Client Certificate Authentication not picking up the CN

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

SG/ES - 6.4.2-15

No enterprise modules

java version "1.8.0_191"

Searchguard config files

sg_config.yml

```yaml
basic_internal_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: internal
clientcert_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: clientcert
    config:
      username_attribute: cn=esclient
    challenge: false
  authentication_backend:
    type: noop
```

sg_roles_mapping.yml

```yaml
sg_readall:
  readonly: true
  backendroles:
    - readall
  users:
    - "cn=esclient"
```

curl call:

```
curl -vk 'https://esclient-0:9200/_search' --cacert ./ca.pem --key ./key.dec.pem --cert ./cl.pem
*   Trying 10.5.0.42...
* Connected to esclient-0 (10.5.0.42) port 9200 (#0)
* found 2 certificates in ./ca.pem
* found 600 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*        server certificate verification SKIPPED
*        server certificate status verification SKIPPED
*        common name: esclient-servercert (does not match 'esclient-0')
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=esclient-int-servercert
*        start date: Fri, 09 Nov 2018 16:55:28 GMT
*        expire date: Mon, 09 Nov 2020 16:55:28 GMT
*        compression: NULL
* ALPN, server did not agree to a protocol
> GET /_search HTTP/1.1
> Host: esIntclient-0:9200
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< content-type: text/plain; charset=UTF-8
< content-length: 29
<
* Connection #0 to host esclient-0 left intact
Authentication finally failed
```

Elasticsearch log:

```
[2018-11-20T22:22:18,397][TRACE][c.f.s.a.BackendRegistry ] Try to extract auth creds from clientcert http authenticator
[2018-11-20T22:22:18,397][TRACE][c.f.s.h.HTTPClientCertAuthenticator] No CLIENT CERT, send 401
[2018-11-20T22:22:18,398][TRACE][c.f.s.a.BackendRegistry ] No 'Authorization' header, send 403
[2018-11-20T22:22:18,398][TRACE][c.f.s.a.BackendRegistry ] Try to extract auth creds from basic http authenticator
[2018-11-20T22:22:18,398][TRACE][c.f.s.a.BackendRegistry ] No 'Authorization' header, send 403
[2018-11-20T22:22:18,398][DEBUG][c.f.s.a.BackendRegistry ] User still not authenticated after checking 2 auth domains
[2018-11-20T22:22:18,398][WARN ][c.f.s.a.BackendRegistry ] Authentication finally failed for null
```

I am trying to set up permissions for non-admin certs. Could someone please take a look and point out what may be wrong here? Thanks!

···

Have you set the clientauth_mode to at least OPTIONAL?

Also, this config entry here seems incorrect:

```yaml
config:
  username_attribute: cn=esclient
```

It should be:

```yaml
config:
  username_attribute: cn
```

The username_attribute just tells SG which part of the DN it should use as username.
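To make the two points in the reply concrete (what `username_attribute` selects from the client certificate's subject DN, and what `sg_roles_mapping.yml` then has to list), here is an added Python model written for this thread. It is not Search Guard's code: the DN parser, the sample subject DN, the two mappings and the choice to reject a request whose DN lacks the configured attribute are this example's own assumptions. The prerequisite the reply raises first still applies: unless the node's clientauth_mode is OPTIONAL or REQUIRE, the server never asks for a client certificate, the authenticator sees no certificate at all (the "No CLIENT CERT, send 401" trace above), and none of the logic below is reached.

```python
"""Model of the two steps the posted config gets wrong: (1) how a
clientcert authenticator derives a username from the peer certificate's
subject DN via username_attribute, and (2) how that username is matched
against sg_roles_mapping.yml.  Added illustration for this thread, not
Search Guard's code; DNs and mappings below are constructed samples."""
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 style DN ("CN=esclient,OU=clients,O=Example")
    into (type, value) pairs in the order written.  Handles backslash
    escapes and double-quoted values; multi-valued RDNs ('+') are not."""
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    typ: Optional[str] = None
    in_quotes = escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and typ is None and not in_quotes:
            typ = "".join(buf).strip()
            buf = []
        elif ch in ",;" and not in_quotes:
            if typ is not None:
                rdns.append((typ, "".join(buf).strip()))
            typ, buf = None, []
        else:
            buf.append(ch)
    if typ is not None:
        rdns.append((typ, "".join(buf).strip()))
    return rdns


def username_from_cert(subject_dn: str,
                       username_attribute: Optional[str] = None) -> Optional[str]:
    """username_attribute names one RDN *type* (e.g. "cn") whose value
    becomes the username; with no attribute configured the whole DN is
    the username.  A value like "cn=esclient" is a type/value pair, not a
    type, so it never matches any RDN.  Assumption of this model: when the
    attribute is absent from the DN the request is not authenticated."""
    if not username_attribute:
        return subject_dn
    wanted = username_attribute.strip().lower()
    for typ, value in parse_dn(subject_dn):
        if typ.lower() == wanted:
            return value
    return None


def roles_for(username: Optional[str],
              roles_mapping: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Exact-match lookup of the username in each role's 'users' list.
    Simplification: the real matching rules are not modelled here."""
    if username is None:
        return []
    return sorted(role for role, m in roles_mapping.items()
                  if username in m.get("users", []))


# Constructed sample: subject of a client certificate issued to "esclient".
CLIENT_SUBJECT_DN = "CN=esclient,OU=clients,O=Example Corp,C=US"

# Roles mapping as posted (user listed as a DN fragment) beside a fixed one.
POSTED_MAPPING = {"sg_readall": {"users": ["cn=esclient"]}}
FIXED_MAPPING = {"sg_readall": {"users": ["esclient"]}}


def demo() -> Dict[str, object]:
    """Run the posted settings and the corrected ones side by side."""
    return {
        # username_attribute: cn=esclient  -> no RDN type matches -> None
        "posted_attr": username_from_cert(CLIENT_SUBJECT_DN, "cn=esclient"),
        # username_attribute: cn           -> "esclient"
        "fixed_attr": username_from_cert(CLIENT_SUBJECT_DN, "cn"),
        # no username_attribute            -> the full DN is the username
        "no_attr": username_from_cert(CLIENT_SUBJECT_DN),
        # the mapping must list the derived username, not "cn=esclient"
        "posted_roles": roles_for("esclient", POSTED_MAPPING),
        "fixed_roles": roles_for("esclient", FIXED_MAPPING),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>13}: {value!r}")
```

The two fixes compose: once `username_attribute: cn` yields `esclient`, the `users` entry in `sg_roles_mapping.yml` has to be `esclient` as well, otherwise the certificate authenticates but maps to no role. Check what the certificate actually carries with `openssl x509 -in ./cl.pem -noout -subject` before choosing the attribute.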

···

On Tuesday, November 20, 2018 at 11:15:46 PM UTC+1, Malavika Yuvaraj wrote:
