Hi,
I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).
I used sgtool to generate node and CA certificate, but elastic won’t start due to:
SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
…
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
``
In older 6.3.2 version were this steps and configurations ok. Also I put “netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6” to plugins/search-guard-6/
certs_def.yml for sgtool:
ca:
root:
dn: CN=root.ca
keysize: 4096
pkPassword: auto
validityDays: 3650
file: root-ca
nodes:
- name: elasticsearchNode
dn: CN=elasticsearch.node
ip: ip_addr
clients:
- name: admin
dn: CN=admin
admin: true
``
elasticsearch.yml:
cluster.name: elastic-cluster
node.name: elasticsearchNode
path.data: /elastic/data/elasticsearch
path.logs: /elastic/log/elasticsearch
bootstrap.memory_lock: true
network.host: ip_addr
http.port: 9200
searchguard.roles_mapping_resolution: BACKENDROLES_ONLY
searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: false
searchguard.authcz.admin_dn:
searchguard.ssl.http.enabled_protocols:
- “TLSv1.2”
searchguard.ssl.transport.enabled_protocols:
- “TLSv1.2”
searchguard.enterprise_modules_enabled: false
``
Thanks in advance.
Which version of the offline tls tool did you use?
···
Am 18.12.2018 um 15:44 schrieb Jan Pešek <j.pesek97@gmail.com>:
Hi,
I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).
I used sgtool to generate node and CA certificate, but elastic won't start due to:
SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In older 6.3.2 version were this steps and configurations ok. Also I put "netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6" to plugins/search-guard-6/
certs_def.yml for sgtool:
ca:
root:
dn: CN=root.ca
keysize: 4096
pkPassword: auto
validityDays: 3650
file: root-ca
nodes:
- name: elasticsearchNode
dn: CN=elasticsearch.node
ip: ip_addr
clients:
- name: admin
dn: CN=admin
admin: true
elasticsearch.yml:
cluster.name: elastic-cluster
node.name: elasticsearchNode
path.data: /elastic/data/elasticsearch
path.logs: /elastic/log/elasticsearch
bootstrap.memory_lock: true
network.host: ip_addr
http.port: 9200
searchguard.roles_mapping_resolution: BACKENDROLES_ONLY
searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
searchguard.allow_unsafe_democertificates: false
searchguard.allow_default_init_sgindex: false
searchguard.authcz.admin_dn:
- CN=admin
searchguard.ssl.http.enabled_protocols:
- "TLSv1.2"
searchguard.ssl.transport.enabled_protocols:
- "TLSv1.2"
searchguard.enterprise_modules_enabled: false
Thanks in advance.
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/70be8831-f7f5-402b-a745-d62f2e4ade96%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
I’m using latest version search-guard-tlstool-1.5
That's pretty strange.
Can you post a more complete log file (from where the node starts) until the error happens with full stack trace included?
Please also try removing the tcnative jars from all nodes (and start them again) to so that we can see if this is a OpenSSL related problem or a general SSL problem.
···
Am 19.12.2018 um 19:40 schrieb emisar <j.pesek97@gmail.com>:
I'm using latest version search-guard-tlstool-1.5
Dne úterý 18. prosince 2018 20:22:58 UTC+1 Search Guard napsal(a):
Which version of the offline tls tool did you use?
>
> Hi,
> I am using elasticsearch 6.5.3 with searchguard 6-6.5.3-23.2. (jre1.8.0_181, CentOS Linux 7).
>
> I used sgtool to generate node and CA certificate, but elastic won't start due to:
>
> SSL Problem General OpenSslEngine problem javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
> ...
> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> In older 6.3.2 version were this steps and configurations ok. Also I put "netty-tcnative-openssl-1.1.0j-static-2.0.15.Final-fedora-linux-x86_64-plugins-search-guard-6" to plugins/search-guard-6/
>
> certs_def.yml for sgtool:
>
> ca:
> root:
> dn: CN=root.ca
> keysize: 4096
> pkPassword: auto
> validityDays: 3650
> file: root-ca
> nodes:
> - name: elasticsearchNode
> dn: CN=elasticsearch.node
> ip: ip_addr
> clients:
> - name: admin
> dn: CN=admin
> admin: true
>
> elasticsearch.yml:
>
> cluster.name: elastic-cluster
> node.name: elasticsearchNode
> path.data: /elastic/data/elasticsearch
> path.logs: /elastic/log/elasticsearch
> bootstrap.memory_lock: true
> network.host: ip_addr
> http.port: 9200
>
> searchguard.roles_mapping_resolution: BACKENDROLES_ONLY
>
> searchguard.ssl.transport.pemcert_filepath: certs/elasticsearchNode.pem
> searchguard.ssl.transport.pemkey_filepath: certs/elasticsearchNode.key
> searchguard.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
> searchguard.ssl.transport.enforce_hostname_verification: false
> searchguard.ssl.transport.resolve_hostname: false
> searchguard.ssl.http.enabled: true
> searchguard.ssl.http.pemcert_filepath: certs/elasticsearchNode.pem
> searchguard.ssl.http.pemkey_filepath: certs/elasticsearchNode.key
> searchguard.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
> searchguard.allow_unsafe_democertificates: false
> searchguard.allow_default_init_sgindex: false
> searchguard.authcz.admin_dn:
> - CN=admin
>
> searchguard.ssl.http.enabled_protocols:
> - "TLSv1.2"
> searchguard.ssl.transport.enabled_protocols:
> - "TLSv1.2"
>
> searchguard.enterprise_modules_enabled: false
>
> Thanks in advance.
>
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/70be8831-f7f5-402b-a745-d62f2e4ade96%40googlegroups.com\.
> For more options, visit https://groups.google.com/d/optout\.
--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/db7f08d2-aecf-4161-b40b-f8722ab03e12%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
I found out, error comes only if I try to run multinode cluster and error is thrown when zen.pinging.
My bad, the others nodes has different CA, because of older elastic running on same port
I hate to bother you. Thanks for your time.