Error while sgadmin initialization using TLS offline tool certificate

ES version : 6.2.4

SG version : 6.2.4:23

Java : 8

I am getting the following error while initializing sgadmin. I have generated the certificates using the SG TLS offline tool.

Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{zMZRyc4GTImLzL9Tyc92KQ}{localhost}{127.0.0.1:9300}]
16:59:14.013 [elasticsearch[client][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:1.8.0_161]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_161]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_161]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_161]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:1.8.0_161]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    ... 19 more
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
    at sun.security.util.HostnameChecker.matchDNS(Unknown Source) ~[?:1.8.0_161]
    at sun.security.util.HostnameChecker.match(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:1.8.0_161]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_161]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:1.8.0_161]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
    ... 19 more

ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information

Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{zMZRyc4GTImLzL9Tyc92KQ}{localhost}{127.0.0.1:9300}]]
    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
    at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
    at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:450)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)


Configurations:

elasticsearch.yml:

searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: *****
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1_http.pem
searchguard.ssl.http.pemkey_filepath: node1_http.key
searchguard.ssl.http.pemkey_password: ******
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.nodes_dn:
searchguard.authcz.admin_dn:

What is your exact sgadmin call? Did you disable hostname verification via the -nhnv flag?

···

On Thursday, September 20, 2018 at 2:21:25 PM UTC+2, chinmaya mishra wrote:


sgadmin call is :

sgadmin.bat -key …\sgconfig\smu.key -keypass ***** -cert …\sgconfig\smu.pem -cacert …\sgconfig\root-ca.pem

No, I have not disabled hostname verification via the -nhnv flag. I disabled it in the elasticsearch.yml config, as mentioned in my previous comment.

I mean disabling hostname verification on the sgadmin call via the -nhnv flag. You need to disable it because it seems you do not have any valid DNS names in your certificates:

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.


You should also set the cluster name via the -cn flag, or tell sgadmin to ignore the clustername via the -icl flag.

···

On Friday, September 21, 2018 at 5:08:23 AM UTC+2, chinmaya mishra wrote:

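The check that sgadmin is failing above is the JDK's ordinary hostname verification: sgadmin is a TLS transport client, so the node's `searchguard.ssl.transport.enforce_hostname_verification: false` setting (which governs node-to-node connections) does nothing for it, and the server certificate must carry a DNS SAN matching the host sgadmin connects to (`localhost` by default), or an IP SAN when the host is an IP literal. The script below is an added example written for this page, not code from the thread or from Search Guard. It replays that check offline against the SAN listing you get from `openssl x509 -in node1.pem -noout -ext subjectAltName`, reproduces the exact "No subject alternative DNS name matching ... found." message, and suggests the least invasive sgadmin flags: `-h` to connect under a name the certificate actually carries, with `-nhnv` only as the fallback. The SAN text, the node name and the IP are constructed sample data (the `RID:1.2.3.4.5.5` entry is the OID the Search Guard TLS tool adds for node identification; it is not a hostname and is ignored by the check).

```python
"""Replay the JDK hostname check sgadmin performs against a node certificate's SANs.

Added example, not part of the original thread or of Search Guard. Input is the
SAN block as printed by `openssl x509 -noout -ext subjectAltName`. Sample data
below is constructed; it is not the poster's real certificate.
"""
import ipaddress

# Constructed sample: a node cert issued for one DNS name and one IP, and
# nothing for "localhost" (which is what sgadmin connects to unless told otherwise).
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:node1.example.com, IP Address:10.0.0.11, RID:1.2.3.4.5.5"""


def parse_san(text):
    """Turn openssl's SAN listing into [(kind, value), ...], e.g. ("DNS", "node1.example.com")."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue
        for item in line.split(","):
            kind, _, value = item.strip().partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries


def _dns_match(pattern, host):
    """RFC 6125-style match as the JDK applies it: case-insensitive, trailing dot
    ignored, '*' allowed only as the entire leftmost label and never for a
    two-label pattern such as '*.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(host, san_entries):
    """Return (ok, reason) the way X509TrustManagerImpl.checkIdentity decides it:
    an IP literal is matched against IP SANs, a name against DNS SANs. Other SAN
    kinds (the RID node OID, email, URI) never satisfy the check."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        ips = [v for k, v in san_entries if k.startswith("IP")]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP SAN matches %s" % host
        return False, "No subject alternative names matching IP address %s found" % host
    names = [v for k, v in san_entries if k == "DNS"]
    if any(_dns_match(n, host) for n in names):
        return True, "DNS SAN matches %s" % host
    return False, "No subject alternative DNS name matching %s found." % host


def sgadmin_options(host, san_entries):
    """Suggest how to get sgadmin past hostname verification for this certificate.

    Preferred: point sgadmin at a name or IP the cert carries (its -h option).
    Fallback: -nhnv, which switches the check off for this one client connection
    and is the flag the thread recommends when the cert has no usable names."""
    ok, reason = check_identity(host, san_entries)
    if ok:
        return {"status": "ok", "reason": reason, "flags": [], "fallback": []}
    candidates = [v for k, v in san_entries
                  if (k == "DNS" or k.startswith("IP")) and "*" not in v]
    if candidates:
        return {"status": "mismatch", "reason": reason,
                "flags": ["-h", candidates[0]], "fallback": ["-nhnv"]}
    return {"status": "mismatch", "reason": reason, "flags": ["-nhnv"], "fallback": []}


if __name__ == "__main__":
    entries = parse_san(SAMPLE_SAN_TEXT)
    for target in ("localhost", "127.0.0.1", "node1.example.com", "10.0.0.11"):
        print(target, "->", sgadmin_options(target, entries))
```

Run it and the first line reproduces the thread's failure for `localhost`, with `-h node1.example.com` as the way out that keeps verification on. The durable fix is to regenerate the node certificates with the offline TLS tool's node config listing every DNS name and IP that clients will connect through, including `localhost` if sgadmin is run on the node itself; `-nhnv` should stay an admin-session workaround rather than a habit, since it removes the client's only guarantee that it is talking to the intended node.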