Error after running initial sgadmin.sh

Sorry for bugging you. I feel like the issue I am encountering is a simple one but cannot figure it out. I feel like I am close though. :)

Elasticsearch seems to be happy with the install of Search Guard except when it's time to initialize the config via sgadmin.sh. The elastic logs show the below in trace debugging.

Treat certificate with principal [CN=kirk.example.com,OU=Ops,O=example,DC=example,DC=com, CN=kirk.example.com,OU=Ops,O=example,DC=example,DC=com] NOT as other node because we it does not matches one of [CN=masterES.example.com,OU=Ops,O=example,DC=example,DC=com]
[2018-06-25T20:13:14,932][TRACE][c.f.s.t.DefaultInterClusterRequestEvaluator] No subject alternative names (san) found

I can't seem to figure this out. I've read some posts but those resolutions haven't worked in my case.

Can someone lend a hand? I used your nifty tool, sgtlstool.sh, to generate the certs.

If I am missing anything, please let me know and I’ll attach.

Cheers

Attached

output from sgtlsdiag.sh attached for masterES.pem and kirk.pem, output of ls -lah /etc/elasticsearch/config.

elasticsearch.yml

trace elasticsearch.log

  • Search Guard and Elasticsearch version

Search Guard 6.3.0-22.3

Elasticsearch 6.3.0

  • Installed and used enterprise modules, if any

disabled via elasticsearch.yml

searchguard.enterprise_modules_enabled: false

  • JVM version and operating system version

java version “1.8.0_171”
Java™ SE Runtime Environment (build 1.8.0_171-b11)
Java HotSpot™ 64-Bit Server VM (build 25.171-b11, mixed mode)

Ubuntu 18.04

  • Search Guard configuration files

Attached, but I'm not sure if that is what is being asked. Please let me know what else to attach and I will do so.

  • Elasticsearch log messages on debug level

attached as elasticsearch.log

  • Other installed Elasticsearch or Kibana plugins, if any

Only plugin is Search Guard.

sgtlsdiag.rtf (6.54 KB)

elasticsearch.yml.rtf (4.43 KB)

elasticsearch.log (442 KB)

The message on trace level is harmless. It just states that the certificate you use is an admin certificate, not a node certificate, which is what you want.

This entry here:

[2018-06-25T20:39:03,389][TRACE][c.f.s.c.AdminDNs ] Is principal CN=kirk.example.com,OU=Ops,O=example,DC=example,DC=com an admin cert? true

Shows that the kirk certificate you use is indeed an admin certificate. So everything seems to be fine. Do you experience any errors after executing sgadmin? If so, what are the effects and what is the output of the actual sgadmin call?

Thanks for the reply Jochen,

The trace error only happens when invoking sgadmin.sh. I've attached the command and stdout error from sgadmin.sh.

Thanks for your help.

sgadmin_output.rtf (2.05 KB)

→ Do you experience any errors after executing sgadmin? If so, what are the effects and what is the output of the actual sgadmin call?

Attached error earlier. The effects are that it appears that sgadmin doesn't complete, and the logging repeats this if Elasticsearch is running.

[2018-06-26T02:05:01,156][ERROR][c.f.s.a.BackendRegistry ] Not yet initialized (you may need to run sgadmin)

I think you are missing the clustername in your sgadmin call, could that be?

Either set the clustername explicitly via the -cn option, or tell SG to ignore the clustername by setting the -icl option.

If this does not help, please try to issue a “whoami” via sgadmin. For that, instead of providing the location of the configs with the -cd option, use -w. This should print some information about the used admin certificate.
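
The reply above, turned into a small script as an added example (it is not part of the thread and not Search Guard's own code): it reads `cluster.name` from the node's elasticsearch.yml and prints the sgadmin.sh arguments with a matching `-cn`, falls back to `-icl` when no name is set, and swaps `-cd` for `-w` for the "whoami" check. The file names `root-ca.pem` and `kirk.key`, the `./sgconfig` directory and the sample cluster name are assumptions.

```shell
#!/bin/sh
# Added example: derive sgadmin.sh arguments from the node's elasticsearch.yml
# so the cluster name sgadmin uses matches the running cluster.
# ROOT_CA, ADMIN_KEY and SGCONFIG_DIR are assumed names/paths; adjust them.
CERT_DIR=${CERT_DIR:-/etc/elasticsearch/config}   # directory listed in the thread
ROOT_CA=${ROOT_CA:-$CERT_DIR/root-ca.pem}         # assumed file name
ADMIN_CERT=${ADMIN_CERT:-$CERT_DIR/kirk.pem}      # admin certificate from the thread
ADMIN_KEY=${ADMIN_KEY:-$CERT_DIR/kirk.key}        # assumed file name
SGCONFIG_DIR=${SGCONFIG_DIR:-./sgconfig}          # assumed location of the sg_*.yml files

# Print the active cluster.name from an elasticsearch.yml (empty if unset or
# commented out, as in the stock file), without quotes or trailing comments.
cluster_name_from_yml() {
    sed -n 's/^[[:space:]]*cluster\.name:[[:space:]]*//p' "$1" | head -n 1 |
        sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e "s/^[\"']//" -e "s/[\"']\$//"
}

# Print the sgadmin.sh argument list. Mode "update" uploads the configuration
# with -cd; mode "whoami" replaces -cd with -w to show how the cluster sees the
# admin certificate. Without a cluster.name in the file, fall back to -icl.
sgadmin_args() {
    name=$(cluster_name_from_yml "$1")
    if [ -n "$name" ]; then scope="-cn $name"; else scope="-icl"; fi
    case ${2:-update} in
        update) action="-cd $SGCONFIG_DIR" ;;
        whoami) action="-w" ;;
        *) echo "unknown mode: $2" >&2; return 2 ;;
    esac
    echo "-cacert $ROOT_CA -cert $ADMIN_CERT -key $ADMIN_KEY $scope $action"
}

# Constructed sample input, so the script runs without a cluster.
sample=$(mktemp)
printf '%s\n' '#cluster.name: my-application' \
    'cluster.name: "logging-prod"  # constructed value' \
    'searchguard.enterprise_modules_enabled: false' > "$sample"
echo "./sgadmin.sh $(sgadmin_args "$sample" update)"
echo "./sgadmin.sh $(sgadmin_args "$sample" whoami)"
rm -f "$sample"
```

Run it against the real file (for example `sgadmin_args /etc/elasticsearch/elasticsearch.yml whoami`) and start with the `-w` form, which does not change the cluster's configuration.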

You wizard. :)

That was it. I added the cluster name parameter to the sgadmin one-liner and it worked. Thank you, thank you.
