ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem

Hi:
When I execute the command "/opt/elasticsearch-5.5.1/plugins/search-guard-5/tools/sgadmin.sh -cd /opt/elasticsearch-5.5.1/plugins/search-guard-5/sgconfig -cn test-es -ks /opt/elasticsearch-5.5.1/config/kirk.jks -ts /opt/elasticsearch-5.5.1/config/truststore.jks -nhnv"
the following error is reported:

Contacting elasticsearch cluster ‘test-es’ and wait for YELLOW clusterstate …
Cannot retrieve cluster state due to: None of the configured nodes are available: [{#transport#-1}{fuNu-HfFSbWb2azG9fXF8Q}{localhost}{10.104.24.95:9300}]. This is not an error, will keep on trying …

  • Try running sgadmin.sh with -icl (but no -cl) and -nhnv (If thats works you need to check your clustername as well as hostnames in your SSL certificates)
  • Make also sure that your keystore or cert is a client certificate (not a node certificate) and configured properly in elasticsearch.yml
  • If this is not working, try running sgadmin.sh with --diagnose and see diagnose trace log file)
  • Add --accept-red-cluster to allow sgadmin to operate on a red cluster.
18:56:43.936 [elasticsearch[client][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:1.8.0_144]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_144]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_144]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_144]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_144]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:579) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:496) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_144]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_144]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_144]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_144]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:1.8.0_144]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:1.8.0_144]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1295) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1208) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
... 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The version of Search Guard is 5.5.1.

Look forward to your reply

Hi @fly

Can you provide your elasticsearch.yaml file?

Are the keystore files located in the config directory?

Hi @sirHusky
1. The content of the elasticsearch.yaml file is:
cluster.name: test-es
node.name: test-es-master1
path.data: /es_data
path.logs: /es_data/logs
network.host: 10.104.24.95
node.master: true
discovery.zen.minimum_master_nodes: 1
discovery.zen.ping.unicast.hosts: ["10.104.24.95"]
script.inline: true
script.stored: true
script.engine.groovy.inline.aggs: true

# x-pack

xpack.security.enabled: false
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.watcher.enabled: false
xpack.ml.enabled: false

######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.pemcert_filepath: ./pem-key/node1.pem
searchguard.ssl.transport.pemkey_filepath: ./pem-key/node1.key
searchguard.ssl.transport.pemkey_password: HOBqMd6nnUb7
searchguard.ssl.transport.pemtrustedcas_filepath: ./pem-key/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.pemcert_filepath: ./pem-key/node1_http.pem
searchguard.ssl.http.pemkey_filepath: ./pem-key/node1_http.key
searchguard.ssl.http.pemkey_password: PHz1330ZquzK
searchguard.ssl.http.pemtrustedcas_filepath: ./pem-key/root-ca.pem
searchguard.nodes_dn:

2. The location of elasticsearch.yaml is "/opt/elasticsearch-5.5.1/config" and the location of the keystore files is "/opt/elasticsearch-5.5.1/config/pem-key".

Look forward to your reply

@fly you are not using a truststore. You are using PEM certificates.

Therefore in order to run the sgadmin.sh tool you will need to mention the certificates, like so:

"/opt/elasticsearch-5.5.1/plugins/search-guard-5/tools/sgadmin.sh -cd /opt/elasticsearch-5.5.1/plugins/search-guard-5/sgconfig -cn test-es -key /opt/elasticsearch-5.5.1/config/pem-key/kirk.key -cert /opt/elasticsearch-5.5.1/config/pem-key/kirk.pem -cacert /opt/elasticsearch-5.5.1/config/pem-key/root-ca.pem -nhnv"

(Assuming your admin certificate is named kirk.pem and kirk.key)
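The root cause in this thread is a mismatch between the trust material the node is configured with (PEM files under searchguard.ssl.transport.*) and the trust material handed to sgadmin.sh (a JKS truststore via -ks/-ts): the client cannot chain the node certificate to anything it trusts, which is what "PKIX path building failed" reports. The following preflight script is an added example, not code from the thread or from Search Guard. It reads the node's elasticsearch.yml, detects whether the transport layer uses PEM files or keystores, builds the matching sgadmin.sh argument list, and flags the wrong-mode combination before a handshake is attempted. The admin certificate name "kirk" and its location next to the trusted CA file are assumptions, exactly as in the answer above; the sample YAML is constructed from the thread's config with the key password omitted.

```python
"""Preflight check for sgadmin.sh against a Search Guard node (added example).

Decides, from elasticsearch.yml, whether sgadmin must be given PEM options
(-key/-cert/-cacert) or keystore options (-ks/-ts), so both ends of the
transport TLS handshake are anchored to the same CA.
"""
import posixpath

# Constructed input: the relevant lines of the elasticsearch.yml posted
# in the thread, with the private-key password left out.
SAMPLE_YML = """\
cluster.name: test-es
node.name: test-es-master1
discovery.zen.ping.unicast.hosts: ["10.104.24.95"]
# x-pack
xpack.security.enabled: false
######## Start Search Guard Demo Configuration ########
searchguard.ssl.transport.pemcert_filepath: ./pem-key/node1.pem
searchguard.ssl.transport.pemkey_filepath: ./pem-key/node1.key
searchguard.ssl.transport.pemtrustedcas_filepath: ./pem-key/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.nodes_dn:
"""

TRANSPORT = "searchguard.ssl.transport."


def parse_es_yml(text):
    """Parse the flat 'key: value' lines elasticsearch.yml uses.

    Blank lines and '#' comments are skipped; a key with no value
    (e.g. 'searchguard.nodes_dn:') maps to None. Nested YAML is out of scope.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        cfg[key.strip()] = value.strip() or None
    return cfg


def detect_transport_ssl_mode(cfg):
    """Return 'pem', 'keystore', or None for the node's transport-layer setup."""
    if cfg.get(TRANSPORT + "pemtrustedcas_filepath"):
        return "pem"
    if cfg.get(TRANSPORT + "truststore_filepath"):
        return "keystore"
    return None


def resolve(config_dir, path):
    """Resolve a path given relative to the Elasticsearch config directory."""
    return posixpath.normpath(posixpath.join(config_dir, path))


def build_sgadmin_args(cfg, config_dir, sgconfig_dir, admin_name="kirk"):
    """Build sgadmin.sh arguments that match the node's SSL mode.

    Assumption (hypothetical, as in the thread's answer): for PEM nodes the
    admin cert/key live next to the trusted CA as <admin_name>.pem/.key.
    """
    mode = detect_transport_ssl_mode(cfg)
    if mode is None:
        raise ValueError("no Search Guard transport SSL settings found")
    args = ["-cd", sgconfig_dir, "-cn", cfg["cluster.name"]]
    if mode == "pem":
        ca = resolve(config_dir, cfg[TRANSPORT + "pemtrustedcas_filepath"])
        cert_dir = posixpath.dirname(ca)
        args += ["-key", posixpath.join(cert_dir, admin_name + ".key"),
                 "-cert", posixpath.join(cert_dir, admin_name + ".pem"),
                 "-cacert", ca]
    else:
        args += ["-ks", resolve(config_dir, cfg[TRANSPORT + "keystore_filepath"]),
                 "-ts", resolve(config_dir, cfg[TRANSPORT + "truststore_filepath"])]
    # The node skips hostname verification, so sgadmin must too (-nhnv).
    if cfg.get(TRANSPORT + "enforce_hostname_verification") == "false":
        args.append("-nhnv")
    return args


def check_args_against_mode(cfg, args):
    """Return a list of problems where sgadmin's options contradict the node.

    A JKS truststore given to sgadmin while the node trusts a PEM CA is the
    mismatch behind the thread's 'PKIX path building failed' handshake error.
    """
    mode = detect_transport_ssl_mode(cfg)
    problems = []
    if mode == "pem" and ("-ks" in args or "-ts" in args):
        problems.append("node uses PEM files but sgadmin got -ks/-ts; use -key/-cert/-cacert")
    if mode == "keystore" and any(a in args for a in ("-key", "-cert", "-cacert")):
        problems.append("node uses keystores but sgadmin got PEM options; use -ks/-ts")
    return problems


if __name__ == "__main__":
    cfg = parse_es_yml(SAMPLE_YML)
    print(" ".join(build_sgadmin_args(
        cfg, "/opt/elasticsearch-5.5.1/config",
        "/opt/elasticsearch-5.5.1/plugins/search-guard-5/sgconfig")))
```

Run against the thread's config, the script emits the same -key/-cert/-cacert/-nhnv argument set the answer gives, and `check_args_against_mode` reports the original -ks/-ts invocation as a PEM/keystore mismatch.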

Hi @sirHusky
Yes, you are right. The problem has been solved.
Thank you!
