Elasticsearch SearchGuard certificates showing as not secure

Hi All,

I have installed Search Guard 5.5.2-16 and Elasticsearch 5.5.2 on an Ubuntu machine. The JVM version is Java 1.8.0_144. I used the offline TLS tool to generate the certificates and successfully generated the files with it. Below are my Search Guard config changes in the elasticsearch.yml file:

```yaml
searchguard.ssl.transport.pemcert_filepath: /etc/elasticsearch/out/Demo_node.pem
searchguard.ssl.transport.pemkey_filepath: /etc/elasticsearch/out/Demo_node.key
searchguard.ssl.transport.pemkey_password: PgDFRSlCLVE3
searchguard.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/out/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /etc/elasticsearch/out/Demo_node_http.pem
searchguard.ssl.http.pemkey_filepath: /etc/elasticsearch/out/Demo_node_http.key
searchguard.ssl.http.pemkey_password: tVXcQnG1SLOM
searchguard.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/out/root-ca.pem
searchguard.nodes_dn:
  - CN=Demo,OU=SMT,O=Demoserver, Inc.,DC=demoserver,DC=smt-demoserver
searchguard.authcz.admin_dn:
  - CN=admin.demo.com,OU=SMT,O=demo, Inc.,DC=admin,DC=es-admin
```

After initializing Search Guard I am able to log in to the Elasticsearch cluster with the credentials, but when I checked the browser it was showing as “not secure”. The certificate is valid for 10 years, so I am not able to understand why it’s showing not secure.

Please kindly help me to resolve the issue.

Attached the screenshot for reference.

Regards,
Ganeshbabu R

The reason is that all certificates not signed by a CA that is trusted implicitly by your browser are deemed insecure. In other words:

Every browser has a preinstalled list of CAs that it automatically trusts. These are CAs like Thawte, Globalsign, Comodo etc. If the certificate you use is not signed by one of these CAs, the browser will display a warning.

The certificates that you generate when using the TLS tool (or the online certificate generator) are self-signed, i.e. not signed by one of the said well-known and preinstalled CAs. That’s why the browser displays the warning.

If you want to get rid of the browser warning you need to either

  • get a certificate from one of the preinstalled CAs (Let’s Encrypt will work for HTTPS and does not cost anything)
  • import the root-ca that the TLS tool generates as a trusted CA into your browser

On Monday, May 14, 2018 at 12:02:02 PM UTC+2, Ganesh Babu wrote:

Thanks for sharing the inputs.

I am trying your suggestions and will let you know the feedback!!!

On Tuesday, May 15, 2018 at 3:04:54 AM UTC+5:30, Jochen Kressin wrote: