Configuring CA Bundle with Elastalert > SearchGuard

Hello, I am trying to set up Elastalert, following this guide:

https://github.com/floragunncom/search-guard-docs/blob/master/elastalert.md

and I am running into an issue:

```
[2017-08-16T13:24:44,968][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [elastic-master-01.x-x.com] SSL Problem Received fatal alert: unknown_ca
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
```

Now, the ca-bundle I am providing is exactly the same as what is configured on the Elastic master I am trying to talk to:

```
$ md5sum /etc/elasticsearch/elastic-master-01x/ca-bundle.pem
b72ec81db7ee1831232020df0a807743

$ md5sum /etc/elastalert/ca-bundle.pem
b72ec81db7ee1831232020df0a807743 /etc/elastalert/ca-bundle.pem
```

The configuration I have inside ES is:

```yaml
searchguard.ssl.transport.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.transport.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.transport.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.transport.pemkey_password: x
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.http.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.http.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.http.pemkey_password: x
searchguard.authcz.admin_dn:
  - CN=elastic-admin,OU=Systems/DevOps,O=x x plc,L=x,C=GB
searchguard.nodes_dn:
  - CN=elastic-node-01.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
  - CN=elastic-node-02.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
  - CN=*.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB

network.publish_host: elastic-master-01.x-x.com
searchguard.ssl.transport.enforce_hostname_verification: true
```

And then the Elastalert config:

```yaml
es_host: elastic-master-01.x-x.com
es_port: 9200

es_username: x
es_password: x
use_ssl: True
verify_certs: True
ca_certs: /etc/elastalert/ca-bundle.pem
```

I appreciate this isn't your software, but I was curious as to whether you have any advice?
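One detail of the log line above is worth reading closely: the Elasticsearch node reports an alert it *received*, and in TLS the unknown_ca alert is sent by the side that failed to validate the certificate it was shown. So it is the elastalert client that rejected the chain presented on port 9200, and matching md5sums on both hosts only prove that the same bundle file is in place, not that the certificate configured as searchguard.ssl.http.pemcert_filepath actually chains to a CA inside that bundle. The following is an added example, not code from this thread, from elastalert or from Search Guard. It uses Go's standard library as a dependency-free stand-in for the client-side check that elastalert's Python TLS stack performs: it builds a throwaway issuing CA, an unrelated CA and a server certificate, loads each CA as a PEM bundle the way a ca_certs file is consumed, and classifies the three outcomes a client can reach (trusted, issuer not in the bundle, hostname mismatch). All CA names, hostnames and serial numbers are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// Verdict is what a verifying TLS client concludes about a server certificate.
type Verdict string

const (
	Trusted          Verdict = "trusted"
	UnknownCA        Verdict = "unknown_ca"        // issuer is absent from the client's bundle
	HostnameMismatch Verdict = "hostname_mismatch" // chain is fine, the name is not
	OtherFailure     Verdict = "other_failure"
)

// must aborts on key/certificate generation errors: the material below is
// constructed for the demonstration, so a failure here is a programming error.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert signs tmpl with parent/parentKey (self-signed when parent is nil) and
// returns the parsed certificate together with its freshly generated key.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

func caTemplate(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// BundleFromPEM loads a ca-bundle.pem the way a client consumes its ca_certs
// setting, failing loudly when the file yields no parseable certificate.
func BundleFromPEM(data []byte) (*x509.CertPool, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(data) {
		return nil, errors.New("no CERTIFICATE block could be parsed from the bundle")
	}
	return pool, nil
}

// Classify runs the client-side verification step (chain to a trusted root,
// then hostname) and maps the x509 error type to a verdict.
func Classify(leaf *x509.Certificate, bundle *x509.CertPool, host string) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, DNSName: host})
	switch {
	case err == nil:
		return Trusted
	case errors.As(err, &x509.UnknownAuthorityError{}):
		return UnknownCA
	case errors.As(err, &x509.HostnameError{}):
		return HostnameMismatch
	default:
		return OtherFailure
	}
}

// Scenarios checks one server certificate against three client configurations.
func Scenarios() map[string]Verdict {
	const host = "elastic-master-01.example.test" // constructed hostname
	toPEM := func(c *x509.Certificate) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
	}
	issuingCA, issuingKey := mkCert(caTemplate("Example Issuing CA", 1), nil, nil)
	otherCA, _ := mkCert(caTemplate("Example Unrelated CA", 2), nil, nil)
	leaf, _ := mkCert(serverTemplate(host), issuingCA, issuingKey)
	rightBundle, err := BundleFromPEM(toPEM(issuingCA))
	must(err)
	wrongBundle, err := BundleFromPEM(toPEM(otherCA))
	must(err)
	return map[string]Verdict{
		"issuing CA in ca_certs":    Classify(leaf, rightBundle, host),
		"other CA in ca_certs":      Classify(leaf, wrongBundle, host),
		"issuing CA, wrong es_host": Classify(leaf, rightBundle, "elastic-node-02.example.test"),
	}
}
```

The second scenario is the one that produces an unknown_ca alert on the wire: the bundle is a perfectly valid file, it simply does not contain the CA that issued the certificate the server presents. The same Classify call, pointed at the real server certificate and the real bundle, is the offline check to run before touching the elastalert configuration; the third scenario is what you see instead when the chain is fine but es_host does not match a name in the certificate.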

It looks like it doesn't really handle TLS certs / keys; we have modified the elastalert code in order to get around this.

You can close this :slight_smile:

On Wednesday, 16 August 2017 14:34:43 UTC+1, anthony...@actual-experience.com wrote:

Can you publish your code changes/solution (or even better commit them back to the elastalert project?)

On Wednesday, 16 August 2017 17:36:36 UTC+2, ant…es@ac…nce.com wrote:

I will look at doing that tomorrow, it looks like a similar pull request is already in their repo waiting for a merge.

I will check with my boss and then get back to you tomorrow.

Registered Office: Actual Experience plc
Quay House, The Ambury, Bath BA1 1UA,
Registered No. 06838738, VAT No. 971 9696 56

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.

On 16 August 2017 at 17:13, Search Guard info@search-guard.com wrote:
You received this message because you are subscribed to a topic in the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/in-u2k-KfMk/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4fe03ba2-2e42-4aa4-a49e-051fbe4ebb93%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Anthony Cleaves

Actual Experience plc

www.actual-experience.com | @actualexp | LinkedIn

great! thx

On 16.08.2017 at 18:16, Anthony Cleaves <anthony.cleaves@actual-experience.com> wrote:

No need, they read my mind!

:stuck_out_tongue:

On Wednesday, 16 August 2017 17:19:14 UTC+1, Search Guard wrote:

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]

Now, the ca-bundle I am providing is exactly the same as what is configured on the Elastic master I am trying to talk to:

md5sum /etc/elasticsearch/elastic-master-01x/ca-bundle.pem
b72ec81db7ee1831232020df0a807743

md5sum /etc/elastalert/ca-bundle.pem
b72ec81db7ee1831232020df0a807743 /etc/elastalert/ca-bundle.pem

The configuration I have inside ES is:

searchguard.ssl.transport.pemkey_filepath: elastic-nodes-key.pkcs8

searchguard.ssl.transport.pemcert_filepath: elastic-master-01.x-x.com.pem

searchguard.ssl.transport.pemtrustedcas_filepath: ca-bundle.pem

searchguard.ssl.transport.pemkey_password: x

searchguard.ssl.http.enabled: true

searchguard.ssl.http.pemkey_filepath: elastic-nodes-key.pkcs8

searchguard.ssl.http.pemcert_filepath: elastic-master-01.x-x.com.pem

searchguard.ssl.http.pemtrustedcas_filepath: ca-bundle.pem

searchguard.ssl.http.pemkey_password: x

searchguard.authcz.admin_dn:

- CN=elastic-admin,OU=Systems/DevOps,O=x x plc,L=x,C=GB

searchguard.nodes_dn:

- CN=[elastic-node-01.x-x.com](http://elastic-node-01.x-x.com),OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=[elastic-node-02.x-x.com](http://elastic-node-02.x-x.com),OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=*.[x-x.com](http://x-x.com),OU=Systems/DevOps,O=x x x,L=x,C=GB

network.publish_host: elastic-master-01.x-x.com

searchguard.ssl.transport.enforce_hostname_verification: true

And then the Elastalert config:

es_host: elastic-master-01.x-x.com

es_port: 9200

es_username: x

es_password: x

use_ssl: True

verify_certs: True

ca_certs: /etc/elastalert/ca-bundle.pem

I appreciate this isn’t your software, but I was curious as to if you had any advice?


You received this message because you are subscribed to a topic in the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/in-u2k-KfMk/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4fe03ba2-2e42-4aa4-a49e-051fbe4ebb93%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Anthony Cleaves

Actual Experience plc

www.actual-experience.com | @actualexp | LinkedIn

Registered Office: Actual Experience plc

Quay House, The Ambury, Bath BA1 1UA,

Registered No. 06838738, VAT No. 971 9696 56

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.


You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAB-OqLFCxAnAN3pyv7E0fAp1691kfMHLsrvc9wvjQD8k5jDwLg%40mail.gmail.com.

For more options, visit https://groups.google.com/d/optout.

:slight_smile:


You can now update that documentation.

Elastalert now accepts a client cert and key.

The following works for me with Search Guard.

es_host: elastic-master-01.x-x.com
es_port: 9200

es_username: x
es_password: x
use_ssl: True
verify_certs: True
client_cert: /etc/elastalert/elastic-admin.pem
client_key: /etc/elastalert/elastic-admin-key.pem
ca_certs: /etc/elastalert/ca-bundle.pem

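The config above is the end state; what it does not show is why the first attempt failed, or how to tell which side of the handshake gave up without re-reading the Java stack trace. In the JSSE log at the top of the thread, "Received fatal alert: unknown_ca" means the Elasticsearch node received that alert from its peer: Elastalert could not chain the node's certificate to anything it trusted, which fits the earlier finding that Elastalert was not honouring ca_certs at all. Comparing md5sums of two copies of ca-bundle.pem proves the copies are identical, not that the node's certificate was issued by something in that bundle. The script below is an added example, not code from this thread or from Elastalert or Search Guard. It assumes the openssl CLI is on PATH and does three things: verifies a leaf certificate against a bundle, prints a certificate's subject DN in the CN=...,OU=...,O=...,C=... order that the searchguard.authcz.admin_dn entries above use so the two can be compared by eye, and, given a host, runs the same client-authenticated handshake Elastalert performs with client_cert, client_key and ca_certs set. Since no node is reachable offline, it generates a throwaway CA, a node certificate signed by it, and an unrelated CA in a temp directory; the names test-ca, other-ca and elastic-master-01.example.test are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Elastalert/Search Guard.
# Offline checks for the trust relationships behind an "unknown_ca" alert.
# Assumes the openssl CLI is on PATH; every file name here is an assumption.
set -eu

# Does the leaf certificate chain to the CA bundle? Exit 0 if it does.
# Matching md5sums of two ca-bundle.pem copies only show the copies are
# identical; this is the check that shows the node cert was issued by it.
check_chain() {
  local bundle=$1 leaf=$2
  openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
}

# Print the subject DN in RFC 2253 form, i.e. the CN=...,OU=...,O=...,C=...
# ordering used for searchguard.authcz.admin_dn and searchguard.nodes_dn.
leaf_dn() {
  local s
  s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  s=${s#subject=}
  printf '%s\n' "${s# }"
}

# Live handshake against the HTTPS port, presenting the client cert the way
# Elastalert does once client_cert/client_key/ca_certs are set. The side that
# emits the unknown ca alert is the side that could not chain the peer's
# certificate to anything it trusts. Needs network access, so it is not part
# of the offline demonstration below.
probe_tls() {
  local host=$1 port=$2 bundle=$3 cert=$4 key=$5
  openssl s_client -connect "$host:$port" -servername "$host" \
    -CAfile "$bundle" -cert "$cert" -key "$key" </dev/null 2>&1 |
    grep -E 'Verify return code|alert' || true
}

# Throwaway PKI so the checks run offline: a CA standing in for
# ca-bundle.pem, a node certificate it signed, and an unrelated CA standing
# in for the system trust store a client falls back to when ca_certs is
# not honoured.
make_test_pki() {
  local dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=test-ca' \
    -keyout "$dir/ca.key" -out "$dir/ca-bundle.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=other-ca' \
    -keyout "$dir/other.key" -out "$dir/other-ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj '/C=GB/O=Example/OU=Systems/CN=elastic-master-01.example.test' \
    -keyout "$dir/node.key" -out "$dir/node.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/node.csr" -CA "$dir/ca-bundle.pem" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/node.pem" 2>/dev/null
}

# Offline demonstration: same leaf, two trust stores, opposite verdicts.
demo() {
  local dir
  dir=$(mktemp -d)
  make_test_pki "$dir"
  echo "node subject : $(leaf_dn "$dir/node.pem")"
  if check_chain "$dir/ca-bundle.pem" "$dir/node.pem"; then
    echo "ca-bundle.pem: node cert verifies"
  fi
  if ! check_chain "$dir/other-ca.pem" "$dir/node.pem"; then
    echo "other-ca.pem : node cert rejected (this is the unknown_ca case)"
  fi
  rm -rf "$dir"
}

demo
```

Against the real cluster the live check is `probe_tls elastic-master-01.x-x.com 9200 /etc/elastalert/ca-bundle.pem /etc/elastalert/elastic-admin.pem /etc/elastalert/elastic-admin-key.pem`. A `Verify return code: 0 (ok)` line with no alert means the client side of the trust relationship is right; any remaining alert then comes from the node, for example because the client certificate does not chain to its pemtrustedcas bundle.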
