Is it possible to configure elasticsearch/search guard to not make curl try to look for NSS certs?

With my elasticsearch (with search guard) running, I’m trying to actually query something using my certificate.

[root@hostname scripts]# curl -vk --cacert /path/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
* About to connect() to hostname.domain port 9201 (#0)
*   Trying 9.21.63.21...
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
* SSL peer cannot verify your certificate.
* Closing connection 0
curl: (58) NSS: client certificate not found (nickname not specified)

[root@hostname scripts]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

But it seems that it’s trying to use the NSS database for certificate/key info. I don’t touch the NSS database, and I don’t want it to do this, and other things that I use curl on for this host don’t have this problem. Is this an elasticsearch configuration that I can change?

I have no experience with NSS; we recommend using a curl binary compiled against openssl instead of NSS.
That's nothing Search Guard can change or influence. You can also try wget or HTTPie instead of curl.

See also:
https://github.com/floragunncom/search-guard/issues/272
https://groups.google.com/forum/#!searchin/search-guard/nss$20curl|sort:relevance

On 13.07.2017 at 19:42, Steve Haertel <stevehaertel@gmail.com> wrote:

My elasticsearch openssl config was "false", so I restarted it and set it to "true"

Now I get ...

[root@stevew scripts]# curl -v -cacert /PATH/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* About to connect() to hostname.domain port 9201 (#0)
* Trying 9.21.63.21...
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=*.SCRUBBED_DOMAIN,O=ORG,C=CA
* start date: Jul 12 17:36:22 2017 GMT
* expire date: Jul 11 17:36:22 2020 GMT
* common name: *.SCRUBBED_DOMAIN
* issuer: CN=SCRUBBED_ISSUER (SHA256),O=ORG,C=CA
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peer's Certificate issuer is not recognized.
* Closing connection 0
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

It's telling me to use the insecure option, but I'm trying to figure out a way to get it to accept the cert... do I have to add to that NSS bundle?

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0f199fd0-025f-4278-bc6d-0964959028d3%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thanks very much. I’m re-doing my curl/openssl as we speak.

I must be getting closer… The handshake is happening and finishing…

[root@stevew tmp]# curl -v --cacert /PATH/cacert.pem https://hostname.domain:9201/_cluster/health?otherstuff=values
*   Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /PATH/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
* Closing connection 0
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

SOLVED!

I got my curl calls working to my elasticsearch.

I had to generate a p12 file from my keystore, and THEN extract a .key/cert.pem pair, and then use --key and --cert on the curl command with those 2 files, instead of using the --cacert option with my cacert.pem file!
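The script below is an added example and is not code from the thread or from the Search Guard project. It walks through the SOLVED steps with openssl only: the thread's "sslv3 alert bad certificate" run shows the server sending "Request CERT (13)" and curl answering with an empty "Certificate (11)" because only --cacert was given, so the server rejected the handshake; the fix is to present a client key and certificate with --key and --cert. A constructed CA and client certificate stand in for the cluster's real PKI, a PKCS#12 built with openssl stands in for the keystore export (the keytool command in the comment is the assumed equivalent for a Java keystore), the password "changeit" is constructed, and the hostname.domain:9201 URL is the one from the thread. The checks at the end are the ones worth running before looking at the server again: the key must match the certificate, the certificate must chain to the CA the cluster trusts, and curl must not be the NSS build, which (as the first run in the thread shows) looks up --cert as an NSS database nickname rather than a PEM path.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the SOLVED steps with openssl only.
# A constructed CA and client certificate stand in for the cluster's real PKI;
# client.p12 stands in for the PKCS#12 exported from the Java keystore.
set -eu

WORK="${TMPDIR:-/tmp}/sg-curl-example.$$"   # constructed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT
PASS="changeit"                              # constructed keystore/p12 password

# Step 0 (constructed): a private CA plus a client key/cert it signed, bundled into
# a PKCS#12 file. With a real Java keystore the equivalent export is (assumed command):
#   keytool -importkeystore -srckeystore client.jks -destkeystore client.p12 -deststoretype PKCS12
make_constructed_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/cacert.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/cacert.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/client.crt" >/dev/null 2>&1
  openssl pkcs12 -export -name client -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -passout "pass:$PASS" -out "$WORK/client.p12"
}

# Step 1: pull the private key and the client certificate out of the PKCS#12 file
# as two separate PEM files. If the .p12 came from an old keytool and openssl 3
# refuses it (RC2/3DES), add -legacy to the two commands below.
extract_pem_pair() {
  # -nocerts -nodes: key only, left unencrypted so curl does not prompt; keep it 0600.
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -nocerts -nodes \
    -out "$WORK/client-key.pem" 2>/dev/null
  chmod 600 "$WORK/client-key.pem"
  # -clcerts -nokeys: the end-entity certificate only, no CA chain, no key.
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$PASS" -clcerts -nokeys \
    -out "$WORK/client-cert.pem" 2>/dev/null
}

# Step 2: checks worth running before blaming the server. The "bad certificate"
# alert in the thread is the server rejecting what the client presented, so make
# sure the pair is consistent and chains to the CA the cluster trusts.
key_matches_cert() {
  # Public key embedded in the certificate must equal the one derived from the key.
  cert_pub=$(openssl x509 -in "$WORK/client-cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/client-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/cacert.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}
# An NSS-built curl (first line of `curl -V` contains "NSS/x.y") treats --cert as an
# NSS-database nickname, not a PEM path, so the extracted files need an OpenSSL build.
curl_is_nss_build() {
  curl -V 2>/dev/null | head -n 1 | grep -q 'NSS/'
}

# Step 3: the curl invocation the thread ends up with. --cacert trusts the server;
# --cert/--key answer the server's "Request CERT" handshake message.
curl_client_auth_cmd() {
  printf 'curl --cacert %s --cert %s --key %s https://hostname.domain:9201/_cluster/health\n' \
    "$WORK/cacert.pem" "$WORK/client-cert.pem" "$WORK/client-key.pem"
}

make_constructed_p12
extract_pem_pair
key_matches_cert && cert_chains_to_ca && curl_client_auth_cmd
```

Run it as a plain sh script; it prints the curl command line to use once the checks pass. Note that in the thread the bad certificate alert came after a completed handshake on the client side, which is exactly what a missing or untrusted client certificate looks like: the TLS layer is fine, the server's application-level trust check is what fails.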

thx for sharing this
