Certificate issue when deploying last release ELK + Search Guard

  • Search Guard and Elasticsearch version 6.5.4 SG VERSION=.24.0 SG_VERSION_KIBANA=17

  • Installed and used enterprise modules, if any: NO

  • JVM version and operating system version : OpenJDK

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Hello,

I get this error when I try to deploy the last release of ELK+Search Guard in Docker. (ELK 6.5.4 SG 24.17) It seems that the certificate is not valid “java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 15 20:48:52 UTC 2019”.

The installation works well, without any error, but when I try “docker-compose exec -T elasticsearch bin/init_sg.sh”

I get this error:

Search Guard Admin v6

Will connect to localhost:9300 … done

Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{3j5FAWQ6S3mUip1AvJMC_Q}{localhost}{127.0.0.1:9300}]

17:41:55.210 [elasticsearch[client][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]

at sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]

at sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[?:?]

at sun.security.ssl.TransportContext.fatal(TransportContext.java:259) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1329) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1204) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1151) ~[?:?]

at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]

at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]

at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065) ~[?:?]

at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:?]

at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1457) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.30.Final.jar:4.1.30.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-common-4.1.30.Final.jar:4.1.30.Final]

at java.lang.Thread.run(Thread.java:834) [?:?]

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307) ~[?:?]

… 29 more

Caused by: java.security.cert.CertPathValidatorException: validity check failed

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?]

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307) ~[?:?]

… 29 more

Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 15 20:48:52 UTC 2019

at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[?:?]

at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:687) ~[?:?]

at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190) ~[?:?]

at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144) ~[?:?]

at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:233) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:141) ~[?:?]

at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:80) ~[?:?]

at java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?]

at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:345) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:259) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:321) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?]

at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1307) ~[?:?]

… 29 more

ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information

Trace:

NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{3j5FAWQ6S3mUip1AvJMC_Q}{localhost}{127.0.0.1:9300}]]

at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:349)

at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:247)

at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)

at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:382)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:395)

at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:384)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:454)

at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Do you have an idea how to solve it?

Thank you for your support.

Best regards,

Pascal

Hey, it seems like your certificate expired on 15th January. Perhaps try regenerating the certs that you're using, or try running the cluster using demo certificates.
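The diagnosis in the reply above comes from reading the trace bottom-up: the last `Caused by:` entry is the root cause. As an added example (not part of the thread and not Search Guard code), this Python script walks that chain and extracts the validity bound; the function names are hypothetical, and the sample keeps only the exception headers from the post with one frame each.

```python
import re
from datetime import datetime, timezone

# Constructed sample: exception headers copied from the trace in the original
# post, with the "at ..." frames trimmed to one per section.
SAMPLE_TRACE = """\
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350) ~[?:?]
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 15 20:48:52 UTC 2019
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[?:?]
"""

# An exception header is "<fully.qualified.Class>: <message>", optionally
# prefixed by "Caused by: ". Stack frames ("at ...") never match.
_HEADER = re.compile(
    r"^(?:Caused by: )?([A-Za-z_][\w.$]*(?:Exception|Error)): (.*)$"
)
# Message of the JDK validity exceptions: the bound name followed by
# java.util.Date.toString() output. Only UTC timestamps are handled here.
_VALIDITY = re.compile(
    r"^(NotAfter|NotBefore): \w{3} (\w{3}) +(\d{1,2}) "
    r"(\d{2}):(\d{2}):(\d{2}) UTC (\d{4})$"
)
_MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
_VALIDITY_EXCEPTIONS = (
    "java.security.cert.CertificateExpiredException",
    "java.security.cert.CertificateNotYetValidException",
)


def cause_chain(trace):
    """Return [(exception_class, message), ...], outermost first, root last."""
    chain = []
    for line in trace.splitlines():
        match = _HEADER.match(line.strip())
        if match:
            chain.append((match.group(1), match.group(2)))
    return chain


def validity_failure(trace):
    """Return (bound, utc_datetime) if the root cause is a validity-period
    failure, otherwise None."""
    chain = cause_chain(trace)
    if not chain or chain[-1][0] not in _VALIDITY_EXCEPTIONS:
        return None
    match = _VALIDITY.match(chain[-1][1])
    if not match:
        return None
    bound, mon, day, hh, mm, ss, year = match.groups()
    month = _MONTHS.get(mon)
    if month is None:
        return None
    limit = datetime(int(year), month, int(day),
                     int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    return bound, limit


def diagnose(trace, observed_at):
    """Summarise a validity failure relative to the time the error was seen."""
    failure = validity_failure(trace)
    if failure is None:
        return None
    bound, limit = failure
    # NotAfter: how long the certificate has been expired.
    # NotBefore: how long until it becomes valid.
    gap = observed_at - limit if bound == "NotAfter" else limit - observed_at
    return {
        "root_cause": cause_chain(trace)[-1][0],
        "bound": bound,
        "limit": limit,
        "outside_by": gap,
    }


if __name__ == "__main__":
    # Assumption: the log line shows only 17:41:55; the date is taken from the
    # thread (17 Jan 2019) and the timezone is assumed to be UTC.
    seen = datetime(2019, 1, 17, 17, 41, 55, tzinfo=timezone.utc)
    report = diagnose(SAMPLE_TRACE, seen)
    print(report["root_cause"])
    print(report["bound"], report["limit"].isoformat(),
          "outside validity by", report["outside_by"])
```

The outer `SSLHandshakeException` and `PKIX path validation failed` lines only say that validation failed; the innermost entry says why and gives the exact `NotAfter` bound to compare against the clock.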

Thank you for your support, Simon!

In fact, I run the cluster using the demo certificate. I just downloaded the files and ran docker-compose from https://github.com/deviantony/docker-elk/tree/searchguard.

I thought that demo certificates were always downloaded when we install a new release (without upgrade).

Hey there!

I had a look at that GitHub repo, did you see the maintainer updated it 2 hours ago with a commit message “Updated certs to be valid until 2028”? That seems very relevant to the issue you’re having. Maybe you can just pull the code again and retry?

By the way, you probably already know this, but re-using someone else’s certificates like that is extremely insecure and basically leaves your cluster open to the public. Definitely build some new certificates using SG’s offline certificate tool (or something).

Regards

Simon


On 17 Jan 2019, at 20:02, plaz300664@gmail.com wrote:

Thank you for your support, Simon!

In fact, I am running the cluster using the demo certificates. I just downloaded the files and ran docker-compose from https://github.com/deviantony/docker-elk/tree/searchguard.

I thought that the demo certificates were always downloaded when we install a new release (without upgrade).

On Thursday, 17 January 2019 at 18:57:59 UTC+1, Simon Visser wrote:

Hey, it seems like your certificate expired on 15th January. Perhaps try regenerating the certs that you're using, or try running the cluster using demo certificates.


**SIMON VISSER** / DEVELOPER
Simonv@gotbot.ai / +27 79 686 6576
GotBot
'Voted one of the top 10 Startups on the continent' * StartUpBootcamp 2017

Thanks a lot Simon, I will do it immediately.

And I agree with you that I need to create my own certificates. But I am still in training on Search Guard, and I should do it when we deploy the solution in our production environment.

Thank you again !!!

Best regards,

Pascal
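The diagnosis made in this thread, as an added example that is not part of any post and is not Search Guard code: the outermost errors ("None of the configured nodes are available", "validity check failed") hide the real cause, which sits at the bottom of the `Caused by:` chain. The sketch below walks that chain in the quoted sgadmin output and distinguishes an expired certificate (`NotAfter`) from a not-yet-valid one (`NotBefore`); the function names are hypothetical, and the log date is assumed to be 17 Jan 2019 UTC, the day the thread was posted.

```python
import re
from datetime import datetime, timezone

# Excerpt of the sgadmin output quoted in this thread (most stack frames trimmed).
SAMPLE_LOG = """\
17:41:55.210 [elasticsearch[client][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.ssl.Alert.createSSLException(Alert.java:128) ~[?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:350) ~[?:?]
… 29 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135) ~[?:?]
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 15 20:48:52 UTC 2019
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274) ~[?:?]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
"""

# A line that starts an exception: optional "Caused by: ", a dotted class name, optional message.
EXC_LINE = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]*(?:Exception|Error))(?::\s*(.*))?$")
# java.util.Date.toString() layout, e.g. "Tue Jan 15 20:48:52 UTC 2019".
JVM_DATE = re.compile(r"^\w{3} (\w{3}) (\d{1,2}) (\d{2}):(\d{2}):(\d{2}) (\w+) (\d{4})$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
VERDICTS = {"NotAfter": "expired", "NotBefore": "not_yet_valid"}


def cause_chain(log):
    """Return [(exception class, message), ...] from outermost to root cause.

    Simplification: the log is treated as a single stack trace.
    """
    chain = []
    for line in log.splitlines():
        m = EXC_LINE.match(line.strip())
        if m:
            chain.append((m.group(1), m.group(2) or ""))
    return chain


def parse_jvm_date(text):
    """Parse the JVM date string without relying on the locale; UTC/GMT only."""
    m = JVM_DATE.match(text.strip())
    if not m or m.group(1) not in MONTHS or m.group(6) not in ("UTC", "GMT"):
        raise ValueError("unsupported date: %r" % text)
    mon, day, hh, mm, ss, _zone, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                    tzinfo=timezone.utc)


def diagnose(log, now):
    """Classify the root cause behind a PKIX 'validity check failed' error."""
    chain = cause_chain(log)
    if not chain:
        return None
    root_class, message = chain[-1]
    result = {"root_cause": root_class, "verdict": "other",
              "boundary": None, "delta": None}
    m = re.match(r"(NotAfter|NotBefore): (.+)$", message)
    if m:
        result["verdict"] = VERDICTS[m.group(1)]
        result["boundary"] = parse_jvm_date(m.group(2))
        # How long ago the certificate expired, or how long until it becomes valid.
        result["delta"] = abs(now - result["boundary"])
    return result


if __name__ == "__main__":
    # Assumption: the 17:41:55 log time is UTC on 17 Jan 2019 (the thread's post date).
    now = datetime(2019, 1, 17, 17, 41, 55, tzinfo=timezone.utc)
    for cls, msg in cause_chain(SAMPLE_LOG):
        print(cls, "|", msg)
    print(diagnose(SAMPLE_LOG, now))
```

A `not_yet_valid` verdict usually points at clock skew on the host or container rather than at the certificate itself, so the two cases call for different fixes even though the handshake error text is identical.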
