Certificate DN

Hi,

I have my admin certificate DN configured as follows.

searchguard.authcz.admin_dn:
- CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=US

When I try to initialize the SG, I get the following exception.

[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] Error authentication transport user ElasticsearchSecurityException[java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ExecutionException[java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: Exception[no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com];
org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:298) ~[search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:168) [search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) [search-guard-ssl-5.5.1-23.jar:5.5.1-23]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) [search-guard-5-5.5.1-16.jar:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) [transport-netty4-client-5.5.1.jar:5.5.1]
:
:
:
Caused by: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[?:?]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[?:?]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:272) ~[?:?]
… 43 more


If I change the admin DN configuration as below, in the reverse order, it works.

searchguard.authcz.admin_dn:
- C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com

I don’t understand what is happening here.

If I fetch it from the certificate, I get it in the order with CN at the beginning.

# openssl x509 -in admin_cert.pem -noout -subject
subject= /CN=vf-zr125-sm100.dr.avaya.com/O=Avaya/C=US

Then why is SG expecting the DN in the reverse order?

Also, on the page here, the example shows the admin certificate DN starting with CN.

https://github.com/floragunncom/search-guard-docs/blob/93f1cbc7a43b3cb3bcedf9b44b634071055cc714/tls_configuration.md

Then why is it not working for me?

Can someone here please help me with this?

I need to understand this SearchGuard behavior to get it up and running. Why is it not allowing the DN with CN first?


Hi All,

Still waiting for some help here.

···

On Monday, October 16, 2017 at 2:26:47 PM UTC+5:30, ihjaz Mohamed wrote:

Can someone here please help me with this?

I need to understand this SearchGuard behavior to get it up and running. Why is it not allowing the DN with CN first?


https://www.google.de/search?q=%2Copenssl+reverse+order+dn&oq=%2Copenssl+reverse+order+dn

···

On 14.10.2017 at 22:25, ihjaz Mohamed <ihjazmohamed@gmail.com> wrote:

Hi,

I have my admin certificate DN configured as follows.

searchguard.authcz.admin_dn:
- CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=US

When I try to initialize the SG, I get the following exception.

[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] Error authentication transport user ElasticsearchSecurityException[java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ExecutionException[java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: Exception[no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com];
org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
        at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:298) ~[search-guard-5-5.5.1-16.jar:?]
        at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:168) [search-guard-5-5.5.1-16.jar:?]
        at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) [search-guard-ssl-5.5.1-23.jar:5.5.1-23]
        at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) [search-guard-5-5.5.1-16.jar:?]
        at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) [elasticsearch-5.5.1.jar:5.5.1]
        at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) [transport-netty4-client-5.5.1.jar:5.5.1]
:
:
:
Caused by: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
        at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[?:?]
        at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[?:?]
        at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[?:?]
        at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[?:?]
        at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[?:?]
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[?:?]
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
        at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
        at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
        at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:272) ~[?:?]
        ... 43 more

If I change the admin DN configuration as below in the reverse order it works.

searchguard.authcz.admin_dn:
- C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com

I don't understand what is happening here.
If I fetch it from the certificate, I get it in the order with CN at the beginning.
# openssl x509 -in admin_cert.pem -noout -subject
subject= /CN=vf-zr125-sm100.dr.avaya.com/O=Avaya/C=US

Then why is SG expecting the DN in the reverse order?

Also, on the page here, the example shows the admin certificate DN starting with CN.
https://github.com/floragunncom/search-guard-docs/blob/93f1cbc7a43b3cb3bcedf9b44b634071055cc714/tls_configuration.md

Then why is it not working for me?
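As an added example (not from this thread or from Search Guard), the script below makes the ordering point behind that search link concrete: OpenSSL's default `-subject` output lists the RDNs in the order they are encoded in the certificate, while the RFC 2253 string form that Java's `X500Principal.getName()` returns, and that the log above echoes, lists them last-to-first. The function and constant names are mine; the subject line is the one from the post.

```python
import re

# Subject line as the post shows it: OpenSSL's legacy format, RDNs in encoded order.
OPENSSL_SUBJECT = "subject= /CN=vf-zr125-sm100.dr.avaya.com/O=Avaya/C=US"

# Characters RFC 2253 (section 2.4) requires to be backslash-escaped inside a value.
_RFC2253_SPECIAL = ',+"\\<>;'


def parse_openssl_subject(line: str) -> list:
    """Split OpenSSL's one-line subject into (type, value) pairs, first encoded RDN first."""
    body = line.split("=", 1)[1] if line.startswith("subject=") else line
    rdns = []
    for part in filter(None, body.strip().split("/")):
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value))
    return rdns


def _escape(value: str) -> str:
    """RFC 2253 value escaping: specials, a leading '#' or space, a trailing space."""
    out = "".join("\\" + c if c in _RFC2253_SPECIAL else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    return out[:-1] + "\\ " if out.endswith(" ") else out


def to_rfc2253(rdns: list) -> str:
    """RFC 2253 writes the RDN sequence last-to-first, so the encoded order is reversed.
    This is the form Java's X500Principal.getName() returns and the log line above echoes."""
    return ",".join(f"{t}={_escape(v)}" for t, v in reversed(rdns))


def normalize_rfc2253(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, trim whitespace around
    each RDN and '=', upper-case attribute types; values keep their case."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr_type, _, value = rdn.strip().partition("=")
        parts.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(parts)


def admin_dn_matches(openssl_subject: str, configured_dns: list) -> bool:
    """True if some admin_dn entry names the certificate subject; RDN order is significant."""
    cert_dn = normalize_rfc2253(to_rfc2253(parse_openssl_subject(openssl_subject)))
    return any(normalize_rfc2253(dn) == cert_dn for dn in configured_dns)


if __name__ == "__main__":
    print("RFC 2253 form:", to_rfc2253(parse_openssl_subject(OPENSSL_SUBJECT)))
    for dn in ("CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=US", "C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com"):
        print(dn, "->", admin_dn_matches(OPENSSL_SUBJECT, [dn]))
```

On the certificate itself, `openssl x509 -in admin_cert.pem -noout -subject -nameopt RFC2253` prints the RFC 2253 form directly, which is the string to put under `admin_dn`; a subject encoded C first (as in the docs' example) yields a CN-first RFC 2253 string, which is why the documented example and this certificate differ.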

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/f31ab63d-8708-4626-9f12-a1524f34a8a4%40googlegroups.com.