Cannot upload data to ElasticSearch after installing Search Guard

jatin · April 4, 2019, 5:05am

Hi All,

Before installing Search Guard I use to upload data to Elasticsearch using ExcelasticCheck here

And it worked perfectly fine. This helped me to avoid using logstash which is heavy.

After installing Search Guard I changed Excelastic config which have feature to add TLS username password in case we want to upload data with tls security. THis is its config file details:-

{
“web_port”: 7777,
“elastic_port”: 9200,
“elastic_host”: “localhost”,
“elastic_tls”: true,
“authentication”: true,
“basic”: “admin:admin”
}

Search Guard has been configured according to their documentation with demo certificates.

These are the log details of ElasticSearch.

[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
	at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
	at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]

These are the log details of Excelastic :-

>     Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
>     SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
>     Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
>     undException
>     WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
>      pipeline. It usually means the last handler in the pipeline did not handle the
>     exception.
>     io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
>     neral SSLEngine problem
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:459)
>             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
>     Decoder.java:265)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
>     ctChannelHandlerContext.java:340)
>             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
>     ltChannelPipeline.java:1359)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
>     lPipeline.java:935)
>             at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
>     ctNioByteChannel.java:141)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
>     a:645)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
>     ntLoop.java:580)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
>     va:497)
>             at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
>             at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
>     EventExecutor.java:886)
>             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
>     unnable.java:30)
>             at java.lang.Thread.run(Unknown Source)
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>             at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>             at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
>     a:292)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
>             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
>     159)
>             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
>             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
>     ction(ByteToMessageDecoder.java:489)
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:428)
>             ... 16 more
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>             at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>             at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
>     8)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
>             ... 20 more
>     Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
>      sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
>     d certification path to requested target
>             at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>             at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>             at sun.security.validator.Validator.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
>     ce)
>             ... 29 more
>     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
>      find valid certification path to requested target
>             at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
>     e)
>             at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
>      Source)
>             at java.security.cert.CertPathBuilder.build(Unknown Source)
>             ... 35 more

It seems I have to add certificates for Excelastic but how and where?
Can anyone suggest how to solve this issue?

If not what are other possible options to upload data to current index in elasticsearch in easy manner?

jkressin · April 4, 2019, 7:09pm

Well, I do not know Excelastic at all, but judging from the stack trace I guess the problem is that

you are using self-signed certificates on Elasticsearch (maybe the demo certificates?)
Excelastic is not able to validate the certificates since they are self-signed

So you would need to find a way to either

provide Excelastic with the root-ca that you use on Elasticsearch or
disable certificate validation on Excelastic

Using self-signed certificates is a common use-case for companies running their own PKI, but I guess you would need to ask that question on the Excelastic forum / GitHub / …

Let me know if there any more questions!

jatin · April 9, 2019, 10:48am

For those troubled with similar issue.
Please check my answer here

system · April 30, 2019, 10:48am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL Connection Problem between Logstash and ElasticSearch with SearchGuard Search Guard	5	690	March 16, 2018
Configured demo intsallation search guard .but there is ssl exception Search Guard	3	467	May 29, 2019
Cannot use SHA512 certificate with Searchguard Search Guard	3	1669	October 25, 2018
SSLHandshakeException certificate_unknown Search Guard	3	841	April 14, 2020
Logstash can't connect to logstash Search Guard	3	956	April 19, 2018

Cannot upload data to ElasticSearch after installing Search Guard

Related Topics