Cerebro auth with Search Guard

I am new to Search Guard. I have a single machine running a fresh Elasticsearch 6.4.0 install and Search Guard.

There is a utility called Cerebro that provides a graphical interface to Elasticsearch clusters.

https://github.com/lmenezes/cerebro

It is listed in supported plugins:

https://docs.search-guard.com/latest/search-guard-compatibility

The config file is simple. I’ve tried admin/admin in the Authentication section, which seems to be password protection for the Cerebro app itself, and in the hosts section. This shows a plain text link; switching to https generates some errors on the console from Cerebro, which I have included below.

Is there a simple solution already worked out for this?

```
# Authentication
auth = {
  type: basic
  settings: {
    username = "admin"
    password = "admin"
  }
}

# A list of known hosts
hosts = [
  {
    host = "http://localhost:9200"
    name = "hotpot"
    auth = {
      username = "admin"
      password = "admin"
    }
  }
]
```

begin Cerebro errors with https

```
! @7a1840nfg - Internal server error, for (POST) [/connect] →

play.api.UnexpectedException: Unexpected exception[ConnectException: General SSLEngine problem]
    at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
    at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
    at play.core.server.AkkaHttpServer$$anonfun$13$$anonfun$apply$1.applyOrElse(AkkaHttpServer.scala:251)
    at play.core.server.AkkaHttpServer$$anonfun$13$$anonfun$apply$1.applyOrElse(AkkaHttpServer.scala:250)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
Caused by: java.net.ConnectException: General SSLEngine problem
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:168)
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:139)
    at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:507)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:500)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:262)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)

[error] application -

! @7a184183l - Internal server error, for (POST) [/connect] →

play.api.UnexpectedException: Unexpected exception[RemotelyClosedException: Remotely closed]
    at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:247)
    at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:176)
    at play.core.server.AkkaHttpServer$$anonfun$13$$anonfun$apply$1.applyOrElse(AkkaHttpServer.scala:251)
    at play.core.server.AkkaHttpServer$$anonfun$13$$anonfun$apply$1.applyOrElse(AkkaHttpServer.scala:250)
    at scala.concurrent.Future$$anonfun$recoverWith$1.apply(Future.scala:346)
Caused by: play.shaded.ahc.org.asynchttpclient.exception.RemotelyClosedException: Remotely closed
```

Hi, for problems with self-signed certs, try something like this:

```
play.ws.ssl.loose.acceptAnyCertificate = true
```

and the host should be using https:

```
host = "https://localhost:9200"
```

On Sunday, 18 November 2018 03:31:49 UTC-9:30, Neal Rauhauser wrote:

I am new to Search Guard. I have a single machine running a fresh Elasticsearch 6.4.0 install and Search Guard.

There is a utility called Cerebro that provides a graphical interface to Elasticsearch clusters.

https://github.com/lmenezes/cerebro

It is listed in supported plugins:

https://docs.search-guard.com/latest/search-guard-compatibility

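The `PKIX path building failed` error in the trace means Cerebro's JVM has no trust anchor for the certificate that Elasticsearch presents. The setting suggested in the reply removes the error by switching certificate validation off. As an added example (not from the thread, and not the Cerebro or Search Guard project's own configuration), the same `application.conf` can instead trust the CA that signed the node certificate. The path `/etc/cerebro/root-ca.pem` is a placeholder assumption for wherever that root CA file is kept.

```hocon
# Added example: Cerebro conf/application.conf, Play WS client TLS settings.

# Weak (the setting from the reply): any certificate is accepted, so the
# basic-auth credentials in `hosts` go to whichever server answers on 9200.
# play.ws.ssl.loose.acceptAnyCertificate = true

# Corrected: validate the Elasticsearch certificate against the CA that
# signed it. Hostname verification stays on, so the name used in `host`
# below must appear in the node certificate's subject alternative names.
play.ws.ssl {
  trustManager = {
    stores = [
      # Placeholder path (assumption): root CA of the Search Guard node certs
      { type = "PEM", path = "/etc/cerebro/root-ca.pem" }
    ]
  }
}

# A list of known hosts
hosts = [
  {
    host = "https://localhost:9200"
    name = "hotpot"
    auth = {
      username = "admin"
      password = "admin"
    }
  }
]
```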