Installing PEM/PKCS#8 in ES/SearchGuard config, error certificate unknown!

I generated my certs/keys/ca using own PKI
and just now also tested and decoded my cert (pem chained certificate) and looks good …got all checkmarks from Certificate Decoder - Decode certificates to view their contents

Here is the related ES/SG config section:

# As an alternative to JKS/PCKS12 based configuration
# you can also use X.509 PEM certificates and PKCS #8 keys.
# This, for example, makes it pretty easy to configure letsencrypt certificates.
# Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.transport.pemkey_filepath: elk-backend-private.key
# Key password (omit this setting if the key has no password)
#searchguard.ssl.transport.pemkey_password: "secret"
# X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.transport.pemcert_filepath: SAN_elk-backend-chained.pem
# Trusted certificates
searchguard.ssl.transport.pemtrustedcas_filepath: xxxxx-ca-www-chain.cert.pem

# As an alternative to JKS/PCKS12 based configuration
# you can also use X.509 PEM certificates and PKCS #8 keys.
# This, for example, makes it pretty easy to configure letsencrypt certificates.
# Relative path to the certificates key file (PKCS #8), must be placed under the config/ dir
searchguard.ssl.http.pemkey_filepath: elk-backend-private.key
# Key password (omit this setting if the key has no password)
#searchguard.ssl.http.pemkey_password: "secret"
# X509 node certificate chain in PEM format, must be placed under the config/ dir
searchguard.ssl.http.pemcert_filepath: SAN_elk-backend-chained.pem
# Trusted certificates
searchguard.ssl.http.pemtrustedcas_filepath: xxxxxx-ca-www-chain.cert.pem
searchguard.ssl.http.enabled: true

But I am getting certificate unknown…
What am I missing here? Is config incorrect!?

xxxxxxxxxxxxxxx.com’ initialized
[2017-11-15T01:18:22,766][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [elk-backend.util.xxxxxxxxxxxxxxx] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_151]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
[2017-11-15T01:18:27,799][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [elk-backend.util.xxxxxxxxxxxxx.com] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_151]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(

Hi,

I’m trying to set up SG with pem certificate too, and I ran into that kind of error as well; make sure your node certificates have the ClientAuth and ServerAuth ExtendedKeyUsage attributes. You can check this with openssl x509 -noout -text -in /path/to/node.cert.

Hope this helps.
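
The check suggested in the reply above, wrapped as a script (an added example, not part of the original thread). The function names `missing_eku`, `check_eku` and `make_cert` are made up here, and the two certificates are throwaway self-signed ones generated only to exercise the check.

```shell
#!/bin/sh
# Report which of the two Extended Key Usage values (server and client
# authentication) are absent from a PEM certificate.
# Note: `openssl x509` reads only the FIRST certificate in a file, so for a
# chained PEM the node (leaf) certificate must come first.

# missing_eku CERT -> prints one line per missing usage, nothing if both present.
# A certificate with no Extended Key Usage extension at all is reported as
# missing both.
missing_eku() {
    eku=$(openssl x509 -noout -text -in "$1" |
          awk '/X509v3 Extended Key Usage/ { getline; print; exit }')
    for want in 'TLS Web Server Authentication' 'TLS Web Client Authentication'
    do
        case "$eku" in
            *"$want"*) ;;                      # usage is listed
            *) printf '%s\n' "$want" ;;        # usage is absent
        esac
    done
}

# check_eku CERT -> exit status 0 only if both usages are present.
check_eku() {
    [ -z "$(missing_eku "$1")" ]
}

# make_cert PREFIX EKU_VALUE -> writes PREFIX.key and PREFIX.pem.
# Constructed sample input: a one-day self-signed certificate whose only
# purpose is to give the check something to read.
make_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = node.example.test
[ext]
extendedKeyUsage = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$1.cnf" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo on constructed certificates: one with both usages, one server-only.
demo_dir=$(mktemp -d)
make_cert "$demo_dir/both" "serverAuth, clientAuth"
make_cert "$demo_dir/server_only" "serverAuth"
for name in both server_only; do
    if check_eku "$demo_dir/$name.pem"; then
        echo "$name: serverAuth and clientAuth present"
    else
        echo "$name: missing -> $(missing_eku "$demo_dir/$name.pem")"
    fi
done
rm -rf "$demo_dir"
```

To check a real node certificate, call `check_eku` with the file named in `pemcert_filepath`.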


Thanks for information and reply!

I abandoned pem and created a procedure for creating java keystore and truststore, a bit more details I am stabilizing it …I should be able to get my head around all aliases and password and attributes and etc… Getting there slowly. As soon as I have something working, I’ll share the procedure which is really lacking in SG documentation… maybe too much German beer! lol! and not enough care to even more details and scenarios…demo script already has built-in keys and certs…and is not clear how keystore and truststore are being created and certs/keys imported into them… more care for product usage by various people, it’ll be a lot better for community and future of the SG!

side note:
Today is mourning day for Native Americans… before you take first byte of that turkey, make sure you think about all the wrong doings upon them…so their spirit will relax before you stuff that face!


Ok…I do see some resources in search-guard-ssl/example-pki-scripts
I can use those for pem, getting into it to plug my PKI stuff into it!
and then we also have the demo script for jks stuff!
