certificate_unknown for sgadmin.sh

Hello,

I am trying to add some users to .searchguard index with sgadmin.sh

I have changed the demo certificates to domain wildcard certificate.

Https works correctly, but I am not able to generate valid client certificates.

openssl genrsa -out admin-es.key 2048
openssl req -new -key admin-es.key -out admin-es.csr
openssl pkcs8 -topk8 -inform pem -in admin-es.key -outform pem -out admin-es.pkcs
openssl x509 -req -in admin-es.csr -CA domain.pem -CAkey domain.key -CAcreateserial -out admin-es.pem -days 1024 -sha256

openssl x509 -noout -subject -in admin-es.full.pem
subject= /C=CZ/ST=Some-State/L=Prague/O=domain/CN=admin

elasticsearch.yml

searchguard.authcz.admin_dn:

  • C=CZ,ST=Some-State,L=Prague,O=domain,CN=admin

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.pem -cacert domain.pem -keypass pass

``

``

which results in:

SSL Problem Received fatal alert: bad_certificate

``

I have also tried to concatenate certs to bundle

cat admin-es.pem domain.pem > admin-es.full.pem

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.full.pem -cacert domain.pem -keypass pass

``

which results in

SSL Problem Received fatal alert: certificate_unknown

``

I am aware of this example but it is not using OpenSSL https://github.com/floragunncom/search-guard-ssl/blob/master/example-pki-scripts/gen_client_node_cert.sh

Can you please suggest what am I doing wrong?

there is also script which use openssl only: https://github.com/floragunncom/search-guard-ssl/blob/master/example-pki-scripts/gen_node_cert_openssl.sh

···

Am 12.11.2017 um 23:38 schrieb Vít Listík <tivvitmail@gmail.com>:

Hello,

I am trying to add some users to .searchguard index with sgadmin.sh

I have changed the demo certificates to domain wildcard certificate.
Https works correctly, but I am not able to generate valid client certificates.

openssl genrsa -out admin-es.key 2048
openssl req -new -key admin-es.key -out admin-es.csr
openssl pkcs8 -topk8 -inform pem -in admin-es.key -outform pem -out admin-es.pkcs
openssl x509 -req -in admin-es.csr -CA domain.pem -CAkey domain.key -CAcreateserial -out admin-es.pem -days 1024 -sha256

openssl x509 -noout -subject -in admin-es.full.pem
subject= /C=CZ/ST=Some-State/L=Prague/O=domain/CN=admin

elasticsearch.yml

searchguard.authcz.admin_dn:
  - C=CZ,ST=Some-State,L=Prague,O=domain,CN=admin

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.pem -cacert domain.pem -keypass pass
which results in:
SSL Problem Received fatal alert: bad_certificate

I have also tried to concatenate certs to bundle
cat admin-es.pem domain.pem > admin-es.full.pem

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.full.pem -cacert domain.pem -keypass pass
which results in
SSL Problem Received fatal alert: certificate_unknown

I am aware of this example but it is not using OpenSSL https://github.com/floragunncom/search-guard-ssl/blob/master/example-pki-scripts/gen_client_node_cert.sh

Can you please suggest what am I doing wrong?

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/dc21edee-412f-4009-80c4-7d576af551a0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.