Configuration issue on Prod server

Hi,

While configuring Search Guard on an Elasticsearch 5.6.0 prod server I get the following error after executing sgadmin. I have generated CA-signed certificates for hostname.pem and sgadmin.pem. Kindly let me know where I am making a mistake.

SSL Problem General SSLEngine problem

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]

at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_161]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1979) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]

… 18 more

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]

at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]

at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1966) ~[?:?]

at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]

… 18 more

searchguard.ssl.transport.pemcert_filepath: elk001.crt.pem

searchguard.ssl.transport.pemkey_filepath: elk001.key.pem

searchguard.ssl.transport.pemkey_password: xxxxxx

searchguard.ssl.transport.pemtrustedcas_filepath: chain_ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false  # NOTE: this disables hostname checks on inter-node TLS, so any certificate that chains to chain_ca.pem can pose as a node; re-enable it once the node certificates carry the correct hostname/SAN.

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: elk001.crt.pem

searchguard.ssl.http.pemkey_filepath: elk001.key.pem

searchguard.ssl.http.pemkey_password: xxxxxxx

searchguard.ssl.http.pemtrustedcas_filepath: chain_ca.pem

searchguard.authcz.admin_dn:

  - 'CN=halsgadmin,OU=xxxx,O=xxx xxx Limited,L=xxx,ST=xxx,C=xx'

Note: Search Guard works fine in dev with the self-signed certificates generated on the SG site (presumably because those are issued with the required clientAuth/serverAuth extended key usages).

Thanks ,

Alex

It's all in the error message → "Extended key usage does not permit use for TLS client authentication". The failing frames are `X509TrustManagerImpl.checkClientTrusted` → `EndEntityChecker.checkTLSClient`, i.e. the node is validating the certificate that sgadmin presents as a TLS *client*, and that certificate's Extended Key Usage does not include TLS Web Client Authentication (clientAuth, OID 1.3.6.1.5.5.7.3.2). Your dev certificates presumably carry that EKU; the CA-issued prod sgadmin.pem evidently does not. Have the CA re-issue sgadmin.pem with clientAuth, and make sure the node certificates used on the transport layer carry both serverAuth and clientAuth, since nodes connect to each other as clients as well. See https://docs.search-guard.com/latest/search.html?q=Extended+key+usage


Am 12.06.2018 um 17:06 schrieb Alex Bennet <malexbennet@gmail.com>:

Hi,
While configuring searchguard on elasticsearch 5.6.0 prod server I am getting the following error after executing sgadmin. I have generated the signed certificate for hostname.pem and sgadmin.pem. Kindly let me know were I am doing mistake.

SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_161]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1979) ~[?:?]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
        ... 18 more
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
        at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
        at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
        at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1966) ~[?:?]
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
        ... 18 more

searchguard.ssl.transport.pemcert_filepath: elk001.crt.pem
searchguard.ssl.transport.pemkey_filepath: elk001.key.pem
searchguard.ssl.transport.pemkey_password: xxxxxx
searchguard.ssl.transport.pemtrustedcas_filepath: chain_ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: elk001.crt.pem
searchguard.ssl.http.pemkey_filepath: elk001.key.pem
searchguard.ssl.http.pemkey_password: xxxxxxx
searchguard.ssl.http.pemtrustedcas_filepath: chain_ca.pem
searchguard.authcz.admin_dn:
- 'CN=halsgadmin,OU=xxxx,O=xxx xxx Limited,L=xxx,ST=xxx,C=xx'

Note: searchguard with self signed certificate is working fine in dev( generated self signed certificate on SG site).

Thanks ,
Alex


Hi,

I have generated the CSR using openssl and we have a valid signing authority. Will that certificate work?

Thanks,

Alex


On Tuesday, 12 June 2018 22:59:29 UTC+5:30, Search Guard wrote:

Its all in the error message → “Extended key usage does not permit use for TLS client authentication” → https://docs.search-guard.com/latest/search.html?q=Extended+key+usage

Am 12.06.2018 um 17:06 schrieb Alex Bennet malex...@gmail.com:

Hi,
While configuring searchguard on elasticsearch 5.6.0 prod server I am getting the following error after executing sgadmin. I have generated the signed certificate for hostname.pem and sgadmin.pem. Kindly let me know were I am doing mistake.

SSL Problem General SSLEngine problem

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_161]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1979) ~[?:?]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
    ... 18 more

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication

    at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1966) ~[?:?]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
    ... 18 more

searchguard.ssl.transport.pemcert_filepath: elk001.crt.pem

searchguard.ssl.transport.pemkey_filepath: elk001.key.pem

searchguard.ssl.transport.pemkey_password: xxxxxx

searchguard.ssl.transport.pemtrustedcas_filepath: chain_ca.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemcert_filepath: elk001.crt.pem

searchguard.ssl.http.pemkey_filepath: elk001.key.pem

searchguard.ssl.http.pemkey_password: xxxxxxx

searchguard.ssl.http.pemtrustedcas_filepath: chain_ca.pem

searchguard.authcz.admin_dn:

  - 'CN=halsgadmin,OU=xxxx,O=xxx xxx Limited,L=xxx,ST=xxx,C=xx'

Note: searchguard with self signed certificate is working fine in dev( generated self signed certificate on SG site).

Thanks ,

Alex



Yes — as long as the issuing CA actually puts the right Extended Key Usage into the certificate. The EKU comes from the CA's signing profile, not only from what you request in the CSR, so before re-running sgadmin verify the issued files with `openssl x509 -in sgadmin.pem -noout -text | grep -A1 'Extended Key Usage'` and confirm "TLS Web Client Authentication" is listed (node certificates should show both "TLS Web Server Authentication" and "TLS Web Client Authentication"). Also bear in mind that at the TLS layer the node will accept any client certificate that chains to chain_ca.pem, so prefer a dedicated private CA or intermediate for node and admin certificates over a general-purpose enterprise CA, and keep admin_dn restricted to the admin certificate's exact DN as you already do.

And if you want to make your life easier, try our offline TLS tool to create the CSRs.


Am 13.06.2018 um 07:41 schrieb Alex Bennet <malexbennet@gmail.com>:

Hi,

I have generated CSR using openssl and we have valid signed authority. Will that certificate work?

Thanks,
Alex

On Tuesday, 12 June 2018 22:59:29 UTC+5:30, Search Guard wrote:
It's all in the error message → "Extended key usage does not permit use for TLS client authentication" → https://docs.search-guard.com/latest/search.html?q=Extended+key+usage

> Am 12.06.2018 um 17:06 schrieb Alex Bennet <malex...@gmail.com>:
>
> Hi,
> While configuring searchguard on elasticsearch 5.6.0 prod server I am getting the following error after executing sgadmin. I have generated the signed certificate for hostname.pem and sgadmin.pem. Kindly let me know were I am doing mistake.
>
> SSL Problem General SSLEngine problem
> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_161]
> at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
> at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
> at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1979) ~[?:?]
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
> at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
> ... 18 more
> Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
> at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
> at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
> at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
> at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
> at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
> at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
> at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1966) ~[?:?]
> at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:237) ~[?:?]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
> at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
> at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
> at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
> at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1301) ~[?:?]
> at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1214) ~[?:?]
> ... 18 more
>
> searchguard.ssl.transport.pemcert_filepath: elk001.crt.pem
> searchguard.ssl.transport.pemkey_filepath: elk001.key.pem
> searchguard.ssl.transport.pemkey_password: xxxxxx
> searchguard.ssl.transport.pemtrustedcas_filepath: chain_ca.pem
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.http.enabled: true
> searchguard.ssl.http.pemcert_filepath: elk001.crt.pem
> searchguard.ssl.http.pemkey_filepath: elk001.key.pem
> searchguard.ssl.http.pemkey_password: xxxxxxx
> searchguard.ssl.http.pemtrustedcas_filepath: chain_ca.pem
> searchguard.authcz.admin_dn:
> - 'CN=halsgadmin,OU=xxxx,O=xxx xxx Limited,L=xxx,ST=xxx,C=xx'
>
>
> Note: searchguard with self signed certificate is working fine in dev( generated self signed certificate on SG site).
>
>
>
> Thanks ,
> Alex
>