Certificate_problem

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

My configuration is as follows:


######################################################################################################

cluster.name: ops-elasticsearch-Alarm

node.name: ops-elasticsearch-Alarm-node04

node.master: false

node.data: true

path.data: /data/servers/elasticsearch-data

path.logs: /data/servers/elasticsearch-log

bootstrap.memory_lock: true

bootstrap.system_call_filter: false

indices.fielddata.cache.size: 50mb

network.host: 172.16.194.239

http.port: 9200

discovery.zen.minimum_master_nodes: 2

discovery.zen.fd.ping_timeout: 60s

discovery.zen.fd.ping_interval: 30s

discovery.zen.fd.ping_retries: 6

discovery.zen.ping.unicast.hosts: ["ops-elasticsearch-Alarm-master01","ops-elasticsearch-Alarm-master02","ops-elasticsearch-Alarm-master03"]

cluster.routing.allocation.node_initial_primaries_recoveries: 50

cluster.routing.allocation.node_concurrent_recoveries: 50

cluster.routing.allocation.cluster_concurrent_rebalance: 50

xpack.monitoring.collection.enabled: true

xpack.monitoring.enabled: true

xpack.graph.enabled: true

action.auto_create_index: "*"

searchguard.ssl.transport.keystore_type: JKS

searchguard.ssl.transport.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.transport.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.truststore_type: JKS

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.http.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: KtdzbtbwBKUo70Ze1u3X

http.compression: true

http.compression_level: 5

xpack.security.enabled: false

searchguard.nodes_dn:

  - "CN=ops-elasticsearch-Alarm-node04,OU=SSL,O=Test,L=Test,C=DE"

######################################################################################################

Can I perform a series of configuration runs on a node? The current error is as follows:

######################################################################################################

Search Guard Admin v6

Will connect to 172.16.194.239:9300 … done

Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info

Connected as CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE

ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user

Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in elasticsearch.yml

######################################################################################################

As an experimental environment, do I have to have master and node nodes to complete the experiment?

######################################################################################################

I modified the script example.sh

######################################################################################################

#!/bin/bash

OPENSSL_VER="$(openssl version)"

if [[ $OPENSSL_VER == *"0.9"* ]]; then

echo "Your OpenSSL version is too old: $OPENSSL_VER"

echo "Please install version 1.0.1 or later"

exit -1

else

echo "Your OpenSSL version is: $OPENSSL_VER"

fi

set -e

./clean.sh

./gen_root_ca.sh KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert.sh ops-elasticsearch-Alarm-node01 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert.sh ops-elasticsearch-Alarm-node02 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert.sh ops-elasticsearch-Alarm-node03 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert.sh ops-elasticsearch-Alarm-node04 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert.sh ops-elasticsearch-Alarm-node05 KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_client_node_cert.sh spock KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_client_node_cert.sh kirk KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_client_node_cert.sh logstash KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_client_node_cert.sh filebeat KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_client_node_cert.sh kibana KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node01/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node01" "ops-elasticsearch-Alarm-node01" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node02/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node02" "ops-elasticsearch-Alarm-node02" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node03/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node03" "ops-elasticsearch-Alarm-node03" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node04/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node04" "ops-elasticsearch-Alarm-node04" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

./gen_node_cert_openssl.sh "/CN=ops-elasticsearch-Alarm-node05/OU=SSL/O=Test/L=Test/C=DE" "ops-elasticsearch-Alarm-node05" "ops-elasticsearch-Alarm-node05" KtdzbtbwBKUo70Ze1u3X KtdzbtbwBKUo70Ze1u3X

######################################################################################################

How to empower the role?

I don’t understand the documentation.

My es version is 6.3.0

My java version is 1.8.0_144

My Search Guard version is 6.3.0

The latest error: the error message and my configuration file do not match. I have restarted the es service.

The error is ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user

But in my configuration file it is - CN=node-ops-elasticsearch-Alarm-node04,OU=client,O=client,L=test,C=DE

Search Guard Admin v6

Will connect to 172.16.194.239:9300 … done

Unable to check whether cluster is sane: No user found for cluster:monitor/nodes/info

Connected as CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE

ERR: CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE is not an admin user

Seems you use a node certificate. This is not permitted, you have to use a client certificate and register it as admin_dn in elasticsearch.yml

searchguard.ssl.transport.keystore_type: JKS

searchguard.ssl.transport.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.transport.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.truststore_type: JKS

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.resolve_hostname: false

searchguard.ssl.http.enabled: false

searchguard.ssl.http.keystore_filepath: node-ops-elasticsearch-Alarm-node04-keystore.jks

searchguard.ssl.http.keystore_password: KtdzbtbwBKUo70Ze1u3X

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: KtdzbtbwBKUo70Ze1u3X

http.compression: true

http.compression_level: 5

xpack.security.enabled: false

searchguard.authcz.admin_dn:

  - CN=node-ops-elasticsearch-Alarm-node04,OU=client,O=client,L=test,C=DE
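
Added example (not part of the original post, and not Search Guard's own code): a small Python check that compares, RDN by RDN, the DN that sgadmin reported with the `searchguard.authcz.admin_dn` and `searchguard.nodes_dn` entries quoted in the post. The exact, case-sensitive matching and all function names are assumptions made for illustration.

```python
import re

def parse_dn(dn):
    """Split an RFC 4514-style DN string into ordered (TYPE, value) pairs."""
    rdns = []
    # Split only on commas that are not escaped with a backslash.
    for part in re.split(r'(?<!\\),', dn.strip().strip('"')):
        attr, sep, value = part.partition('=')
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns

def diff_dn(presented, registered):
    """Return RDN differences as (type, presented value, registered value)."""
    p, r = parse_dn(presented), parse_dn(registered)
    diffs = []
    for i in range(max(len(p), len(r))):
        pa = p[i] if i < len(p) else (None, None)
        ra = r[i] if i < len(r) else (None, None)
        if pa != ra:
            diffs.append((pa[0] or ra[0], pa[1], ra[1]))
    return diffs

def classify(presented, admin_dns, nodes_dns):
    """Classify the presented DN as 'admin', 'node' or 'unregistered'."""
    if any(not diff_dn(presented, dn) for dn in admin_dns):
        return "admin", []
    is_node = any(not diff_dn(presented, dn) for dn in nodes_dns)
    # Report the differences against the closest admin_dn entry.
    closest = min((diff_dn(presented, dn) for dn in admin_dns), key=len, default=[])
    return ("node" if is_node else "unregistered"), closest

# Values copied from the post: the DN in the sgadmin output and the two
# entries from elasticsearch.yml.
PRESENTED = "CN=node-ops-elasticsearch-Alarm-node04.example.com,OU=SSL,O=Test,L=Test,C=DE"
ADMIN_DN = ["CN=node-ops-elasticsearch-Alarm-node04,OU=client,O=client,L=test,C=DE"]
NODES_DN = ["CN=ops-elasticsearch-Alarm-node04,OU=SSL,O=Test,L=Test,C=DE"]

if __name__ == "__main__":
    kind, diffs = classify(PRESENTED, ADMIN_DN, NODES_DN)
    print(f"presented DN is: {kind}")
    for attr, got, want in diffs:
        print(f"  {attr}: certificate has {got!r}, admin_dn expects {want!r}")
```

With the values from the post, the presented DN equals neither the `admin_dn` entry nor the `nodes_dn` entry; it differs from the `admin_dn` entry in CN, OU, O and L.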