curl: (60) SSL certificate problem: unable to get local issuer certificate

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error. Do I need to add root cert elsewhere?

curl -u admin:admin -XGET 'https://localhost:9300'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: xxxx
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: xxxx
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: xxxx
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: xxxx
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Try

curl -k -u admin:admin -XGET 'https://localhost:9200' (not recommended)

or

curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200' (recommended)

(Note: The http/s port is normally 9200 and not 9300. 9300 is the port where the nodes talk to each other with a binary TCP-based protocol, called the transport protocol.)

This works - curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200'

So it works without specifying the cacert, do I install it somewhere or change from keystore cert config to pem?

On Wednesday, December 12, 2018 at 12:06:39 AM UTC+11, pat…@amatc.com.au wrote:

Elasticsearch - 5.6.13

Search Guard - search-guard-5:5.6.13-19.2

Java - openjdk version “1.8.0_191”

Ubuntu 18.04

Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error. Do I need to add root cert elsewhere?

curl -u admin:admin -XGET 'https://localhost:9300'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: xxxx
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: xxxx
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: xxxx
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: xxxx
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.ssl.http.clientauth_mode: OPTIONAL

Sorry, but I don't understand ...

On 11.12.2018 at 22:02, patrick@amatc.com.au wrote:

This works - curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200'

So it works without specifying the cacert, do I install it somewhere or change from keystore cert config to pem?

I mean to install the root cert so that the other certs are trusted. I have done this using:

cp root-ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

I still get the error for local issuer certificate

Not sure if curl/php picks up the certs in /usr/local/share/ca-certificates/

Especially curl is tricky, maybe it's compiled against NSS. You can check this with curl -V

For PHP the question is the same, I guess it depends on which SSL library it was compiled against

But that's not really Search Guard related :wink:

On Tuesday, 11 December 2018 23:17:10 UTC+1:

I mean to install the root cert so that the other certs are trusted. I have done this using:

cp root-ca.crt /usr/local/share/ca-certificates/

sudo update-ca-certificates

I still get the error for local issuer certificate

Then how to get trusted certificates for Search Guard?

If you need "official" SSL certs you need to buy them (Verisign etc) or use letsencrypt.
But all the SSL stuff is really not Search Guard specific.

On 11.12.2018 at 23:26, patrick@amatc.com.au wrote:

Then how to get trusted certificates for Search Guard?

I think it is because I can't connect when SSL is enabled.

I fixed it. I added the pem in php.ini under curl.cainfo = /etc/ssl/cacert.pem

I downloaded the file from https://curl.haxx.se/docs/caextract.html

I added the root-ca.pem created by the certificate generator at the end of the file I downloaded and uploaded it to the /etc/ssl/ directory.

:slight_smile:

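Added example, not part of the original thread: the "unable to get local issuer certificate" failure and the bundle fix described above, reproduced offline with OpenSSL. It assumes the openssl CLI is installed; the CA subjects, public.pem and the function names are constructed for the demo, and all keys and certificates are throwaways in a temp directory.

```bash
#!/usr/bin/env bash
# Constructed demo: every key and certificate below is a throwaway made in a temp dir.

# Build a private root CA (stand-in for the generator's root-ca.pem), a node
# certificate for localhost signed by it, and an unrelated CA that plays the
# role of a public bundle such as the downloaded cacert.pem.
make_demo_pki() {  # $1 = working directory
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$d/root-ca.key" -out "$d/root-ca.pem" 2>/dev/null || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Public CA" \
    -keyout "$d/public.key" -out "$d/public.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/node.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" \
    -CAcreateserial -days 1 -out "$d/node.pem" 2>/dev/null || return 1
}

# Succeeds only if certificate $2 chains to a root contained in PEM bundle $1.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Prints the failure reason when the issuer is missing from bundle $1.
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  # Bundle without the private root: same failure text curl reports as error 60.
  chain_ok "$d/public.pem" "$d/node.pem" \
    || echo "public bundle only  : $(verify_error "$d/public.pem" "$d/node.pem")"
  # The fix from the thread: append root-ca.pem to the bundle the client reads.
  cat "$d/public.pem" "$d/root-ca.pem" > "$d/cacert.pem"
  chain_ok "$d/cacert.pem" "$d/node.pem" && echo "bundle + root-ca.pem: OK"
  rm -rf "$d"
}

demo
```

An OpenSSL-backed curl given `--cacert`, or PHP given `curl.cainfo`, reads the same kind of PEM bundle that `-CAfile` reads here.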