Invalid certificates after offline sgtool generation

Hi,

I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).

I used sgtool to generate node and CA certificate, but elastic won’t start due to:

SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

``

In older 6.3.2 version were this steps and configurations ok. Also I put “netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6” to plugins/search-guard-6/

certs_def.yml for sgtool:

ca:
root:
dn: CN=root.ca
keysize: 4096
pkPassword: auto
validityDays: 3650
file: root-ca
nodes:

  • name: elasticsearchNode
    dn: CN=elasticsearch.node
    ip: ip_addr
    clients:
  • name: admin
    dn: CN=admin
    admin: true

``

elasticsearch.yml:

cluster.name: elastic-cluster
node.name: elasticsearchNode
path.data: /elastic/data/elasticsearch
path.logs: /elastic/log/elasticsearch
bootstrap.memory_lock: true
network.host: ip_addr
http.port: 9200

searchguard.roles_mapping_resolution: BACKENDROLES_ONLY

searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: false
searchguard.authcz.admin_dn:

  • CN=admin

searchguard.ssl.http.enabled_protocols:

  • “TLSv1.2”
    searchguard.ssl.transport.enabled_protocols:
  • “TLSv1.2”

searchguard.enterprise_modules_enabled: false

``

Thanks in advance.

Which version of the offline tls tool did you use?

···

Am 18.12.2018 um 15:44 schrieb Jan Pešek <j.pesek97@gmail.com>:

Hi,
I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).

I used sgtool to generate node and CA certificate, but elastic won't start due to:

SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In older 6.3.2 version were this steps and configurations ok. Also I put "netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6" to plugins/search-guard-6/

certs_def.yml for sgtool:

ca:
  root:
    dn: CN=root.ca
    keysize: 4096
    pkPassword: auto
    validityDays: 3650
    file: root-ca
nodes:
  - name: elasticsearchNode
    dn: CN=elasticsearch.node
    ip: ip_addr
clients:
  - name: admin
    dn: CN=admin
    admin: true

elasticsearch.yml:

cluster.name: elastic-cluster
node.name: elasticsearchNode
path.data: /elastic/data/elasticsearch
path.logs: /elastic/log/elasticsearch
bootstrap.memory_lock: true
network.host: ip_addr
http.port: 9200

searchguard.roles_mapping_resolution: BACKENDROLES_ONLY

searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: false
searchguard.authcz.admin_dn:
  - CN=admin

searchguard.ssl.http.enabled_protocols:
  - "TLSv1.2"
searchguard.ssl.transport.enabled_protocols:
  - "TLSv1.2"

searchguard.enterprise_modules_enabled: false

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/70be8831-f7f5-402b-a745-d62f2e4ade96%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I’m using latest version search-guard-tlstool-1.5

That's pretty strange.

Can you post a more complete log file (from where the node starts) until the error happens with full stack trace included?
Please also try removing the tcnative jars from all nodes (and start them again) to so that we can see if this is a OpenSSL related problem or a general SSL problem.

···

Am 19.12.2018 um 19:40 schrieb emisar <j.pesek97@gmail.com>:

I'm using latest version search-guard-tlstool-1.5

Dne úterý 18. prosince 2018 20:22:58 UTC+1 Search Guard napsal(a):
Which version of the offline tls tool did you use?

>
> Hi,
> I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).
>
> I used sgtool to generate node and CA certificate, but elastic won't start due to:
>
> SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> In older 6.3.2 version were this steps and configurations ok. Also I put "netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6" to plugins/search-guard-6/
>
> certs_def.yml for sgtool:
>
> ca:
> root:
> dn: CN=root.ca
> keysize: 4096
> pkPassword: auto
> validityDays: 3650
> file: root-ca
> nodes:
> - name: elasticsearchNode
> dn: CN=elasticsearch.node
> ip: ip_addr
> clients:
> - name: admin
> dn: CN=admin
> admin: true
>
> elasticsearch.yml:
>
> cluster.name: elastic-cluster
> node.name: elasticsearchNode
> path.data: /elastic/data/elasticsearch
> path.logs: /elastic/log/elasticsearch
> bootstrap.memory_lock: true
> network.host: ip_addr
> http.port: 9200
>
> searchguard.roles_mapping_resolution: BACKENDROLES_ONLY
>
> searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
> searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
> searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.transport.resolve_hostname: false
> searchguard.ssl.http.enabled: true
> searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
> searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
> searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
> searchguard.allow_unsafe_democertificates: false
> searchguard.allow_default_init_sgindex: false
> searchguard.authcz.admin_dn:
> - CN=admin
>
> searchguard.ssl.http.enabled_protocols:
> - "TLSv1.2"
> searchguard.ssl.transport.enabled_protocols:
> - "TLSv1.2"
>
> searchguard.enterprise_modules_enabled: false
>
> Thanks in advance.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/70be8831-f7f5-402b-a745-d62f2e4ade96%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/db7f08d2-aecf-4161-b40b-f8722ab03e12%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

I found out, error comes only if I try to run multinode cluster and error is thrown when zen.pinging.
My bad, the others nodes has different CA, because of older elastic running on same port
I hate to bother you. Thanks for your time.