Hello,
I have an elasticsearch cluster with 3 nodes who work very well with search-guard-ssl, but when i install search-guard-2 plugin, the hell start.
Elasticsearch v 2.3.1
SearchGuard ssl v 2.3.1.8
Search-guard v 2.3.1.0-beta1
He re is my conf file:
cluster.name: xploit
node.name: ${HOSTNAME}
bootstrap.mlockall: true
network.host: 192.168.1.218
discovery.zen.ping.unicast.hosts: [“192.168.1.217”, “192.168.1.219”]
#searchguard.ssl.transport.enabled: false
searchguard.ssl.transport.keystore_filepath: elasticsearch04-tst-keystore.jks
searchguard.ssl.transport.keystore_password: alpine
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: alpine
#searchguard.ssl.transport.enforce_hostname_verification: false
security.manager.enabled: false
searchguard.authcz.admin_dn:
``
When i try to curl http://192.168.1.218:9200, i get Search Guard not initialized (SG11)
And when i try to use sgadmin.sh i get this error:
elasticsearch04-tst:/usr/share/elasticsearch/plugins/search-guard-2# ./tools/sgadmin.sh -cd sgconfig/ -cn xploit -h elasticsearch04-tst -p 9300 -ts /root/ca/truststore.jks -tspass alpine -ks /root/ca/xploit-keystore.jks -kspass alpine
Connect to elasticsearch04-tst:9300
Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{192.168.1.218}{elasticsearch04-tst/192.168.1.218:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)
``
I tried lot of things, i reinstalled and reinstalled, and i just don’t understand what’s this error meaning.
Someone ever had this problem? Or an idea to solve this?
Thanks
0) upgrade search-guard-ssl to 2.3.1.8.1
1) enable debug logging (in logging.yml on all nodes add "logger.com.floragunn: DEBUG")
2) set "searchguard.ssl.transport.enforce_hostname_verification: false" (just for now) on all nodes
3) restart nodes
Execute "./tools/sgadmin.sh -cd sgconfig/ -cn xploit -h elasticsearch04-tst -p 9300 -ts /root/ca/truststore.jks -tspass alpine -ks /root/ca/xploit-keystore.jks -kspass alpine -nhnv"
If it is still not working look into the logs of elasticsearch and make sure you can connect to elasticsearch04-tst on port 9300 from that host you issued the sgadmin command
(do a "telnet elasticsearch04-tst 9300" or "openssl s_client -connect elasticsearch04-tst:9300" for example)
How did you generate the SSL certificates?
Pls consider also an upgrade to ES 2.3.2, SG-SSL 2.3.2.9 and SG 2.3.2.0-beta2
···
Am 13.05.2016 um 15:09 schrieb cedric moreaux <misterced91@gmail.com>:
Hello,
I have an elasticsearch cluster with 3 nodes who work very well with search-guard-ssl, but when i install search-guard-2 plugin, the hell start.
Elasticsearch v 2.3.1
SearchGuard ssl v 2.3.1.8
Search-guard v 2.3.1.0-beta1
He re is my conf file:
cluster.name: xploit
node.name: ${HOSTNAME}
bootstrap.mlockall: true
network.host: 192.168.1.218
discovery.zen.ping.unicast.hosts: ["192.168.1.217", "192.168.1.219"]
#searchguard.ssl.transport.enabled: false
searchguard.ssl.transport.keystore_filepath: elasticsearch04-tst-keystore.jks
searchguard.ssl.transport.keystore_password: alpine
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: alpine
#searchguard.ssl.transport.enforce_hostname_verification: false
security.manager.enabled: false
searchguard.authcz.admin_dn:
- "CN=xploit"
When i try to curl http://192.168.1.218:9200, i get Search Guard not initialized (SG11)
And when i try to use sgadmin.sh i get this error:
elasticsearch04-tst:/usr/share/elasticsearch/plugins/search-guard-2# ./tools/sgadmin.sh -cd sgconfig/ -cn xploit -h elasticsearch04-tst -p 9300 -ts /root/ca/truststore.jks -tspass alpine -ks /root/ca/xploit-keystore.jks -kspass alpine
Connect to elasticsearch04-tst:9300
Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{192.168.1.218}{elasticsearch04-tst/192.168.1.218:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)
I tried lot of things, i reinstalled and reinstalled, and i just don't understand what's this error meaning.
Someone ever had this problem? Or an idea to solve this?
Thanks
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0ff1e7c7-d874-42aa-8449-e54c32214663%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
First thanks a lot for your spontaneity.
I upgraded to ES 2.3.2, SG-SSL 2.3.2.9 and SG 2.3.2.0-beta2
I activated debug logging
Now when i use sgadmin with parameters you wrote, i get this:
elasticsearch04-tst:/usr/share/elasticsearch/plugins/search-guard-2# ./tools/sgadmin.sh -cd sgconfig/ -cn xploit -h elasticsearch04-tst -p 9300 -ts /root/ca/truststore.jks -tspass alpine -ks /root/ca/xploit-keystore.jks -kspass alpine -nhnv
Connect to elasticsearch04-tst:9300
[16:13:38,419][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Franklin Storm] exception caught on transport layer [[id: 0xac44c4f8, /192.168.1.218:40078 => elasticsearch04-tst/192.168.1.218:9300]], closing connection
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1714)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:281)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:841)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:839)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273)
at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
… 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:230)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1433)
… 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
… 32 more
Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{192.168.1.218}{elasticsearch04-tst/192.168.1.218:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)
``
It’s look like i have a problem with my certs isn’t it?
But without searchguard, the differents node communicated with the same certs.
I generated all certs with the script in folder example-pki-script.
My root with gen_root_ca.sh
elasticsearch03-tst elasticsearch04-tst and elasticserch05-tst (my 3 nodes) with gen_node-cert.sh
and xploit with gen_client_node_cert.sh
Make sure you have no other elasticsearch nodes running than you expect to run!
"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target" means that the certificates are not trusted (e.g. the trustore.jks does not contain the root certificate for the generated node and client certificates). Make sure you use the same truststore you generated for your nodes (means: all certs must be signed with the same CA)
Look here for a working example https://github.com/floragunncom/search-guard/blob/master/Vagrantfile
···
Am 13.05.2016 um 16:22 schrieb cedric moreaux <misterced91@gmail.com>:
First thanks a lot for your spontaneity.
I upgraded to ES 2.3.2, SG-SSL 2.3.2.9 and SG 2.3.2.0-beta2
I activated debug logging
Now when i use sgadmin with parameters you wrote, i get this:
elasticsearch04-tst:/usr/share/elasticsearch/plugins/search-guard-2# ./tools/sgadmin.sh -cd sgconfig/ -cn xploit -h elasticsearch04-tst -p 9300 -ts /root/ca/truststore.jks -tspass alpine -ks /root/ca/xploit-keystore.jks -kspass alpine -nhnv
Connect to elasticsearch04-tst:9300
[16:13:38,419][WARN ] org.elasticsearch.com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - [Franklin Storm] exception caught on transport layer [[id: 0xac44c4f8, /192.168.1.218:40078 => elasticsearch04-tst/192.168.1.218:9300]], closing connection
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1714)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:281)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:841)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:839)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273)
at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
... 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:230)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1433)
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 32 more
Exception in thread "main" NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{192.168.1.218}{elasticsearch04-tst/192.168.1.218:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)
It's look like i have a problem with my certs isn't it?
But without searchguard, the differents node communicated with the same certs.
I generated all certs with the script in folder example-pki-script.
My root with gen_root_ca.sh
elasticsearch03-tst elasticsearch04-tst and elasticserch05-tst (my 3 nodes) with gen_node-cert.sh
and xploit with gen_client_node_cert.sh
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/356225a7-0113-473b-ae9a-276d8cee7fd2%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
There is no other instances on this 3 servers but probably some others on the network, i changes my cluster name by security but the error is still here.
If i use the same keystore as the node, i get just this:
elasticsearch04-tst:/usr/share/elasticsearch/plugins/search-guard-2# ./tools/sgadmin.sh -cd sgconfig/ -cn xploitcluster -h elasticsearch04-tst -p 9300 -ts /etc/elasticsearch/truststore.jks -tspass alpine -ks /etc/elasticsearch/elasticsearch04-tst-keystore.jks -kspass alpine -nhnv
Connect to elasticsearch04-tst:9300
Exception in thread “main” NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{192.168.1.218}{elasticsearch04-tst/192.168.1.218:9300}]]
at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:290)
at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:207)
at org.elasticsearch.client.transport.support.TransportProxyClient.execute(TransportProxyClient.java:55)
at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:288)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:359)
at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:348)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.execute(AbstractClient.java:848)
at org.elasticsearch.client.support.AbstractClient$ClusterAdmin.health(AbstractClient.java:868)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:137)
``
And in the log i saw this:
[2016-05-13 16:56:42,041][ERROR][com.floragunn.searchguard.transport.SearchGuardTransportService] Cannot authenticate User [name=CN=xploit, roles=]
``
Did i missed something? 
Ow god it’s ok, since i upgraded, i commented line for serch-guard-2 in elasticsearch.yml, it’s why he couldn’t find my user.
So i don’t no exactly what was the problem but you solved him at your first message.
Sorry for your time and one more time thanks a lot!!