DN with a comma seems to trip up search guard

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version: 5.4.1
  • Installed and used enterprise modules, if any: none
  • JVM version and operating system version: JVM: 1.8.0, CentOS 7.6
  • Other installed Elasticsearch or Kibana plugins, if any: ingest-geoip, ingest-user-agent

I’m trying to install Search Guard. I’m to the point where I run sgadmin.sh --enable-shard-allocation. I get:

WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: Cannot authenticate null
Connected as EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpqs\, Inc.,L=Washington,ST=District of Columbia,C=US
ERR: EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
  - "EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US"

Please note that if I add the setting exactly as specified, Elasticsearch will not start, with the error:

Transport authentication finally failed for EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US from 127.0.0.1:58450

The issue seems to be the comma. If I don’t escape it, Elasticsearch starts, but sgadmin.sh complains with the error above.

# grep admin_dn /etc/elasticsearch/elasticsearch.yml
searchguard.authcz.admin_dn: [ "EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpq, Inc.,L=Washington,ST=District of Columbia,C=US" ]

So it’s a catch-22 situation. Any suggestions?
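Added example, not part of the thread and not Search Guard's or Elasticsearch's own code. It shows two things the post above runs into: where the backslash in "O=Xxpq\, Inc." comes from (RFC 2253 escapes a comma inside an attribute value with a backslash, so that is the string form the plugin prints and compares against), and how to write that value in elasticsearch.yml so the string the YAML parser hands to the plugin is identical to it. In a YAML double-quoted scalar a backslash introduces an escape and `\,` is not a defined escape, so the line exactly as sgadmin printed it is not valid inside double quotes; inside single quotes the backslash is an ordinary character, and inside double quotes it has to be doubled. The YAML decoder below is a simplified model of just the quoted-scalar rules (it stands in for the real parser), the subject attribute pairs are constructed from the DN in the post since no certificate is attached, and the exact-string admin match is an assumption made for this example.

```python
# Added example; not from the thread and not Search Guard or Elasticsearch code.
# (1) Why the DN sgadmin prints contains "O=Xxpq\, Inc." and (2) how that value
# has to be quoted in elasticsearch.yml so the plugin receives an identical string.
# The YAML decoder is a simplified model of the quoted-scalar rules only; the
# exact-string admin match is an assumption made for this example.

# DN exactly as sgadmin printed it in the post above (RFC 2253 form).
SGADMIN_DN = r"EMAILADDRESS=ishelp@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US"

# The same subject as attribute/value pairs, as it sits in the certificate
# (constructed here from the DN above; the thread has no certificate file).
SUBJECT = [("EMAILADDRESS", "ishelp@xxpq.com"), ("CN", "*.xxpq.com"),
           ("O", "Xxpq, Inc."), ("L", "Washington"),
           ("ST", "District of Columbia"), ("C", "US")]


def rfc2253_escape(value: str) -> str:
    """Escape one attribute value per RFC 2253: this is what turns the plain
    comma in 'Xxpq, Inc.' into the backslash-comma the plugin prints."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out.startswith(("#", " ")):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def rfc2253_dn(attrs) -> str:
    """Join attribute pairs into the string form Search Guard compares against."""
    return ",".join("%s=%s" % (k, rfc2253_escape(v)) for k, v in attrs)


# The subset of YAML double-quoted escapes relevant here.
_DQ_ESCAPES = {"\\": "\\", '"': '"', "/": "/", " ": " ", "n": "\n", "t": "\t"}


def decode_yaml_quoted(scalar: str) -> str:
    """Decode one single- or double-quoted YAML scalar (simplified model).
    Single quotes: no escapes at all, only '' stands for one '.
    Double quotes: backslash escapes; an unknown escape such as \\, is an error,
    which is why sgadmin's suggested line does not parse inside double quotes."""
    if len(scalar) < 2 or scalar[0] != scalar[-1] or scalar[0] not in "'\"":
        raise ValueError("not a quoted scalar: %r" % scalar)
    quote, body = scalar[0], scalar[1:-1]
    if quote == "'":
        return body.replace("''", "'")
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("dangling backslash")
        nxt = body[i + 1]
        if nxt not in _DQ_ESCAPES:
            raise ValueError("found unknown escape character %r" % nxt)
        out.append(_DQ_ESCAPES[nxt])
        i += 2
    return "".join(out)


def is_admin(presented_dn: str, admin_dns) -> bool:
    """Exact string match of the presented DN against the configured list
    (assumed for this example; the real comparison may normalise further)."""
    return presented_dn in admin_dns


def classify(scalar: str):
    """Parse one candidate admin_dn entry: ('error', msg) if YAML rejects it,
    else ('ok', <whether it matches the DN sgadmin printed>)."""
    try:
        value = decode_yaml_quoted(scalar)
    except ValueError as exc:
        return ("error", str(exc))
    return ("ok", is_admin(SGADMIN_DN, [value]))


def yaml_admin_dn(dn: str) -> str:
    """elasticsearch.yml fragment using a single-quoted scalar, so the YAML
    parser keeps the backslash before the comma literally."""
    return "searchguard.authcz.admin_dn:\n  - '%s'\n" % dn.replace("'", "''")


# Four spellings of the entry as they would appear in elasticsearch.yml.
BROKEN = '"' + SGADMIN_DN + '"'                          # "...O=Xxpq\, Inc...."   unknown escape
UNESCAPED = '"' + SGADMIN_DN.replace("\\,", ",") + '"'   # "...O=Xxpq, Inc...."    parses, wrong DN
FIXED_SQ = "'" + SGADMIN_DN + "'"                        # '...O=Xxpq\, Inc....'   matches
FIXED_DQ = '"' + SGADMIN_DN.replace("\\", "\\\\") + '"'  # "...O=Xxpq\\, Inc...."  matches

if __name__ == "__main__":
    assert rfc2253_dn(SUBJECT) == SGADMIN_DN
    for label, s in [("backslash-comma in double quotes", BROKEN),
                     ("comma left unescaped", UNESCAPED),
                     ("single quotes", FIXED_SQ),
                     ("doubled backslash in double quotes", FIXED_DQ)]:
        print("%-36s %s" % (label, classify(s)))
    print(yaml_admin_dn(SGADMIN_DN))
```

Run as a script it prints one verdict per spelling and the fragment to paste. The single-quoted form is the simplest to get right, because nothing inside single quotes is interpreted; if double quotes are preferred, every backslash in the DN has to be written as `\\`. Whichever form is used, the decoded value must be byte-for-byte the DN sgadmin reports on the "Connected as" line.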

Which exact Search Guard and Elasticsearch version are you running?

You mentioned 5.4.1, but sgadmin reported 6.x?

On Thursday, 27 December 2018 22:48:07 UTC+1, Peter K wrote:

Ooops... a brainfart... Running 6.5.4, RPM install:

[root@elk02-dev ~]# rpm -q elasticsearch
elasticsearch-6.5.4-1.noarch

Can you post the output of

  openssl x509 -in admincert.pem -text -noout

and your elasticsearch.yml (as attachment)?

On 28.12.2018 at 16:04, Peter K <graysnow@gmail.com> wrote:

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/9525bab8-3092-42d1-81bc-824374b205a4%40googlegroups.com.