunn.searchguard.sgctl.SgctlTool.main(SgctlTool.java:58)
Caused by: com.floragunn.searchguard.sgctl.client.ServiceUnavailableException: Service Unavailable
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.checkStatus(SearchGuardRestClient.java:421)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.parseResponseBy(SearchGuardRestClient.java:396)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient.authInfo(SearchGuardRestClient.java:84)
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:119)

The steps say at this point I should be connected to the service, but I keep getting the above error message.

The elasticsearch-cluster.log prints out the message
[ERROR][c.f.s.a.r.AuthenticatingRestFilter] [node1] Not yet initialized (you may need to run sgctl)

elasticsearch.yml (with the hostname changed and the comments removed)
cluster.name: elastic-cluster
node.name: node1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: elasticsearch.myhost.com
http.port: 9200

xpack.security.enabled: false
ingest.geoip.downloader.enabled: false
discovery.type: single-node
search.max_buckets: 20000000

searchguard.disabled: false

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.pemkey_filepath: server.key
searchguard.ssl.transport.pemcert_filepath: server.crt
searchguard.ssl.transport.pemtrustedcas_filepath: root.crt
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemkey_filepath: server.key
searchguard.ssl.http.pemcert_filepath: server.crt
searchguard.ssl.http.pemtrustedcas_filepath: root.crt

searchguard.authcz.admin_dn:
  - "CN=*.myhost.com,OU=Domain Control Validated"
searchguard.nodes_dn:
  - "CN=*.myhost.com"
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]

Does anyone know what I missed when trying to initialize SearchGuard?
Thanks for your help

Hello!

/etc/kibana/server.crt sounds a bit weird for two reasons:

  • The path mentions kibana. However, we are connecting here to the underlying Elasticsearch
  • You need to use a so-called admin client certificate. This is not just any client certificate, but it must be specially recognized. One way of doing so is to configure the DNs of all admin certificates in elasticsearch.yml. You also posted this snippet:
searchguard.authcz.admin_dn:
  - "CN=*.myhost.com,OU=Domain Control Validated"

Note that this is not a valid configuration, as the admin_dn setting does not allow wildcards. See the docs here:

Thanks for your help!

The /etc/kibana and /etc/elasticsearch are duplicates of each other so I was using the same one.

I’ll try finding a different cert though that doesn’t use the wildcard for the admin. I’ll let you know how it goes.

Out of curiosity though, did SearchGuard 7 (with ELK7) used to use wildcard admin certs? I used to have an ELK7 system that had the above settings for admin_dn and it seemed to work.

I tried to use the demo certificates from the zip in this link

and put them into /etc/elasticsearch/config folder. Then I changed my elasticsearch.yml to this

cluster.name: elastic-cluster

node.name: node1

path.data: /data/elasticsearch

path.logs: /var/log/elasticsearch

network.host: localhost

http.port: 9200

xpack.security.enabled: false
ingest.geoip.downloader.enabled: false
discovery.type: single-node
search.max_buckets: 20000000

searchguard.disabled: false

searchguard.enterprise_modules_enabled: false

searchguard.ssl.transport.pemkey_filepath: config/esnode.pem
searchguard.ssl.transport.pemcert_filepath: config/esnode-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: config/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemkey_filepath: config/esnode.pem
searchguard.ssl.http.pemcert_filepath: config/esnode-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: config/root-ca.pem
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true

searchguard.authcz.admin_dn:
  - "CN=kirk,OU=client,O=client,L=test,C=de"
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]

However, now elasticsearch is showing an error that says
Caused by: java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806) ~[?:?]
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:183) ~[?:?]
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:481) ~[?:?]
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:366) ~[?:?]
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478) ~[?:?]
at com.floragunn.searchguard.support.PemKeyReader.loadCertificatesFromFile(PemKeyReader.java:196) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:340) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:222) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:143) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:219) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:256) ~[?:?]
at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:67) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:484) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:609) ~[elasticsearch-8.6.2.jar:?]
… 9 more

I made sure the certs were owned by elasticsearch.elasticsearch user and ran dos2unix just in case.

Am I doing something wrong with the demo certs?

Another question I have is that after I resolve the cert issue what sgctl command can I run to initialize everything?

The demo link says to run

./sgctl.sh update-config ...

but the previous links were saying to run

./sgctl.sh connect ...

Can you give a bit more log context for the exceptions? Is a file or configuration key managed?

Initially, you have to execute sgctl connect once in order to create its connection profile. Afterwards, you can use the other commands.

The full stacktrace when using the demo certificates is the following. I get this stacktrace when starting up the elasticsearch service.

[2023-04-20T09:05:15,191][INFO ][o.e.n.Node ] [node1] JVM home [/usr/share/elasticsearch/jdk], using bundled JDK [true]
[2023-04-20T09:05:15,192][INFO ][o.e.n.Node ] [node1] JVM arguments [-Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -Djava.security.manager=allow, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Dlog4j2.formatMsgNoLookups=true, -Djava.locale.providers=SPI,COMPAT, --add-opens=java.base/java.io=ALL-UNNAMED, -XX:+UseG1GC, -Djava.io.tmpdir=/var/log/elasticsearch, -XX:+HeapDumpOnOutOfMemoryError, -XX:+ExitOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djna.tmpdir=/var/lib/elasticsearch/tmp, -Xms7861m, -Xmx7861m, -XX:MaxDirectMemorySize=4123000832, -XX:G1HeapRegionSize=4m, -XX:InitiatingHeapOccupancyPercent=30, -XX:G1ReservePercent=15, -Des.distribution.type=rpm, --module-path=/usr/share/elasticsearch/lib, --add-modules=jdk.net, -Djdk.module.main=org.elasticsearch.server]
[2023-04-20T09:05:16,682][INFO ][c.a.c.i.j.JacksonVersion ] [node1] Package versions: jackson-annotations=2.13.2, jackson-core=2.13.2, jackson-databind=2.13.2.2, jackson-dataformat-xml=2.13.2, jackson-datatype-jsr310=2.13.2, azure-core=1.27.0, Troubleshooting version conflicts: https://aka.ms/azsdk/java/dependency/troubleshoot
[2023-04-20T09:05:18,044][INFO ][c.f.s.SearchGuardPlugin ] [node1] ES Config path is /etc/elasticsearch
[2023-04-20T09:05:18,140][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [node1] JVM supports TLSv1.3
[2023-04-20T09:05:18,143][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] [node1] Config directory is /etc/elasticsearch/, from there the key- and truststore files are resolved relatively
[2023-04-20T09:05:18,261][ERROR][o.e.b.Elasticsearch ] [node1] fatal exception while booting Elasticsearch
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:618) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:493) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:290) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:159) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.plugins.PluginsService.lambda$getPluginsServiceCtor$14(PluginsService.java:645) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.node.Node.<init>(Node.java:415) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.node.Node.<init>(Node.java:322) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch$2.<init>(Elasticsearch.java:214) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.initPhase3(Elasticsearch.java:214) ~[elasticsearch-8.6.2.jar:?]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:67) ~[elasticsearch-8.6.2.jar:?]
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:79) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:484) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:609) ~[elasticsearch-8.6.2.jar:?]
… 9 more
Caused by: org.elasticsearch.ElasticsearchSecurityException: Error while initializing transport SSL layer from PEM: java.security.cert.CertificateParsingException: signed fields invalid
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:367) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:222) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:143) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:219) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:256) ~[?:?]
at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:67) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:484) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:609) ~[elasticsearch-8.6.2.jar:?]
… 9 more
Caused by: java.security.cert.CertificateParsingException: signed fields invalid
at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1806) ~[?:?]
at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:183) ~[?:?]
at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:481) ~[?:?]
at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:366) ~[?:?]
at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:478) ~[?:?]
at com.floragunn.searchguard.support.PemKeyReader.loadCertificatesFromFile(PemKeyReader.java:196) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initTransportSSLConfig(DefaultSearchGuardKeyStore.java:340) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:222) ~[?:?]
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:143) ~[?:?]
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:219) ~[?:?]
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:256) ~[?:?]
at jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:67) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:484) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:609) ~[elasticsearch-8.6.2.jar:?]
… 9 more

When I tried using my own certs (the ones with the wildcard), I don’t get this error, but then I get the error with the wildcard. For now, I’m going to either generate a new non wildcard cert just for admin usage or see if I can find a different cert (although I’m still curious about the demo certs).

I’m not sure what “file or configuration key managed” means. What information can I give to help determine this?

Thanks!

You have flipped the file types in both cases here. The esnode-key.pem file needs to be specified for pemkey_filepath and the esnode.pem needs to be specified for pemcert_filepath.

Thanks! After switching those values I am able to get the demo certificates to work. I was able to run the sgctl connect and the sgctl update-config (though I wasn’t able to load the default sg_frontend_multi_tenancy.yml file. I just removed it for now). I can continue setting up the rest of ELK now.

Once I am able to get the new non-demo certificates without wildcards I will try with those. Thanks for your help again!

Finally got back to this. I’m trying to use custom certificates that we were using for an installation of ELK/SG7, but I’m still getting the same error as I was before using the demo certs on ELK8.6.2. This is a different system than the one I was using earlier, so there are no saved connection settings with the demo certs.

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false

ingest.geoip.downloader.enabled: false
discovery.type: single-node
search.max_buckets: 20000000

searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: NONE

searchguard.ssl.http.keystore_alias: myalias
searchguard.ssl.http.keystore_password: mypass
searchguard.ssl.http.truststore_password: mypass
searchguard.ssl.http.keystore_filepath: mykeystore.keystore
searchguard.ssl.http.truststore_filepath: mytruststore.truststore

searchguard.ssl.transport.keystore_alias: myalias
searchguard.ssl.transport.keystore_password: mypass
searchguard.ssl.transport.truststore_password: mypass
searchguard.ssl.transport.keystore_filepath: mykeystore.keystore
searchguard.ssl.transport.truststore_filepath: mytruststore.truststore

searchguard.authcz.admin_dn:
  - "emailAddress=my.email@thecompany.com,CN=client,OU=myclient,O=mycompany,L=MyCity,ST=California,C=US"
searchguard.nodes_dn:
  - "CN=thecn,O=mycompany,L=MyCity,ST=California,C=US"
searchguard.restapi.roles_enabled: ["sgs_all_access"]

The subject of the client.us.cer matches the searchguard.authcz.admin_dn
openssl x509 -in client.us.cer -text -noout -text -subject -nameopt RFC2253 | grep subject
subject= emailAddress=my.email@thecompany.com,CN=client,OU=myclient,O=mycompany,L=MyCity,ST=California,C=US

Note: The values of the subject of the client.us.cer and the searchguard.authcz.admin_dn match, but I had to change them to post this for sensitive data.

The prod-ca.pem is root + intermediate cert.

The command I am trying to run is
sh sgctl-1.1.0.sh connect --cert client.us.cer --key client.us.nopass.key -h elasticsearch.myhost.us --ca-cert prod-ca.pem --debug

When running the above I get the same error
Server is unavailable: Service Unavailable
com.floragunn.searchguard.sgctl.SgctlException: Server is unavailable: Service Unavailable
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:131)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:37)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:29)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at com.floragunn.searchguard.sgctl.SgctlTool.exec(SgctlTool.java:63)
at com.floragunn.searchguard.sgctl.SgctlTool.main(SgctlTool.java:58)
Caused by: com.floragunn.searchguard.sgctl.client.ServiceUnavailableException: Service Unavailable
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.checkStatus(SearchGuardRestClient.java:421)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.parseResponseBy(SearchGuardRestClient.java:396)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient.authInfo(SearchGuardRestClient.java:84)
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:119)
… 11 more

and the elasticsearch only prints out the message
[2023-05-04T11:05:12,704][ERROR][c.f.s.a.r.AuthenticatingRestFilter] [myhost] Not yet initialized (you may need to run sgctl)

We made some more changes for the elasticsearch.yml

cluster.name: elastic-cluster
node.name: node-1
path.data: /data/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: false
xpack.security.autoconfiguration.enabled: false
ingest.geoip.downloader.enabled: false
discovery.type: single-node
search.max_buckets: 20000000
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: NONE
searchguard.ssl.http.keystore_alias: myalias
searchguard.ssl.http.keystore_password: mypass
searchguard.ssl.http.truststore_password: mypass
searchguard.ssl.http.keystore_filepath: mykeystore.keystore
searchguard.ssl.http.truststore_filepath: mytruststore.truststore
searchguard.ssl.transport.keystore_alias: myalias
searchguard.ssl.transport.keystore_password: mypass
searchguard.ssl.transport.truststore_password: mypass
searchguard.ssl.transport.keystore_filepath: mykeystore.keystore
searchguard.ssl.transport.truststore_filepath: mytruststore.truststore
searchguard.allow_default_init_sgindex: true
searchguard.authcz.admin_dn:
  - "emailAddress=my.email@thecompany.com,CN=client,OU=myclient,O=mycompany,L=MyCity,ST=California,C=US"
searchguard.nodes_dn:
  - "CN=thecn,O=mycompany,L=MyCity,ST=California,C=US"
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]

and now we are getting this issue

HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Unauthorized

Server rejected request as unauthorized. Please check the client certificate.
com.floragunn.searchguard.sgctl.SgctlException: Server rejected request as unauthorized. Please check the client certificate.
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:133)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:37)
at com.floragunn.searchguard.sgctl.commands.Connect.call(Connect.java:29)
at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
at picocli.CommandLine.access$1300(CommandLine.java:145)
at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2352)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2346)
at picocli.CommandLine$RunLast.handle(CommandLine.java:2311)
at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
at picocli.CommandLine.execute(CommandLine.java:2078)
at com.floragunn.searchguard.sgctl.SgctlTool.exec(SgctlTool.java:63)
at com.floragunn.searchguard.sgctl.SgctlTool.main(SgctlTool.java:58)
Caused by: com.floragunn.searchguard.sgctl.client.UnauthorizedException: Unauthorized
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.checkStatus(SearchGuardRestClient.java:429)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient$Response.parseResponseBy(SearchGuardRestClient.java:396)
at com.floragunn.searchguard.sgctl.client.SearchGuardRestClient.authInfo(SearchGuardRestClient.java:84)
at com.floragunn.searchguard.sgctl.commands.ConnectingCommand.getClient(ConnectingCommand.java:119)

and the elastic log prints out
Authentication failed for admin from [request=/, directIpAddress=, originatingIpAddress=, clientCertSubject=null]

The issue was that I needed to change the following in elasticsearch.yml

searchguard.ssl.http.clientauth_mode: OPTIONAL
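
Added example (not part of the original thread and not Search Guard code): a small Python pre-flight check for the three misconfigurations this thread ran into, namely a wildcard in admin_dn, swapped pemkey_filepath/pemcert_filepath, and clientauth_mode NONE while an admin certificate is expected. It assumes the flat dotted-key elasticsearch.yml layout shown above and PEM files only (keystores are not inspected); the sample config and PEM stubs are constructed.

```python
import re

PEM_HEADER = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")

def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' / '- item' layout used in this thread.
    Assumption: no nested mappings; every value is stored as a list of strings."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            settings[current].append(line[2:].strip().strip("\"'"))
            continue
        key, _, value = line.partition(":")
        current, value = key.strip(), value.strip()
        if value.startswith("["):
            items = value.strip("[]").split(",")
        else:
            items = [value] if value else []
        settings[current] = [v.strip().strip("\"'") for v in items]
    return settings

def pem_kind(text):
    """Classify a PEM file by its first BEGIN header."""
    m = PEM_HEADER.search(text or "")
    if not m:
        return "non-PEM file"
    return "private key" if "PRIVATE KEY" in m.group(1) else m.group(1).lower()

def lint(settings, read_file):
    """read_file(path) returns the file's text; in real use, resolve paths
    relative to the Elasticsearch config directory."""
    findings = []
    admin_dns = settings.get("searchguard.authcz.admin_dn", [])
    for dn in admin_dns:
        if "*" in dn:  # admin_dn entries must be exact DNs
            findings.append(f"admin_dn '{dn}': wildcards are not allowed")
    for layer in ("transport", "http"):
        for option, expected in (("pemkey_filepath", "private key"),
                                 ("pemcert_filepath", "certificate")):
            name = f"searchguard.ssl.{layer}.{option}"
            for path in settings.get(name, []):
                kind = pem_kind(read_file(path))
                if kind != expected:
                    findings.append(f"{name}: {path} is a {kind}, expected a {expected}")
    mode = (settings.get("searchguard.ssl.http.clientauth_mode") or [""])[0]
    if mode.upper() == "NONE" and admin_dns:
        findings.append("clientauth_mode NONE: the HTTP layer never requests the "
                        "admin client certificate (clientCertSubject=null)")
    return findings

# Constructed sample input: header-only PEM stubs, no real key material.
FILES = {
    "config/esnode.pem": "-----BEGIN CERTIFICATE-----\n(stub)\n-----END CERTIFICATE-----",
    "config/esnode-key.pem": "-----BEGIN PRIVATE KEY-----\n(stub)\n-----END PRIVATE KEY-----",
}
BROKEN_YML = """
searchguard.ssl.transport.pemkey_filepath: config/esnode.pem
searchguard.ssl.transport.pemcert_filepath: config/esnode-key.pem
searchguard.ssl.http.enabled: true
searchguard.ssl.http.clientauth_mode: NONE
searchguard.authcz.admin_dn:
  - "CN=*.myhost.com,OU=Domain Control Validated"
  - "CN=kirk,OU=client,O=client,L=test,C=de"
"""

if __name__ == "__main__":
    for finding in lint(parse_flat_yaml(BROKEN_YML), FILES.get):
        print("FINDING:", finding)
```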
