With my elasticsearch (with search guard) running, I’m trying to actually query something using my certificate.
[root@hostname scripts]# curl -vk --cacert /path/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
* About to connect() to hostname.domain port 9201 (#0)
*   Trying 9.21.63.21...
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
* SSL peer cannot verify your certificate.
* Closing connection 0
curl: (58) NSS: client certificate not found (nickname not specified)
[root@hostname scripts]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets
But it seems that it’s trying to use the NSS database for certificate/key info. I don’t touch the NSS database, and I don’t want it to do this, and other things that I use curl on for this host don’t have this problem. Is this an elasticsearch configuration that I can change?
I have no experience with NSS; we recommend using a curl binary compiled against OpenSSL instead of NSS.
That's nothing Search Guard can change or influence. You can also try wget or HTTPie instead of curl.
See also:
https://github.com/floragunncom/search-guard/issues/272
https://groups.google.com/forum/#!searchin/search-guard/nss$20curl|sort:relevance
···
On 13.07.2017 at 19:42, Steve Haertel <stevehaertel@gmail.com> wrote:
My elasticsearch openssl config was "false", so I restarted it and set it to "true"
Now I get ...
[root@stevew scripts]# curl -v -cacert /PATH/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* About to connect() to hostname.domain port 9201 (#0)
* Trying 9.21.63.21...
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=*.SCRUBBED_DOMAIN,O=ORG,C=CA
* start date: Jul 12 17:36:22 2017 GMT
* expire date: Jul 11 17:36:22 2020 GMT
* common name: *.SCRUBBED_DOMAIN
* issuer: CN=SCRUBBED_ISSUER (SHA256),O=ORG,C=CA
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
It's telling me to use the insecure option, but I'm trying to figure out a way to get it to accept the cert... do I have to add to that NSS bundle?
--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0f199fd0-025f-4278-bc6d-0964959028d3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Thanks very much. I’m re-doing my curl/openssl as we speak.
···
On Thursday, July 13, 2017 at 2:25:37 PM UTC-4, Search Guard wrote:
I have no experience with NSS; we recommend using a curl binary compiled against OpenSSL instead of NSS.
That's nothing Search Guard can change or influence. You can also try wget or HTTPie instead of curl.
I must be getting closer… The handshake is happening and finishing…
[root@stevew tmp]# curl -v --cacert /PATH/cacert.pem https://hostname.domain:9201/_cluster/health?otherstuff=values
*   Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /PATH/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
* Closing connection 0
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
SOLVED!
I got my curl calls working to my elasticsearch.
I had to generate a p12 file from my keystore, and THEN extract a .key/cert.pem pair, and then use --key and --cert on the curl command with those 2 files, instead of using the --cacert option with my cacert.pem file!
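The trace just above the solution already shows what the fix has to be: after "Request CERT (13)" the server asks for a client certificate, curl answers with an empty "Certificate (11)" because it was only given --cacert, and the server replies with the "bad certificate" alert. --cacert only governs how curl verifies the server; the client side needs --cert and --key. The script below is an added example, not code from this thread or from Search Guard, and it walks the procedure from the solving post end to end: keystore to PKCS#12, PKCS#12 to a PEM key/cert pair, a check that the pair is consistent and chains to the CA, and the curl call. It assumes only that openssl is on PATH; the CA, client certificate and PKCS#12 are generated locally so it runs offline (a real JKS keystore would be exported with the keytool command given in the comment), and hostname.domain, port 9201 and the file names are stand-ins taken from the thread. Unlike the solving post, it keeps --cacert alongside --cert/--key, because the third trace shows --cacert already fixed server verification.

```shell
#!/bin/sh
# Added example, not code from the thread or from Search Guard.
# Assumes only that openssl is on PATH. The PKI is generated locally so the
# script runs offline; host name, port and file names are stand-ins.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway CA and a client certificate, then bundle client key + cert
# as PKCS#12 (the format keytool exports). With a real JKS keystore this step is:
#   keytool -importkeystore -srckeystore client.jks -srcalias client \
#       -destkeystore client.p12 -deststoretype PKCS12
make_demo_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$dir/orig-client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/client.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/orig-client.crt" 2>/dev/null
    openssl pkcs12 -export -name client -inkey "$dir/orig-client.key" \
        -in "$dir/orig-client.crt" -passout pass:changeit -out "$dir/client.p12"
    # Keep only what a keystore user actually has: the CA cert and the p12.
    rm -f "$dir/orig-client.key" "$dir/orig-client.crt" "$dir/client.csr"
}

# Pull an unencrypted PEM private key and the client certificate out of the
# PKCS#12. -nodes leaves the key unencrypted (keep it encrypted and pass
# --pass to curl if you prefer). On OpenSSL 3, a p12 written by an older
# keytool with RC2/3DES additionally needs -legacy on these two commands.
keystore_to_pem() {
    p12="$1"; pass="$2"; out="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out.key" 2>/dev/null
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out.crt" 2>/dev/null
    chmod 600 "$out.key"
}

# Two checks worth running before blaming the server for a "bad certificate"
# alert: does the client cert chain to the CA the cluster trusts, and does the
# extracted key really belong to that cert (compare the public keys)?
# Prints "ok" on success, otherwise a short reason and a non-zero status.
check_pair() {
    ca="$1"; crt="$2"; key="$3"
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "untrusted-chain"; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key-cert-mismatch"; return 1; }
    echo "ok"
}

# The working call: --cacert verifies the server, --cert/--key answer the
# server's "Request CERT". -k is not needed and would only hide a wrong CA file.
query_cluster() {
    ca="$1"; crt="$2"; key="$3"; host="$4"
    curl -sS --cacert "$ca" --cert "$crt" --key "$key" \
        "https://$host:9201/_cluster/health?pretty"
}

main() {
    make_demo_pki "$WORK"
    keystore_to_pem "$WORK/client.p12" changeit "$WORK/es-client"
    check_pair "$WORK/cacert.pem" "$WORK/es-client.crt" "$WORK/es-client.key"
    # Against a real cluster (hostname.domain is a stand-in from the thread):
    # query_cluster /path/cacert.pem "$WORK/es-client.crt" "$WORK/es-client.key" hostname.domain
}

main
```

If check_pair reports "untrusted-chain", the certificate in the keystore was not issued by the CA in cacert.pem (or an intermediate is missing, which -clcerts deliberately drops; use -nokeys without -clcerts to get the whole chain). "key-cert-mismatch" means the keystore alias you exported holds a different key than the certificate you are presenting. Either one produces exactly the "bad certificate" alert seen in the thread.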