[ERROR][c.f.s.t.SearchGuardRequestHandler] Cannot authenticate null

Hi,

  • Search Guard and Elasticsearch version 5.6.2

  • Installed and used enterprise modules, if any

  • JVM version and operating system version 1.8

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins: none

On a two-node cluster, I am trying Search Guard by running sgadmin.

./plugins/search-guard-5/tools/sgadmin.sh -cd ../sgconfig/sg_config.yml -nhnv -accept-red-cluster -cacert /root/ca/certs/ca.crt.pem -cert /root/u50565.pem -key /root/u50565.pk8 -port 9301 -host s2s005ge.hu.srv.acc.sys -cn new-act-elastic -diagnose

I got the following:

[2017-11-17T14:05:33,407][DEBUG][o.e.a.ActionModule ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
[2017-11-17T14:05:33,469][INFO ][c.f.s.SearchGuardPlugin ] FLS/DLS valve not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.DlsFlsValveImpl
[2017-11-17T14:05:33,470][INFO ][c.f.s.SearchGuardPlugin ] Auditlog not available due to java.lang.ClassNotFoundException: com.floragunn.searchguard.auditlog.impl.AuditLogImpl
[2017-11-17T14:05:33,471][DEBUG][c.f.s.SearchGuardPlugin ] Using com.floragunn.searchguard.transport.DefaultInterClusterRequestEvaluator as intercluster request evaluator class
[2017-11-17T14:05:33,472][INFO ][c.f.s.SearchGuardPlugin ] Privileges interceptor not bound (noop) due to java.lang.ClassNotFoundException: com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl
[2017-11-17T14:05:33,483][DEBUG][c.f.s.c.AdminDNs ] C=HU,ST=Budapest,O=Sh Shop Zrt,OU=ICT,CN=u50565 is registered as an admin dn
[2017-11-17T14:05:33,485][DEBUG][c.f.s.c.AdminDNs ] Loaded 1 admin DN's [C=HU,ST=Budapest,O=ShShop Zrt,OU=ICT,CN=u50565]
[2017-11-17T14:05:33,486][DEBUG][c.f.s.c.AdminDNs ] Loaded 0 impersonation DN's {}
[2017-11-17T14:05:33,505][DEBUG][c.f.s.c.ConfigurationLoader] Index is: searchguard
[2017-11-17T14:05:33,508][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.http.XFFResolver@23ad71bf
[2017-11-17T14:05:33,559][DEBUG][c.f.s.c.IndexBaseConfigurationRepository] Subscribe on configuration changes by type config with listener com.floragunn.searchguard.auth.BackendRegistry@6518fdfd
[2017-11-17T14:05:33,631][DEBUG][c.f.s.h.SearchGuardNonSslHttpServerTransport] [new-elastic-act1] using max_chunk_size[8kb], max_header_size[8kb], max_initial_line_length[4kb], max_content_length[100mb], receive_predictor[64kb->64kb], pipelining[true], pipelining_max_events[10000]
[2017-11-17T14:05:33,634][INFO ][o.e.d.DiscoveryModule ] [new-elastic-act1] using discovery type [zen]
[2017-11-17T14:05:34,517][INFO ][o.e.n.Node ] [new-elastic-act1] initialized
[2017-11-17T14:05:34,517][INFO ][o.e.n.Node ] [new-elastic-act1] starting ...
[2017-11-17T14:05:34,593][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [new-elastic-act1] using profile[default], worker_count[4], port[9301], bind_host[null], publish_host[null], compress[false], connect_timeout[30s], connections_per_node[2/3/6/1/1], receive_predictor[64kb->64kb]
[2017-11-17T14:05:34,601][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [new-elastic-act1] binding server bootstrap to: [10.238.131.23]
[2017-11-17T14:05:34,681][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [new-elastic-act1] Bound profile [default] to address {10.238.131.23:9301}
[2017-11-17T14:05:34,683][INFO ][o.e.t.TransportService ] [new-elastic-act1] publish_address {10.238.131.23:9301}, bound_addresses {10.238.131.23:9301}
[2017-11-17T14:05:34,699][INFO ][o.e.b.BootstrapChecks ] [new-elastic-act1] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-11-17T14:05:34,706][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists ...
[2017-11-17T14:05:34,719][DEBUG][o.e.a.a.i.e.i.TransportIndicesExistsAction] [new-elastic-act1] no known master node, scheduling a retry
[2017-11-17T14:05:37,792][INFO ][o.e.c.s.ClusterService ] [new-elastic-act1] new_master {new-elastic-act1}{dn6kgzWqTOixX2fwlrgFSQ}{wOGWBKQHTd-ypiqQR1Tu4A}{s2s005ge.hu.srv.acc.sys}{10.238.131.23:9301}, reason: zen-disco-elected-as-master ([0] nodes joined)
[2017-11-17T14:05:37,832][DEBUG][c.f.s.h.SearchGuardNonSslHttpServerTransport] [new-elastic-act1] Bound http to address {10.238.131.23:9201}
[2017-11-17T14:05:37,832][INFO ][c.f.s.h.SearchGuardNonSslHttpServerTransport] [new-elastic-act1] publish_address {10.238.131.23:9201}, bound_addresses {10.238.131.23:9201}
[2017-11-17T14:05:37,833][INFO ][o.e.n.Node ] [new-elastic-act1] started
[2017-11-17T14:05:38,207][INFO ][c.f.s.c.IndexBaseConfigurationRepository] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster
[2017-11-17T14:05:38,207][INFO ][o.e.g.GatewayService ] [new-elastic-act1] recovered [3] indices into cluster_state
[2017-11-17T14:06:22,308][DEBUG][c.f.s.s.t.SearchGuardSSLNettyTransport] [new-elastic-act1] connected to node [{new-elastic-act2}{1f6VAuzjTX61qbwmCbIy-A}{_En_ujzRSLGpoLAzJ2tHag}{s2s005hx.hu.srv.acc.sys}{10.238.131.24:9301}]
[2017-11-17T14:06:22,376][INFO ][o.e.c.s.ClusterService ] [new-elastic-act1] added {{new-elastic-act2}{1f6VAuzjTX61qbwmCbIy-A}{_En_ujzRSLGpoLAzJ2tHag}{s2s005hx.hu.srv.acc.sys}{10.238.131.24:9301},}, reason: zen-disco-node-join[{new-elastic-act2}{1f6VAuzjTX61qbwmCbIy-A}{_En_ujzRSLGpoLAzJ2tHag}{s2s005hx.hu.srv.acc.sys}{10.238.131.24:9301}]
[2017-11-17T14:06:22,607][WARN ][o.e.d.z.ElectMasterService] [new-elastic-act1] value for setting "discovery.zen.minimum_master_nodes" is too low. This can result in data loss! Please set it to at least a quorum of master-eligible nodes (current value: [1], total number of master-eligible nodes used for publishing in this round: [2])
[2017-11-17T14:07:16,456][WARN ][c.f.s.a.BackendRegistry ] Transport authentication finally failed for CN=u50565,OU=ICT,O=Sh Shop Zrt,ST=Budapest,C=HU
[2017-11-17T14:07:16,457][ERROR][c.f.s.t.SearchGuardRequestHandler] Cannot authenticate null

[2017-11-17T14:07:21,217][WARN ][c.f.s.a.BackendRegistry ] Transport authentication finally failed for CN=u50565,OU=ICT,O=Sh Shop Zrt,ST=Budapest,C=HU
[2017-11-17T14:07:21,217][ERROR][c.f.s.t.SearchGuardRequestHandler] Cannot authenticate null

Please post your elasticsearch.yml.


Hi, finally I found the solution

In elasticsearch.yml I changed searchguard.authcz.admin_dn from

OU=ICT,O=Sh Shop Zrt,C=HU,ST=Budapest,CN=u50565

to this:

CN=u50565,OU=ICT,O=Sh Shop Zrt,ST=Budapest,C=HU

Thanks!!
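
The mismatch behind this fix can be read directly from the debug log by comparing the DN that `AdminDNs` registers with the DN named in the `Transport authentication finally failed for` line. The script below is an added example, not part of the original posts and not Search Guard code. It assumes DNs are compared RDN by RDN in order, which is what the fix above implies; the function names are illustrative and the sample input is three lines copied from the log in the first post.

```python
import re

# Constructed sample: three lines copied from the debug log in the first post.
SAMPLE_LOG = """\
[2017-11-17T14:05:33,483][DEBUG][c.f.s.c.AdminDNs ] C=HU,ST=Budapest,O=Sh Shop Zrt,OU=ICT,CN=u50565 is registered as an admin dn
[2017-11-17T14:07:16,456][WARN ][c.f.s.a.BackendRegistry ] Transport authentication finally failed for CN=u50565,OU=ICT,O=Sh Shop Zrt,ST=Budapest,C=HU
[2017-11-17T14:07:16,457][ERROR][c.f.s.t.SearchGuardRequestHandler] Cannot authenticate null
"""

REGISTERED = re.compile(r"AdminDNs\s*\]\s*(.+?) is registered as an admin dn\s*$")
FAILED = re.compile(r"Transport authentication finally failed for (.+?)\s*$")
RANK = {"match": 0, "order-mismatch": 1, "different": 2}


def parse_dn(dn):
    """Split a DN string into an ordered list of (TYPE, value) pairs.

    Commas escaped with a backslash stay inside the value.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape sequence intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))

    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an RDN: %r" % part)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def compare_dn(configured, presented):
    """Return 'match', 'order-mismatch' (same RDNs, other order) or 'different'."""
    a, b = parse_dn(configured), parse_dn(presented)
    if a == b:
        return "match"
    if sorted(a) == sorted(b):
        return "order-mismatch"
    return "different"


def diagnose(log_text):
    """Pair each rejected client DN with the admin DNs the node registered."""
    registered, presented = [], []
    for line in log_text.splitlines():
        m = REGISTERED.search(line)
        if m:
            registered.append(m.group(1).strip())
        m = FAILED.search(line)
        if m and m.group(1) not in presented:
            presented.append(m.group(1))

    findings = []
    for dn in presented:
        verdicts = [compare_dn(r, dn) for r in registered] or ["different"]
        findings.append({
            "presented": dn,
            "registered": list(registered),
            "verdict": min(verdicts, key=RANK.get),  # best verdict wins
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f["verdict"], "->", f["presented"])
        if f["verdict"] == "order-mismatch":
            print("set searchguard.authcz.admin_dn to the presented DN verbatim")
```

An `order-mismatch` verdict means the configured value names the right certificate but lists its RDNs in a different sequence than the certificate presents; `different` points to a typo or to another certificate.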


Hey Everyone,

First of all, great work figuring this out, Jozsef!

I am facing the same thing. I copied the DN from the “Transport authentication finally failed for…” message and put it in my elasticsearch.yml as Jozsef did. However, I am still getting the same error message.

Note: I am using a pem/crt/cacert combo and here’s my command:

./sgadmin.sh -cert /deploy/elasticsearch/config/es.crt -cacert /deploy/elasticsearch/config/es.cacrt -key /deploy/elasticsearch/config/es.pem -nhnv -icl -arc

Any ideas?

–John


Hi John,
Sorry, I don't have any idea. They have extensive but inaccurate docs, unfortunately.

Hi Jozsef,

Gotcha, no worries, I do thank you for this thread as I think it’s putting me on the right path to figure this out. I will post my solution once I arrive at it.

Thanks again!

–John
