Error with enable_openssl_if_available when using sgadmin.sh

Elasticsearch version: 7.17.9

Server OS version: Docker with official Elasticsearch Image

Kibana version (if relevant): 7.17.9

Describe the issue:
Hello, I’m trying to install Search Guard on an Elasticsearch/Kibana stack in Docker containers.
Many interesting features could help us such as authentication or multitenancy.

Until now, everything was OK: I have the Search Guard login page when I go to my Kibana, and I can create users/roles/rights, even hide data from desired users: perfect.

Now, I want to use yml files to load pre-configured users, tenants and roles instead of doing it manually.
After start, when my container is ready, I try this command:

./plugins/search-guard-flx/tools/sgadmin.sh -cd ./config/sg/ -nhnv -icl -noopenssl -cacert ./config/root-ca.pem -cert ./config/admin.pem -key ./config/admin.key -p 9300

(I just added -noopenssl to be sure that is not the problem, but I have the same result without it.)

The result of this command is the following log:

> Search Guard Admin v7
Will connect to localhost:9300 ... done
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
SLF4J: Class path contains SLF4J bindings targeting slf4j-api versions 1.7.x or earlier.
SLF4J: Ignoring binding found at [jar:file:/usr/share/elasticsearch/plugins/search-guard-flx/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Ignoring binding found at [jar:file:/usr/share/elasticsearch/plugins/search-guard-flx/deps/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See https://www.slf4j.org/codes.html#ignoredBindings for an explanation.
ERR: An unexpected IllegalArgumentException occured: unknown setting [searchguard.ssl.transport.enable_openssl_if_available] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
Trace:
java.lang.IllegalArgumentException: unknown setting [searchguard.ssl.transport.enable_openssl_if_available] please check that any required plugins are installed, or check the breaking changes documentation for removed settings
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:561)
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:507)
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:477)
        at org.elasticsearch.common.settings.AbstractScopedSettings.validate(AbstractScopedSettings.java:447)
        at org.elasticsearch.common.settings.SettingsModule.<init>(SettingsModule.java:137)
        at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:166)
        at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:347)
        at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:1088)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.execute(SearchGuardAdmin.java:612)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:157)

I think the relevant line is “unknown setting [searchguard.ssl.transport.enable_openssl_if_available]”, so I tried to add searchguard.ssl.transport.enable_openssl_if_available: true or false in my elasticsearch.yml, and I have the same log but when my Elasticsearch is starting.

I tried many solutions found on your forums and in Git repo issues, and re-read the docs, but after days on it I can’t figure out what is happening or what I am doing wrong.

Expected behavior:
sgadmin.sh runs smoothly and I can update my users/roles/tenants from config files (sg_internal_users.yml, sg_tenants.yml, sg_roles.yml, …)

Provide configuration:
elasticsearch/config/elasticsearch.yml

discovery.type: single-node
xpack.security.enabled: false
cluster.name: docker-cluster
network.host: 0.0.0.0
searchguard.ssl.transport.pemcert_filepath: my-elasticsearch.pem
searchguard.ssl.transport.pemkey_filepath: my-elasticsearch.key
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true

elasticsearch/plugins/search-guard-flx/sgconfig/sg_config.yml

searchguard:
  dynamic:
    http:
      xff:
        enabled: false
    authc:
      basic_internal_auth_domain:
        http_enable: true
        transport_enabled: true
        http_authenticator:
          type: basic
        authentication_backend:
          type: intern
multitenancy_enabled: true

I think I’ve been pretty exhaustive; don’t hesitate to ask if you need any specific detail 🙂

@Thomas Could you tell me what is your current SG version?

@Thomas Could you try the below commands and send the outputs?

curl --insecure --cert ./config/admin.pem --key ./config/admin.key --cacert ./config/root-ca.pem -XGET https://localhost:9200
curl --insecure --cert ./config/admin.pem --key ./config/admin.key --cacert ./config/root-ca.pem -XGET https://localhost:9200/_searchguard/authinfo?pretty

Hello Pablo, thanks for your reply.
I forgot about my Search Guard version: it is 1.1.1. I found it was the correct version for my Elasticsearch on the Latest releases page: Latest Releases | Security for Elasticsearch | Search Guard

When trying those commands, both return this line:

curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

@Thomas Your curl might be an old version. Also, version 1.1.1 is FLX.
sgadmin.sh was designed for the legacy versions.

With the FLX plugin, you must use the sgctl tool. Please be aware that in the SG FLX plugin, transport client authentication is no longer supported; that’s why the sgctl.sh tool uses port 9200.

Hello @pablo, thanks again for your reply.
You were right, I must use sgctl instead of sgadmin, but I have similar problems now.
Still the same message with curl, but a new one when I try this command:

./sgctl.sh connect localhost --ca-cert config/root-ca.pem --cert config/admin.pem --key config/admin.key --verbose

I have this result:

Connecting to localhost:9200 with certificate CN=mycn, OU=client, O=client, L=tEst, C=De
javax.net.ssl.SSLException: Unsupported or unrecognized SSL message

Host and port look OK to me, same with the certificate (I’ve chosen this while I’m on a localhost env).
I’m still searching for the reason on your forum and on the web, but no result for now.

@Thomas As I mentioned in my last update, the transport client authentication was deprecated in SG FLX. As a result, the sgctl tool uses port 9200 instead of 9300 to communicate with the SG FLX plugin.

The shared elasticsearch.yml file has TLS configured only for the transport layer. You need to configure the same for the REST layer (9200).

Please find an example of the minimal Search Guard configuration in elasticsearch.yml here.
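A quick way to confirm the diagnosis above before touching certificates, as an added example that is not part of the thread or of Search Guard: it sends only a TLS ClientHello to the REST port and classifies the first bytes that come back. curl's "wrong version number" and Java's "Unsupported or unrecognized SSL message" are what a TLS client typically reports when the listener answers with something that is not a TLS record, which is the `plaintext-http` result here. The function names and the localhost:9200 default are assumptions for illustration.

```python
import socket
import ssl
import sys

def client_hello(host: str) -> bytes:
    """Build a real TLS ClientHello in memory, without touching the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()          # writes the ClientHello into `outgoing`
    except ssl.SSLWantReadError:    # expected: no server reply has been fed in yet
        pass
    return outgoing.read()

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello."""
    if data.startswith(b"HTTP/"):
        return "plaintext-http"     # HTTP text where a TLS record was expected
    if len(data) >= 2 and data[0] in (0x16, 0x15) and data[1] == 0x03:
        return "tls"                # handshake (0x16) or alert (0x15) record
    return "unknown" if data else "closed"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send only a ClientHello (no certificate, no credentials) and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(host))
        try:
            data = sock.recv(16)
        except OSError:             # timeout or reset while waiting for the reply
            data = b""
    return classify_reply(data)

if __name__ == "__main__":
    # Defaults are assumptions matching the thread: REST layer on localhost:9200.
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
    print(f"{host}:{port} -> {probe(host, port)}")
```

A `plaintext-http` result on 9200 means TLS is not enabled on the REST layer, so sgctl and `curl https://...` cannot complete a handshake regardless of which certificates are passed.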

I’ve taken time to re-read everything and check each point, and managed to fix my issue.
Here are the steps I followed, in case anyone has the same problem later:

1 - Created new certificates with OpenSSL using this link

2 - Copied the certs into my Docker containers and used them with sgctl.sh; finally it worked

3 - At this step, I was able to make a sgctl.sh connect, but my Kibana couldn’t connect to Elastic because it didn’t have the required certificates, so I followed the instructions on this page:

And finally, it was ok.
I made a few tests like customising Kibana’s login page and it’s great.
Thanks again for your time @pablo.
