Cannot upload data to ElasticSearch after installing Search Guard

#1

Hi All,

Before installing Search Guard I use to upload data to Elasticsearch using ExcelasticCheck here

And it worked perfectly fine. This helped me to avoid using logstash which is heavy.

After installing Search Guard I changed Excelastic config which have feature to add TLS username password in case we want to upload data with tls security. THis is its config file details:-

{
“web_port”: 7777,
“elastic_port”: 9200,
“elastic_host”: “localhost”,
“elastic_tls”: true,
“authentication”: true,
“basic”: “admin:admin”
}

Search Guard has been configured according to their documentation with demo certificates.

These are the log details of ElasticSearch.

[2019-04-04T10:14:30,602][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [OCMpWyk] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
	at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
	at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_74]
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
	at java.lang.Thread.run(Unknown Source) [?:1.8.0_74]

These are the log details of Excelastic :-

>     Apr 04, 2019 10:14:30 AM io.vertx.core.http.impl.HttpClientRequestImpl
>     SEVERE: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
>     Apr 04, 2019 10:14:30 AM io.netty.channel.DefaultChannelPipeline onUnhandledInbo
>     undException
>     WARNING: An exceptionCaught() event was fired, and it reached at the tail of the
>      pipeline. It usually means the last handler in the pipeline did not handle the
>     exception.
>     io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Ge
>     neral SSLEngine problem
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:459)
>             at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessage
>     Decoder.java:265)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(Abstra
>     ctChannelHandlerContext.java:340)
>             at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(Defau
>     ltChannelPipeline.java:1359)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:362)
>             at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(Abst
>     ractChannelHandlerContext.java:348)
>             at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChanne
>     lPipeline.java:935)
>             at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(Abstra
>     ctNioByteChannel.java:141)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.jav
>     a:645)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEve
>     ntLoop.java:580)
>             at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.ja
>     va:497)
>             at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
>             at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThread
>     EventExecutor.java:886)
>             at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalR
>     unnable.java:30)
>             at java.lang.Thread.run(Unknown Source)
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>             at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>             at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.jav
>     a:292)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1248)
>             at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1
>     159)
>             at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1194)
>             at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProte
>     ction(ByteToMessageDecoder.java:489)
>             at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageD
>     ecoder.java:428)
>             ... 16 more
>     Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>             at sun.security.ssl.Alerts.getSSLException(Unknown Source)
>             at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
>             at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
>             at sun.security.ssl.Handshaker.processLoop(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at sun.security.ssl.Handshaker$1.run(Unknown Source)
>             at java.security.AccessController.doPrivileged(Native Method)
>             at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
>             at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:140
>     8)
>             at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1316)
>             ... 20 more
>     Caused by: sun.security.validator.ValidatorException: PKIX path building failed:
>      sun.security.provider.certpath.SunCertPathBuilderException: unable to find vali
>     d certification path to requested target
>             at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
>             at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
>             at sun.security.validator.Validator.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
>             at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Sour
>     ce)
>             ... 29 more
>     Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
>      find valid certification path to requested target
>             at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Sourc
>     e)
>             at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown
>      Source)
>             at java.security.cert.CertPathBuilder.build(Unknown Source)
>             ... 35 more

It seems I have to add certificates for Excelastic but how and where?
Can anyone suggest how to solve this issue?

If not what are other possible options to upload data to current index in elasticsearch in easy manner?

0 Likes

#2

Well, I do not know Excelastic at all, but judging from the stack trace I guess the problem is that

  • you are using self-signed certificates on Elasticsearch (maybe the demo certificates?)
  • Excelastic is not able to validate the certificates since they are self-signed

So you would need to find a way to either

  • provide Excelastic with the root-ca that you use on Elasticsearch or
  • disable certificate validation on Excelastic

Using self-signed certificates is a common use-case for companies running their own PKI, but I guess you would need to ask that question on the Excelastic forum / GitHub / …

Let me know if there any more questions!

0 Likes

assigned jkressin #3
0 Likes

#4

For those troubled with similar issue.
Please check my answer here

1 Like