Empty file path for searchguard.ssl.transport.pemkey_filepath

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

SG=6.5.1-24.1

ES=6.5.1

  • JVM version and operating system version

JVM=1.8.0_162

OS=Ubuntu 18.04.1 LTS

  • Search Guard configuration files

from elasticsearch.yml

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-002.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-003.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.XXXX.com,OU=IL,O=XXXX Com\, Inc.,DC=XXXX,DC=com
"elasticsearch.yml" 115L, 4129C

  • Elasticsearch log messages on debug level

[c.f.s.a.BackendRegistry ] [es-encr-001] Not yet initialized (you may need to run sgadmin)

Hello,
I followed the document for installing SG - https://docs.search-guard.com/latest/search-guard-installation
I have an ES cluster of 3 nodes, generated all the certificates using your TLS tool, and did everything step by step according to the doc.

Now, when I want to initialize the SG, I run the next command -
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername

And receiving the following error -

WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
  at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607)
  at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:112)
  at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:108)
  at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:133)
  at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:273)
  at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:890)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:445)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
  at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598)
  ... 7 more
Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:800)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:210)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:327)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:151)
  at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
  at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:212)
  ... 12 more

It says that "Empty file path for searchguard.ssl.transport.pemkey_filepath", but I do use the -keypass inside the command.

Can you advise please?

Thanks,

Aleksei

Your command should look like

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername -key /etc/elasticsearch/kirk.key.pem

You are missing the "-key" argument which must point to the file where the key for your cert is stored. This is named similar to kirk.key.pem or kirk.key.

On 04.03.2019 at 07:13, Aleksei Saiko <aleksei.saiko@gmail.com> wrote:

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
SG=6.5.1-24.1
ES=6.5.1

* JVM version and operating system version
JVM=1.8.0_162
OS=Ubuntu 18.04.1 LTS

* Search Guard configuration files
from elasticsearch.yml
searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: aqTmoD7aBrpX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: raAtcE0mTfuk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-002.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
- CN=es-necr-003.XXXX.com,OU=IL,O=Pipl Com\, Inc.,DC=XXXX,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.XXXX.com,OU=IL,O=XXXX Com\, Inc.,DC=XXXX,DC=com
"elasticsearch.yml" 115L, 4129C

* Elasticsearch log messages on debug level
[c.f.s.a.BackendRegistry ] [es-encr-001] Not yet initialized (you may need to run sgadmin)

Hello,
I followed the document for installing SG - Installation | Security for Elasticsearch | Search Guard
I have an ES cluster of 3 nodes, generated all the certificates using your TLS tool, and did everything step by step according to the doc.

Now, when I want to initialize the SG, I run the next command -
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername

And receiving the following error -
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
  at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:607)
  at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:112)
  at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:108)
  at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:133)
  at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:273)
  at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:890)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:445)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
  at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598)
  ... 7 more
Caused by: ElasticsearchException[Empty file path for searchguard.ssl.transport.pemkey_filepath]
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.checkPath(DefaultSearchGuardKeyStore.java:800)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.resolve(DefaultSearchGuardKeyStore.java:210)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:327)
  at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:151)
  at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
  at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:212)
  ... 12 more

It says that "Empty file path for searchguard.ssl.transport.pemkey_filepath", but I do use the -keypass inside the command.

Can you advise please?

Thanks,

Aleksei
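
A pre-flight check for the four PEM arguments discussed in the reply above (-cacert, -cert, -key, -keypass), as an added example that is not part of the original thread or of Search Guard: it confirms that the key decrypts with the password, that it belongs to the certificate, and that the certificate is signed by the given CA, and it prints the subject DN for comparison with searchguard.authcz.admin_dn. The function names, exit codes and the SG_KEYPASS variable are assumptions of this example; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Pre-flight check for the PEM files given to sgadmin.sh via
# -cacert, -cert, -key and -keypass. Added example: the function names and
# exit codes are hypothetical, not part of Search Guard. Needs the openssl CLI.

# check_admin_pem CACERT CERT KEY [KEYPASS]
#   0  key decrypts, belongs to CERT, and CERT is signed by CACERT
#   2  a path is empty, or a file is unreadable or not a certificate
#   3  private key cannot be read (wrong password or not a key file)
#   4  private key does not belong to the certificate
#   5  certificate does not verify against the CA file
check_admin_pem() {
    cacert=$1 cert=$2 key=$3
    keypass=${4-${SG_KEYPASS-}}   # fall back to the environment

    for f in "$cacert" "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "empty path or unreadable file: '$f'" >&2
            return 2
        fi
    done

    # Derive the public key from the private key. The password is handed to
    # openssl through the environment so it does not show up in the process list.
    key_pub=$(SG_KEYPASS=$keypass openssl pkey -in "$key" \
                  -passin env:SG_KEYPASS -pubout 2>/dev/null) || {
        echo "cannot read $key: wrong password or not a private key" >&2
        return 3
    }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate $cert" >&2
        return 2
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "$key is not the private key for $cert" >&2
        return 4
    fi

    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "$cert is not signed by a CA in $cacert" >&2
        return 5
    fi
    return 0
}

# cert_subject_dn CERT
# Prints the subject in RFC 2253 form (commas inside a value are escaped as
# "\,"), for comparison with the searchguard.authcz.admin_dn entries.
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone use, with the password taken from the environment:
#   SG_KEYPASS='...' sh check_admin_pem.sh root-ca.pem kirk.pem kirk.key
if [ "$#" -ge 3 ]; then
    check_admin_pem "$1" "$2" "$3" && cert_subject_dn "$2"
fi
```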


Ok, I added it to command, now it looks like this -
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key

The keypass password, I take from client-certificates.readme file in 'out' folder.

When running the updated command, I receive this error -

root@es-encr-001:config# /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]
13:40:56.895 [elasticsearch[_client_][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_162]
  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_162]
  at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-common-4.1.30.Final.jar:4.1.30.Final]
  at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]]
  at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:349)
  at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:247)
  at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
  at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:382)
  at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:395)
  at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:384)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:454)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Once again, the added conf for elasticsearch.yml is

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: jyQKPd3weIsd
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: L9Fl1UHRbhGk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
- CN=es-encr-002.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
- CN=es-encr-003.xxxxcom,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.xxxx.com,OU=IL,O=xxxx Com\, Inc.,DC=xxxx,DC=com
"elasticsearch.yml" 114L, 4128C

Your command should look like

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername -key /etc/elasticsearch/kirk.key.pem

Can you provide the yml config you used to create the certificates with the TLS tool? Or how did you use the online TLS certificate generator?

On 05.03.2019 at 05:47, Aleksei Saiko <aleksei.saiko@gmail.com> wrote:

Ok, I added it to command, now it looks like this -
/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key

The keypass password, I take from client-certificates.readme file in 'out' folder.

When running the updated command, I receive this error -

root@es-encr-001:config# /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh --enable-shard-allocation -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass dyrhL6JDgdum --ignore-clustername -key /etc/elasticsearch/kirk.key
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]
13:40:56.895 [elasticsearch[_client_][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:1.8.0_162]
  at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_162]
  at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_162]
  at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.30.Final.jar:4.1.30.Final]
  at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-common-4.1.30.Final.jar:4.1.30.Final]
  at java.lang.Thread.run(Thread.java:748) [?:1.8.0_162]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{cfY_0zZ0R9O7nmknW1l5Mg}{localhost}{127.0.0.1:9300}]]
  at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:349)
  at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:247)
  at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
  at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:382)
  at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:395)
  at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:384)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:454)
  at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

Once again, the added conf for elasticsearch.yml is

searchguard.ssl.transport.pemcert_filepath: es-encr-001.pem
searchguard.ssl.transport.pemkey_filepath: es-encr-001.key
searchguard.ssl.transport.pemkey_password: jyQKPd3weIsd
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: es-encr-001_http.pem
searchguard.ssl.http.pemkey_filepath: es-encr-001_http.key
searchguard.ssl.http.pemkey_password: L9Fl1UHRbhGk
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
- CN=es-encr-001.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
- CN=es-encr-002.xxxx.com,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
- CN=es-encr-003.xxxxcom,OU=IL,O=Pipl Com\, Inc.,DC=xxxx,DC=com
searchguard.authcz.admin_dn:
- CN=kirk.xxxx.com,OU=IL,O=xxxx Com\, Inc.,DC=xxxx,DC=com
"elasticsearch.yml" 114L, 4128C

Your command should look like

/usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-6/sgconfig/ -icl -nhnv -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/kirk.pem -keypass aqTmoD7aBrpX --ignore-clustername -key /etc/elasticsearch/kirk.key.pem


Hey,
I made another ES test cluster of 3 nodes, installed a new version of ES (6.6.1), Kibana and SG (all latest versions), and everything seems to be working.
Maybe it’s something that has to do with versions…

Anyhow, I will try to do the same on my non-test cluster, and if I experience any problems, I will open a thread.

Also, I have a last question.

After SG has been installed, to use Cerebro for example, I need to authenticate myself now, of course.

If the Kirk user is an admin, do I need to log in as Kirk with its password? Because it doesn’t work.

Thanks!

On Tuesday, 5 March 2019 at 19:27:00 UTC+2, Search Guard wrote:

Can you provide the yml config you used to create the certificates with the TLS tool? Or how did you use the online TLS certificate generator?
