How to debug "Received fatal alert: bad_certificate" error?

  • Search Guard and Elasticsearch version: 6.0.0

  • Installed and used enterprise modules, if any: no

  • JVM version and operating system version: 1.8.0_131

  • Search Guard configuration files:

sg_config.yml:

searchguard:
dynamic:
authc:
basic_internal_auth:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal

``

elasticsearch.yml:

searchguard:
enterprise_modules_enabled: false
allow_unsafe_democertificates: true
ssl.transport:
enabled: true
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: {TS_PWD} enforce_hostname_verification: false ssl.http: enabled: {HTTP_SSL}
# clientauth_mode: REQUIRE
clientauth_mode: OPTIONAL
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: ${TS_PWD}
nodes_dn:
- “CN=search.domain.com, OU=SSL, C=COM”
authcz.admin_dn:
- “CN=elastic ,OU=devops, C=COM”

``

  • Elasticsearch log messages on debug level:

[2018-02-27T08:01:53,569][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent to [{search.domain.com}{

8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}] (timeout: [null])

[2018-02-27T08:01:53,570][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received request

[2018-02-27T08:01:53,603][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] publish_address {172.18.0.4:9200}, bound_addresses {[::]:9200}

[2018-02-27T08:01:53,604][INFO ][o.e.n.Node ] [search.domain.com] started

[2018-02-27T08:01:53,631][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent response

[2018-02-27T08:01:53,632][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received response from [{search.

domain.com}{8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}]

[2018-02-27T08:01:53,842][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] SSL Problem Received fatal alert: bad_certificate

javax.net.ssl.SSLException: Received fatal alert: bad_certificate

  • Other installed Elasticsearch or Kibana plugins, if any: no

According to this: https://www.elastic.co/guide/en/elasticsearch/reference/current/logging.html

I tried adding logger.org.elasticsearch.transport: trace into elasticsearch.yml but it didn’t help.

Since I’m using https://github.com/khezen/docker-elasticsearch, setting LOG_LEVEL to DEBUG to start ES with -Des.logger.level=DEBUG, then it printed the above logs.

But it’s not clear that why do I got that “bad_certificate” error.

How can I debug this?

This helped: https://github.com/floragunncom/search-guard/issues/314#issuecomment-290144489

logger.fg.name = com.floragunn
logger.fg.level = trace

``

···

On Tuesday, February 27, 2018 at 3:22:00 PM UTC+7, Quan Tong Anh wrote:

  • Search Guard and Elasticsearch version: 6.0.0
  • Installed and used enterprise modules, if any: no
  • JVM version and operating system version: 1.8.0_131
  • Search Guard configuration files:

sg_config.yml:

searchguard:
dynamic:
authc:
basic_internal_auth:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal

``

elasticsearch.yml:

searchguard:
enterprise_modules_enabled: false
allow_unsafe_democertificates: true
ssl.transport:
enabled: true
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: {TS_PWD} enforce_hostname_verification: false ssl.http: enabled: {HTTP_SSL}
# clientauth_mode: REQUIRE
clientauth_mode: OPTIONAL
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: ${TS_PWD}
nodes_dn:
- “CN=search.domain.com, OU=SSL, C=COM”
authcz.admin_dn:
- “CN=elastic ,OU=devops, C=COM”

``

  • Elasticsearch log messages on debug level:

[2018-02-27T08:01:53,569][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent to [{search.domain.com}{

8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}] (timeout: [null])

[2018-02-27T08:01:53,570][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received request

[2018-02-27T08:01:53,603][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] publish_address {172.18.0.4:9200}, bound_addresses {[::]:9200}

[2018-02-27T08:01:53,604][INFO ][o.e.n.Node ] [search.domain.com] started

[2018-02-27T08:01:53,631][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent response

[2018-02-27T08:01:53,632][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received response from [{search.

domain.com}{8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}]

[2018-02-27T08:01:53,842][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] SSL Problem Received fatal alert: bad_certificate

javax.net.ssl.SSLException: Received fatal alert: bad_certificate

  • Other installed Elasticsearch or Kibana plugins, if any: no

According to this: https://www.elastic.co/guide/en/elasticsearch/reference/current/logging.html

I tried adding logger.org.elasticsearch.transport: trace into elasticsearch.yml but it didn’t help.

Since I’m using https://github.com/khezen/docker-elasticsearch, setting LOG_LEVEL to DEBUG to start ES with -Des.logger.level=DEBUG, then it printed the above logs.

But it’s not clear that why do I got that “bad_certificate” error.

How can I debug this?

You can also have a look at the Troubleshooting TLS section in the docs:

http://docs.search-guard.com/latest/troubleshooting-tls

···

On Tuesday, February 27, 2018 at 10:43:31 AM UTC+1, Quan Tong Anh wrote:

This helped: https://github.com/floragunncom/search-guard/issues/314#issuecomment-290144489

logger.fg.name = com.floragunn
logger.fg.level = trace

``

On Tuesday, February 27, 2018 at 3:22:00 PM UTC+7, Quan Tong Anh wrote:

  • Search Guard and Elasticsearch version: 6.0.0
  • Installed and used enterprise modules, if any: no
  • JVM version and operating system version: 1.8.0_131
  • Search Guard configuration files:

sg_config.yml:

searchguard:
dynamic:
authc:
basic_internal_auth:
enabled: true
order: 1
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: internal

``

elasticsearch.yml:

searchguard:
enterprise_modules_enabled: false
allow_unsafe_democertificates: true
ssl.transport:
enabled: true
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: {TS_PWD} enforce_hostname_verification: false ssl.http: enabled: {HTTP_SSL}
# clientauth_mode: REQUIRE
clientauth_mode: OPTIONAL
enable_openssl_if_available: true
keystore_type: JKS
keystore_filepath: /elasticsearch/config/searchguard/ssl/{NODE_NAME}-keystore.jks keystore_password: {KS_PWD}
truststore_type: JKS
truststore_filepath: /elasticsearch/config/searchguard/ssl/truststore.jks
truststore_password: ${TS_PWD}
nodes_dn:
- “CN=search.domain.com, OU=SSL, C=COM”
authcz.admin_dn:
- “CN=elastic ,OU=devops, C=COM”

``

  • Elasticsearch log messages on debug level:

[2018-02-27T08:01:53,569][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent to [{search.domain.com}{

8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}] (timeout: [null])

[2018-02-27T08:01:53,570][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received request

[2018-02-27T08:01:53,603][INFO ][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] publish_address {172.18.0.4:9200}, bound_addresses {[::]:9200}

[2018-02-27T08:01:53,604][INFO ][o.e.n.Node ] [search.domain.com] started

[2018-02-27T08:01:53,631][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] sent response

[2018-02-27T08:01:53,632][TRACE][o.e.t.T.tracer ] [search.domain.com] [14][internal:gateway/local/meta_state[n]] received response from [{search.

domain.com}{8DEc8UX5Q6GAAWelIMA3uA}{3Ln-XCczR_SXuj-dGPeeIg}{172.18.0.4}{172.18.0.4:9300}]

[2018-02-27T08:01:53,842][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [search.domain.com] SSL Problem Received fatal alert: bad_certificate

javax.net.ssl.SSLException: Received fatal alert: bad_certificate

  • Other installed Elasticsearch or Kibana plugins, if any: no

According to this: https://www.elastic.co/guide/en/elasticsearch/reference/current/logging.html

I tried adding logger.org.elasticsearch.transport: trace into elasticsearch.yml but it didn’t help.

Since I’m using https://github.com/khezen/docker-elasticsearch, setting LOG_LEVEL to DEBUG to start ES with -Des.logger.level=DEBUG, then it printed the above logs.

But it’s not clear that why do I got that “bad_certificate” error.

How can I debug this?