ERR: You try to connect with a ssl node certificate instead of an admin client certificate

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

Any help ?

···

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

···

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.

I have created the new certificate and run with sgadmin.sh and no error .

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/admin-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv -icl -h 127.0.0.1 -port 9740

searchguard index already exists, so we do not need to create one.

Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

But still error in elastic search

[2018-03-29T07:58:21,479][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Can you please help me

Thanks

Ashok

···

On Thursday, March 29, 2018 at 5:26:48 PM UTC+5:30, Jochen Kressin wrote:

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.

When does the second error happen? It seems unrelated to the sgadmin call since the config is updated ok.

“certificate unknown” usually means that the certificate, probably a node certificate, cannot be validated against the root CA in the truststore.

Please make sure you have checked your certificates and certificate content by following the steps here:

https://docs.search-guard.com/latest/troubleshooting-tls

···

On Thursday, March 29, 2018 at 2:00:55 PM UTC+2, priyadarshi bal wrote:

I have created the new certificate and run with sgadmin.sh and no error .

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/admin-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv -icl -h 127.0.0.1 -port 9740

searchguard index already exists, so we do not need to create one.

Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

But still error in elastic search

[2018-03-29T07:58:21,479][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Can you please help me

Thanks

Ashok

On Thursday, March 29, 2018 at 5:26:48 PM UTC+5:30, Jochen Kressin wrote:

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.

I have changed the keystore.jks with new ip-address but still no luck.Can you please check , if there is any issue with keystore

keytool -list -v -keystore node-0-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: node-0

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

#6: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: node-0.example.com

DNSName: localhost

IPAddress: 127.0.0.1

OIDName: 1.2.3.4.5.5

]

keytool -list -v -keystore /etc/elasticsearch/admin-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: admin

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=admin, OU=client, O=client, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

Serial number: c

Valid from: Thu Mar 29 03:32:50 EDT 2018 until: Sat Mar 28 03:32:50 EDT 2020

···

On Thursday, March 29, 2018 at 6:54:31 PM UTC+5:30, Jochen Kressin wrote:

When does the second error happen? It seems unrelated to the sgadmin call since the config is updated ok.

“certificate unknown” usually means that the certificate, probably a node certificate, cannot be validated against the root CA in the truststore.

Please make sure you have checked your certificates and certificate content by following the steps here:

https://docs.search-guard.com/latest/troubleshooting-tls

On Thursday, March 29, 2018 at 2:00:55 PM UTC+2, priyadarshi bal wrote:

I have created the new certificate and run with sgadmin.sh and no error .

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/admin-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv -icl -h 127.0.0.1 -port 9740

searchguard index already exists, so we do not need to create one.

Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

But still error in elastic search

[2018-03-29T07:58:21,479][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Can you please help me

Thanks

Ashok

On Thursday, March 29, 2018 at 5:26:48 PM UTC+5:30, Jochen Kressin wrote:

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.

What is the content of your truststore? Especially: Where did you put the signing CA “CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com”?

···

On Friday, March 30, 2018 at 8:03:26 AM UTC+2, priyadarshi bal wrote:

I have changed the keystore.jks with new ip-address but still no luck.Can you please check , if there is any issue with keystore

keytool -list -v -keystore node-0-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: node-0

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

#6: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: node-0.example.com

DNSName: localhost

IPAddress: 127.0.0.1

OIDName: 1.2.3.4.5.5

]

keytool -list -v -keystore /etc/elasticsearch/admin-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: admin

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=admin, OU=client, O=client, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

Serial number: c

Valid from: Thu Mar 29 03:32:50 EDT 2018 until: Sat Mar 28 03:32:50 EDT 2020

On Thursday, March 29, 2018 at 6:54:31 PM UTC+5:30, Jochen Kressin wrote:

When does the second error happen? It seems unrelated to the sgadmin call since the config is updated ok.

“certificate unknown” usually means that the certificate, probably a node certificate, cannot be validated against the root CA in the truststore.

Please make sure you have checked your certificates and certificate content by following the steps here:

https://docs.search-guard.com/latest/troubleshooting-tls

On Thursday, March 29, 2018 at 2:00:55 PM UTC+2, priyadarshi bal wrote:

I have created the new certificate and run with sgadmin.sh and no error .

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/admin-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv -icl -h 127.0.0.1 -port 9740

searchguard index already exists, so we do not need to create one.

Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

But still error in elastic search

[2018-03-29T07:58:21,479][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Can you please help me

Thanks

Ashok

On Thursday, March 29, 2018 at 5:26:48 PM UTC+5:30, Jochen Kressin wrote:

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.

I have fixed it.Looks like configuration issue for generating JKS certificate.

Thanks for giving me time.

···

On Friday, March 30, 2018 at 2:25:52 PM UTC+5:30, Jochen Kressin wrote:

What is the content of your truststore? Especially: Where did you put the signing CA “CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com”?

On Friday, March 30, 2018 at 8:03:26 AM UTC+2, priyadarshi bal wrote:

I have changed the keystore.jks with new ip-address but still no luck.Can you please check , if there is any issue with keystore

keytool -list -v -keystore node-0-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: node-0

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

#6: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: node-0.example.com

DNSName: localhost

IPAddress: 127.0.0.1

OIDName: 1.2.3.4.5.5

]

keytool -list -v -keystore /etc/elasticsearch/admin-keystore.jks

Enter keystore password:

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

Alias name: admin

Creation date: Mar 29, 2018

Entry type: PrivateKeyEntry

Certificate chain length: 3

Certificate[1]:

Owner: CN=admin, OU=client, O=client, L=Test, C=DE

Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

Serial number: c

Valid from: Thu Mar 29 03:32:50 EDT 2018 until: Sat Mar 28 03:32:50 EDT 2020

On Thursday, March 29, 2018 at 6:54:31 PM UTC+5:30, Jochen Kressin wrote:

When does the second error happen? It seems unrelated to the sgadmin call since the config is updated ok.

“certificate unknown” usually means that the certificate, probably a node certificate, cannot be validated against the root CA in the truststore.

Please make sure you have checked your certificates and certificate content by following the steps here:

https://docs.search-guard.com/latest/troubleshooting-tls

On Thursday, March 29, 2018 at 2:00:55 PM UTC+2, priyadarshi bal wrote:

I have created the new certificate and run with sgadmin.sh and no error .

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/admin-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv -icl -h 127.0.0.1 -port 9740

searchguard index already exists, so we do not need to create one.

Populate config from /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-5/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

But still error in elastic search

[2018-03-29T07:58:21,479][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Can you please help me

Thanks

Ashok

On Thursday, March 29, 2018 at 5:26:48 PM UTC+5:30, Jochen Kressin wrote:

I can only tell you what’s already in the error message, I think it’s quite clear:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate

On Thursday, March 29, 2018 at 10:52:04 AM UTC+2, priyadarshi bal wrote:

Any help ?

On Thursday, March 29, 2018 at 10:43:45 AM UTC+5:30, priyadarshi bal wrote:

I am using ES 5.6.7 and searchgurad 5.6.7-19 .I am getting below error “ERR: You try to connect with a ssl node certificate instead of an admin client certificate” while running with sgadmin.sh

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-5/sgconfig -ks /etc/elasticsearch/node-0-keystore.jks -kspass xxxxx -ts /etc/elasticsearch/truststore.jks -tspass xxxxxx -nhnv -icl -h localhost -port 9740

And in elasticsearch log file , i am getting below error

[2018-03-29T01:12:10,795][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [127.0.0.1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

please find my elasticsearch.yml details

cluster.name: XXX_sandbox_cluster

node.name: 127.0.0.1

network.host: 127.0.0.1

transport.tcp.port: 9740

http.port: 9640

#discovery.zen.ping.unicast.hosts: [“xxxxxx”]

path.data: /data/elasticsearch

path.logs: /log/elasticsearch

script.engine.groovy.inline.aggs: on

searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks

searchguard.ssl.transport.keystore_password: XXX

searchguard.ssl.transport.truststore_filepath: truststore.jks

searchguard.ssl.transport.truststore_password: XXX

#searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.transport.enabled: true

searchguard.ssl.http.enabled: true

searchguard.ssl.http.keystore_filepath: node-0-keystore.jks

searchguard.ssl.http.keystore_password: XXX

searchguard.ssl.http.truststore_filepath: truststore.jks

searchguard.ssl.http.truststore_password: xxxxx

searchguard.authcz.admin_dn:

  • CN=admin,OU=SSL,O=Test,L=Test,C=DE

node.max_local_storage_nodes: 1

Could you please help me on this

Thanks

Ashok

This means you have used a node certificate (e.g. in node-0-keystore.jks) and not the configured admin certificate (CN=admin,OU=SSL,O=Test,L=Test,C=DE) when using sgadmin. Node certificates are for inter-node communication only.