curl: (60) SSL certificate problem: unable to get local issuer certificate

patrick · December 11, 2018, 1:06pm

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on TLS Certificate Generator - Search Guard as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version
Installed and used enterprise modules, if any
JVM version and operating system version
Search Guard configuration files
Elasticsearch log messages on debug level
Other installed Elasticsearch or Kibana plugins, if any

searchguard_google_group · December 11, 2018, 1:22pm

Try

curl -k -u admin:admin -XGET ‘https://localhost:9200’ (not recommended)

or

curl --cacert root-ca.pem -u admin:admin -XGET ‘https://localhost:9200’ (recommended)

(Note: The http/s port is normally 9200 and not 9300. 9300 is the port where the nodes talsk to each other with a binary TCP based protocol, called transport protocol)

patrick · December 11, 2018, 9:02pm

This works - curl --cacert root-ca.pem -u admin:admin -XGET ‘https://localhost:9200’

So it works without specifying the cacert do I install it somewhere or change from keystore cert config to pem ?

···

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

searchguard_google_group · December 11, 2018, 10:07pm

Sorry, but i don't understand ...

···

Am 11.12.2018 um 22:02 schrieb patrick@amatc.com.au:

This works - curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200'

So it works without specifying the cacert do I install it somewhere or change from keystore cert config to pem ?

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat...@amatc.com.au wrote:
Elasticsearch - 5.6.13
Search Guard - search-guard-5:5.6.13-19.2
Java - openjdk version "1.8.0_191"
Ubuntu 18.04

Certificates created on TLS Certificate Generator - Search Guard as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8fc51c9f-71f9-4b11-ae0d-110eb3d8b0e5%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

patrick · December 11, 2018, 10:17pm

I mean to install the root cert so that the other certs are trusted, I have done this using:

cp root-ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

I still get error for local issuer certificate

···

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

searchguard_google_group · December 11, 2018, 10:21pm

Not sure if curl/php picks up the certs in /usr/local/share/ca-certificates/

Especially curl is tricky, maybe its compiled against NSS. You can check this with curl -V

For php question is the same, guess it depends on against which SSL library it was compiled

But thats not really Search Guard related

On Tuesday, 11 December 2018 23:17:10 UTC+1:

···

I mean to install the root cert so that the other certs are trusted, I have done this using:

cp root-ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

I still get error for local issuer certificate

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

patrick · December 11, 2018, 10:26pm

Then how to get trusted certificates for search guard ?

···

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

searchguard_google_group · December 11, 2018, 10:37pm

If you need "offical" ssl certs you need to buy them (Verisign etc) or use letsencrypt.
But all the SSL stuff is really not Search Guard specific.

···

Am 11.12.2018 um 23:26 schrieb patrick@amatc.com.au:

Then how to get trusted certificates for search guard ?

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat...@amatc.com.au wrote:
Elasticsearch - 5.6.13
Search Guard - search-guard-5:5.6.13-19.2
Java - openjdk version "1.8.0_191"
Ubuntu 18.04

Certificates created on TLS Certificate Generator - Search Guard as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/c6f033d1-9525-4741-a2d9-522eb819ae66%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.

patrick · December 11, 2018, 10:42pm

I think it is because I can’t connect when ssl enabled.

···

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

patrick · December 11, 2018, 10:48pm

I fixed it, I added pem in php.ini under curl.cainfo = /etc/ssl/cacert.pem

I downloaded the curl - Extract CA Certs from Mozilla

I added the root-ca.pem created by the certificate generator at the end of the file i downloaded and uploaded it to /etc/ssl/ directory.

···

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere ?

curl -u admin:admin -XGET 'https://localhost:9300’curl: (60) SSL certificate problem: unable to get local issuer certificateMore details here: https://curl.haxx.se/docs/sslcerts.htmlcurl failed to verify the legitimacy of the server and therefore could notestablish a secure connection to it. To learn more about this situation andhow to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: truesearchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.transport.keystore_password: xxxxsearchguard.ssl.transport.truststore_filepath: truststore.jkssearchguard.ssl.transport.truststore_password: xxxxsearchguard.ssl.transport.enforce_hostname_verification: falsesearchguard.ssl.http.enabled: truesearchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jkssearchguard.ssl.http.keystore_password: xxxxsearchguard.ssl.http.truststore_filepath: truststore.jkssearchguard.ssl.http.truststore_password: xxxxsearchguard.authcz.admin_dn: - CN=sgadminsearchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

Search Guard and Elasticsearch version

Installed and used enterprise modules, if any

JVM version and operating system version

Search Guard configuration files

Elasticsearch log messages on debug level

Other installed Elasticsearch or Kibana plugins, if any

Topic		Replies	Views
Something wrong with certificates? (Kibana plugin) Search Guard	1	1165	May 10, 2018
Certificate issue when deploying last release ELK + Search Guard Search Guard	4	2153	January 17, 2019
ERR: You try to connect with a ssl node certificate instead of an admin client certificate Search Guard	7	534	April 4, 2018
certificate unknown error Search Guard	13	4137	November 24, 2017
NoNodeAvailableException: None of the configured nodes are available Search Guard	3	2185	November 16, 2019

curl: (60) SSL certificate problem: unable to get local issuer certificate

Related topics