Issue Running SGAdmin

All-
We’re attempting to implement SearchGuard.
We seem to have the SearchGuard-SSL side working pretty well - if search guard isn’t up, we can serve the REST API over HTTPS.

However, as soon as SearchGuard is installed, the API starts complaining that ‘Search Guard not initialized (SG11)’, and we start seeing ‘[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized’ in the logs.

Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.

However, when we attempted to run the scripts, we’re seeing the following:

 

root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv

Connect to localhost:9300

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it ... done

Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml

   SUCC Configuration for 'config' created or updated

Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml

   SUCC Configuration for 'roles' created or updated

Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml

   SUCC Configuration for 'rolesmapping' created or updated

Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml

   SUCC Configuration for 'internalusers' created or updated

Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml

   SUCC Configuration for 'actiongroups' created or updated

FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only []

Done with failures

In the logs, all we're seeing is:

[2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:

Context:

[cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null

[cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null

[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded ‘’ but should ‘[config, roles, rolesmapping, internalusers, actiongroups]’
This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I’m doing something incorrect - any thoughts?
Thanks!
Ben

Additionally, I’ve upgraded to V5, and can now see that requests are apparently timing out on 9300?

[2016-08-11 03:06:34,383][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (first object) due to null (null means timeout)

[2016-08-11 03:06:34,384][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (first object) due to timeout

Which is very strange to me, considering the script reports that it can connect over 9300, and I can see that come through in the logs.

Will connect to localhost:9300 … done

Contacting elasticsearch cluster ‘SHU’ and wait for YELLOW clusterstate …

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

Search Guard index already exists, so we do not need to create one.

Am I vastly misunderstanding what’s going on here?

That sounds strange (you may also look here: https://github.com/floragunncom/search-guard/issues/182 , seems to be related)

Can you provide

  • Full elasticsearch logfile on DEBUG level (from elasticsearch start point until sgadmin finished + one or two minutes)

  • Full output of sgadmin

  • Your elasticsearch.yml

  • Operating system and JVM version/vendor

Can you also try if this works for you: https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

Yep - files are attached.

We’re running:
Distributor ID: Ubuntu

Description: Ubuntu 16.04.1 LTS

Release: 16.04

Codename: xenial

openjdk version “1.8.0_91”

OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)

OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don’t think those are necessarily a symptom.

It’s also worth noting that I’ve tried both the JDK and OpenSSL SSL implementations, and both appear to have the same result.

Thanks!
Ben

sgadmin_output.rtf (1.78 KB)

SHU.log (259 KB)

elasticsearch.yml (4.15 KB)

Can you try to install the following Search Guard version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip

Unfortunately, no luck there. I’m getting ‘Generic Error’ timeouts, now.

Thank you for the suggestion, though!

-Ben

[2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers

[2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

[2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request

[2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups

[2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found


Ben Shoemaker
Programmer/Analyst
bshoemaker@setonhill.edu


Maybe I found something: it seems like the node SSL certificate does not have the right SAN.
How did you generate the certificates?

Please install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip

and look for debug output like:

[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
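
As an added example (not part of the thread and not Search Guard's own code): a parser for the certificate debug dump quoted above that lists node certificates whose SAN is absent or lacks expected entries. The sample dumps, the `node-1` certificate and the `EXPECTED` set are constructed in the format of that output; which SAN entries a given cluster requires is an assumption to adjust.

```python
import re

# RFC 5280 GeneralName tag numbers, as printed in the "san" debug line.
GENERAL_NAME_TYPES = {1: "rfc822Name", 2: "dNSName", 6: "URI",
                      7: "iPAddress", 8: "registeredID"}

LINE_RE = re.compile(
    r"^\[[^\]]+\]\[DEBUG\s*\]\[[^\]]*SearchGuardTransportService\]\s+(.*)$")
CERT_RE = re.compile(r"^(\d+)\. (.+) X\.509$")
SAN_ENTRY_RE = re.compile(r"\[(\d+), ([^\[\]]+)\]")


def parse_cert_dump(text):
    """Return one dict per certificate listed in the debug dump."""
    certs = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines from other loggers, blank lines
        msg = m.group(1)
        header = CERT_RE.match(msg)
        if header:
            certs.append({"index": int(header.group(1)),
                          "subject": header.group(2),
                          "issuer": None, "san": None})
        elif certs and msg.startswith("san "):
            value = msg[4:].strip()
            # "san null": the certificate has no subjectAltName extension
            certs[-1]["san"] = None if value == "null" else [
                (int(tag), val.strip())
                for tag, val in SAN_ENTRY_RE.findall(value)]
        elif certs and msg.startswith("issuer "):
            certs[-1]["issuer"] = msg[len("issuer "):].strip()
    return certs


def leaf_certs(certs):
    """Certificates whose subject never appears as an issuer in the dump."""
    issuers = {c["issuer"] for c in certs}
    return [c for c in certs if c["subject"] not in issuers]


def check_node_sans(text, expected):
    """Return (index, subject, problem) tuples; an empty list means every
    leaf certificate carries all expected (tag, value) SAN entries."""
    findings = []
    for cert in leaf_certs(parse_cert_dump(text)):
        if cert["san"] is None:
            findings.append((cert["index"], cert["subject"],
                             "no subjectAltName extension"))
            continue
        for tag, value in sorted(set(expected) - set(cert["san"])):
            name = GENERAL_NAME_TYPES.get(tag, "type %d" % tag)
            findings.append((cert["index"], cert["subject"],
                             "missing %s %s" % (name, value)))
    return findings


# --- constructed sample input, in the format of the dump above ---
PREFIX = "[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] "
NODE = "CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE"
NODE1 = "CN=node-1.example.com, OU=SSL, O=Test, L=Test, C=DE"  # hypothetical
SIGNING_CA = ("CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, "
              "O=Example Com Inc., DC=example, DC=com")
ROOT_CA = ("CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, "
           "O=Example Com Inc., DC=example, DC=com")


def make_dump(*messages):
    return "\n".join(PREFIX + m for m in messages)


GOOD_DUMP = make_dump(
    "Certs count: 3",
    "0. %s X.509" % NODE, "serial 1", "ian null",
    "san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], "
    "[8, 1.2.3.4.5.5]]",
    "issuer " + SIGNING_CA,
    "1. %s X.509" % SIGNING_CA, "san null", "issuer " + ROOT_CA,
    "2. %s X.509" % ROOT_CA, "san null", "issuer " + ROOT_CA)

BAD_DUMP = make_dump(
    "Certs count: 3",
    "0. %s X.509" % NODE, "san null", "issuer " + SIGNING_CA,
    "1. %s X.509" % SIGNING_CA, "san null", "issuer " + ROOT_CA,
    "2. %s X.509" % NODE1, "san [[2, node-1.example.com]]",
    "issuer " + SIGNING_CA)

# Assumption: entries copied from the sample output above; adjust per cluster.
EXPECTED = [(2, "localhost"), (8, "1.2.3.4.5.5")]

if __name__ == "__main__":
    for finding in check_node_sans(BAD_DUMP, EXPECTED):
        print(finding)
```

CA certificates legitimately show `san null`, which is why only leaf entries are checked.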

···

Am 11.08.2016 um 16:58 schrieb Benjamin Shoemaker <bshoemaker@setonhill.edu>:

Unfortunately, no luck there. I'm getting 'Generic Error' timeouts, now.

Thank you for the suggestion, though!

-Ben

[2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers

[2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

[2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request

[2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups

[2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

On Thu, Aug 11, 2016 at 10:21 AM, <info@search-guard.com> wrote:
can you try to install the following Search Guard Version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip

On Thursday, 11 August 2016 15:12:12 UTC+2, Benjamin Shoemaker wrote:
Yep - files are attached.

We're running:
Distributor ID: Ubuntu

Description: Ubuntu 16.04.1 LTS

Release: 16.04

Codename: xenial

openjdk version "1.8.0_91"

OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)

OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don't think those are necessarily a symptom.

It's also worth noting that I've tried both the JDK and OpenSSL ssl implementations, and both appear to have the same result.

Thanks!
Ben

On Wednesday, August 10, 2016 at 8:43:18 AM UTC-4, Benjamin Shoemaker wrote:
All-
We're attempting to implement SearchGuard.
We seem to have the SearchGuard-SSL side working pretty well - if search guard isn't up, we can serve the REST API over HTTPS.

However, as soon as SearchGuard is installed, the API starts complaining that 'Search Guard not initialized (SG11)', and we start seeing '[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized' in the logs.

Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.

However, when we attempted to run the scripts, we're seeing the following:

root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv

Connect to localhost:9300

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it ... done

Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml

   SUCC Configuration for 'config' created or updated

Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml

   SUCC Configuration for 'roles' created or updated

Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml

   SUCC Configuration for 'rolesmapping' created or updated

Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml

   SUCC Configuration for 'internalusers' created or updated

Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml

   SUCC Configuration for 'actiongroups' created or updated

FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only

Done with failures

In the logs, all we're seeing is:

[2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:

Context:

[cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null

[cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null

[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded '' but should '[config, roles, rolesmapping, internalusers, actiongroups]'

This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I'm doing something incorrect - any thoughts?

Thanks!
Ben

--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/1SVq0DCUk50/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d2024bfb-0579-4d54-9790-17d690710ec6%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
Ben Shoemaker
Programmer/Analyst
bshoemaker@setonhill.edu

This document may contain confidential information and is intended solely
for the use of the addressee. If you received it in error, please contact
the sender at once and destroy the document. The document may contain
information subject to restrictions of the Family Educational Rights and
Privacy and the Gramm-Leach-Bliley Acts. Such information may not be
disclosed or used in any fashion outside the scope of the service for which
you are receiving the information.

--
You received this message because you are subscribed to the Google Groups "Search Guard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAD7M0J_SkderQ75F%3DhTtHvPP11vrO8GSO0-hpXZ8vZgREfzA7A%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

I generated the certs with the example.sh script from search-guard-ssl.

Should I be attempting to run the sgadmin.sh script with the ‘kirk’ certificate, or the node-0 certificate?
I’ve added both to elasticsearch.yml as valid admin dn’s.

An example log is attached (using node-0 keystore)

Thanks,
Ben

SHU3.log (773 KB)

On Thu, Aug 11, 2016 at 11:34 AM, SG info@search-guard.com wrote:

Maybe I found something, seems like the node SSL certificate does not have the right SAN.

How did you generate the certificates?

pls. install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip

and look for debug output like:

[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

Ben Shoemaker
Programmer/Analyst
bshoemaker@setonhill.edu
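
The certificate dump requested above can be checked mechanically. This is an added example, not part of the thread or of Search Guard's code: it parses the `SearchGuardTransportService` debug lines and reports what certificate 0 is missing from its SAN. The function names, the shortened sample logs, and the use of `1.2.3.4.5.5` (the registeredID in the quoted output) as the node-certificate marker are assumptions made for the example.

```python
import re

# GeneralName type codes used in a SAN extension (RFC 5280); Java's
# X509Certificate.getSubjectAlternativeNames() reports the same integers.
SAN_TYPES = {2: "dNSName", 7: "iPAddress", 8: "registeredID"}

# Assumption: the registeredID in the sample output quoted above is the
# value that marks a certificate as a node certificate.
NODE_OID = "1.2.3.4.5.5"

LINE_RE = re.compile(
    r"^\[[^\]]+\]\[(?:DEBUG|TRACE)\]\[[\w.]*SearchGuardTransportService\]\s+(.*)$"
)
SUBJECT_RE = re.compile(r"^(\d+)\. (.+) X\.509$")
SAN_ENTRY_RE = re.compile(r"\[(\d+), ([^\]]+)\]")

# Constructed sample: an excerpt (first two certificates) of the quoted output.
GOOD_LOG = """\
[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
"""

# Constructed sample: a certificate whose SAN holds a single DNS name only.
BAD_LOG = """\
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com]]
"""


def parse_cert_chain(log_text):
    """Turn the debug dump into one dict per certificate block."""
    certs = []
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        subject = SUBJECT_RE.match(body)
        if subject:
            # A line such as "0. CN=... X.509" opens a new certificate block.
            current = {"index": int(subject.group(1)),
                       "subject": subject.group(2), "san": [], "issuer": None}
            certs.append(current)
        elif current is None:
            continue  # e.g. "Certs count: 4" before the first block
        elif body.startswith("san "):
            value = body[4:]
            if value != "null":
                current["san"] = [(int(t), v)
                                  for t, v in SAN_ENTRY_RE.findall(value)]
        elif body.startswith("issuer "):
            current["issuer"] = body[7:]
    return certs


def leaf_problems(certs, expected_host=None, node_oid=NODE_OID):
    """List what certificate 0 (assumed to be the peer's own) lacks."""
    if not certs:
        return ["no certificate block found in the log"]
    leaf = certs[0]
    if not leaf["san"]:
        return ["certificate 0 has no subjectAltName entries (san null)"]
    by_type = {}
    for typ, val in leaf["san"]:
        by_type.setdefault(typ, []).append(val)
    problems = []
    if node_oid not in by_type.get(8, []):
        problems.append("no registeredID %s in SAN" % node_oid)
    names = by_type.get(2, []) + by_type.get(7, [])
    if expected_host is not None and expected_host not in names:
        problems.append("%s not listed as dNSName or iPAddress" % expected_host)
    return problems


if __name__ == "__main__":
    for label, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(label, leaf_problems(parse_cert_chain(log), "localhost"))
```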

with the kirk certificate - does this work?

No, the kirk certificate provides the same results, as far as I can tell.

-Ben


On Thu, Aug 11, 2016 at 12:23 PM, SG info@search-guard.com wrote:

with the kirk certificate - does this work?

On 11.08.2016 at 17:58, Benjamin Shoemaker bshoemaker@setonhill.edu wrote:

I generated the certs with the example.sh script from search-guard-ssl.

Should I be attempting to run the sgadmin.sh script with the ‘kirk’ certificate, or the node-0 certificate?

I’ve added both to elasticsearch.yml as valid admin dn’s.

An example log is attached (using node-0 keystore)

Thanks,

Ben

On Thu, Aug 11, 2016 at 11:34 AM, SG info@search-guard.com wrote:

Maybe I found something: it seems like the node SSL certificate does not have the right SAN.

How did you generate the certificates?

pls. install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip

and look for debug output like:

[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

On 11.08.2016 at 16:58, Benjamin Shoemaker bshoemaker@setonhill.edu wrote:

Unfortunately, no luck there. I’m getting ‘Generic Error’ timeouts, now.

Thank you for the suggestion, though!

-Ben

[2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers

[2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

[2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request

[2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups

[2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

On Thu, Aug 11, 2016 at 10:21 AM, info@search-guard.com wrote:

can you try to install the following Search Guard Version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip

On Thursday, 11 August 2016 15:12:12 UTC+2, Benjamin Shoemaker wrote:

Yep - files are attached.

We’re running:

Distributor ID: Ubuntu

Description: Ubuntu 16.04.1 LTS

Release: 16.04

Codename: xenial

openjdk version “1.8.0_91”

OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)

OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don’t think those are necessarily a symptom.

It’s also worth noting that I’ve tried both the JDK and OpenSSL SSL implementations, and both appear to have the same result.

Thanks!

Ben

On Wednesday, August 10, 2016 at 8:43:18 AM UTC-4, Benjamin Shoemaker wrote:

All-

We’re attempting to implement SearchGuard.

We seem to have the SearchGuard-SSL side working pretty well - if search guard isn’t up, we can serve the REST API over HTTPS.

However, as soon as SearchGuard is installed, the API starts complaining that ‘Search Guard not initialized (SG11)’ , and we start seeing ‘[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized’ in the logs.

Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.

However, when we attempted to run the scripts, we’re seeing the following:

root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv

Connect to localhost:9300

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it … done

Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml

SUCC Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml

SUCC Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml

SUCC Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml

SUCC Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml

SUCC Configuration for ‘actiongroups’ created or updated

FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only

Done with failures

In the logs, all we’re seeing is:

[2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:

Context:

[cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null

[cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null

[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded '' but should '[config, roles, rolesmapping, internalusers, actiongroups]'

This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I’m doing something incorrect - any thoughts?

Thanks!

Ben
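
One way to read the SearchGuardTransportService debug output quoted in this thread, added here as an example (it is not code from the Search Guard project or from either poster): it groups the lines per certificate, decodes the SAN type tags and reports what an end-entity certificate lacks. The names `parse_chain`, `review_leaves` and `EXPECTED_SAN_TYPES` are hypothetical, the expected SAN types are an assumption taken from the reference output, and the `BROKEN` sample is constructed.

```python
import re

# GeneralName tags as reported by Java's X509Certificate.getSubjectAlternativeNames()
# (RFC 5280); the debug lines print them as [tag, value] pairs.
SAN_TYPES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
             4: "directoryName", 5: "ediPartyName",
             6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}
# Extended key usage OIDs printed on the "ext" lines.
EKU = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth"}
# Assumption: a node certificate should carry the SAN types seen in the
# reference output from the thread; adjust this to your own PKI.
EXPECTED_SAN_TYPES = ("dNSName", "iPAddress", "registeredID")

LINE = re.compile(r"\[DEBUG\]\[SearchGuardTransportService\]\s+(.*)$")
SUBJECT = re.compile(r"^(\d+)\.\s+(.*?)\s+X\.509$")
SAN_ENTRY = re.compile(r"\[(\d+),\s*([^\]]+)\]")
OID = re.compile(r"\d+(?:\.\d+)+")

# Sample input. REFERENCE repeats lines from the thread (chain shortened,
# one timestamp reused); BROKEN is constructed and keeps a "> " quote prefix.
P = "[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] "
NODE = "CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE"
TAIL = ", O=Example Com Inc., DC=example, DC=com"
SIGNING = "CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA" + TAIL
ROOT = "CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA" + TAIL
REFERENCE = "\n".join(P + s for s in [
    "0. " + NODE + " X.509",
    "ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]",
    "san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
    "issuer " + SIGNING,
    "1. " + SIGNING + " X.509", "ext null", "san null", "issuer " + ROOT,
    "2. " + ROOT + " X.509", "ext null", "san null", "issuer " + ROOT,
])
BROKEN = "\n".join("> " + P + s for s in [
    "0. " + NODE + " X.509",
    "ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]",
    "san null",
    "issuer " + SIGNING,
])


def parse_chain(text):
    """Turn the debug dump into one dict per certificate, in chain order."""
    certs = []
    for raw in text.splitlines():
        m = LINE.search(raw)          # search, so mail quote prefixes are ignored
        if not m:
            continue
        body = m.group(1).strip()
        s = SUBJECT.match(body)
        if s:
            certs.append({"index": int(s.group(1)), "subject": s.group(2),
                          "san": [], "eku": [], "issuer": None})
            continue
        if not certs:
            continue                  # header lines such as "Certs count: 4"
        key, _, value = body.partition(" ")
        cur = certs[-1]
        if key == "san" and value != "null":
            cur["san"] = [(SAN_TYPES.get(int(t), "type-" + t), v.strip())
                          for t, v in SAN_ENTRY.findall(value)]
        elif key == "ext" and value != "null":
            cur["eku"] = [EKU.get(o, o) for o in OID.findall(value)]
        elif key == "issuer":
            cur["issuer"] = value
    return certs


def review_leaves(certs, expected=EXPECTED_SAN_TYPES):
    """Report SAN and EKU gaps for end-entity certificates in the dump."""
    issuers = {c["issuer"] for c in certs}
    report = []
    for c in certs:
        if c["subject"] in issuers:
            continue                  # CA certificate, SAN is normally absent
        present = {t for t, _ in c["san"]}
        problems = []
        if not present:
            problems.append("no subjectAltName entries")
        else:
            problems += ["missing SAN type " + t for t in expected if t not in present]
        problems += ["missing EKU " + u for u in EKU.values() if u not in c["eku"]]
        report.append({"subject": c["subject"], "san_types": sorted(present),
                       "problems": problems})
    return report


if __name__ == "__main__":
    for name, sample in (("reference", REFERENCE), ("broken", BROKEN)):
        for item in review_leaves(parse_chain(sample)):
            print(name, item["subject"], item["san_types"], item["problems"] or "ok")
```

Feed it the lines your own node logs after installing the debug build; a leaf reported with no SAN entries matches the "No issuer alternative names (san) found" trace earlier in the thread.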


does https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle work?

If not can you try using oracle jdk (instead of openjdk)?

···

Am 11.08.2016 um 18:26 schrieb Benjamin Shoemaker <bshoemaker@setonhill.edu>:

No, the kirk certificate provides the same results, as far as I can tell.

-Ben

On Thu, Aug 11, 2016 at 12:23 PM, SG <info@search-guard.com> wrote:
with the kirk certificate - does this work?

> Am 11.08.2016 um 17:58 schrieb Benjamin Shoemaker <bshoemaker@setonhill.edu>:
>
> I generated the certs with the example.sh script from search-guard-ssl.
>
> Should I be attempting to run the sgadmin.sh script with the 'kirk' certificate, or the node-0 certificate?
> I've added both to elasticsearch.yml as valid admin dn's.
>
>
> An example log is attached (using node-0 keystore)
>
> Thanks,
> Ben
>
>
> On Thu, Aug 11, 2016 at 11:34 AM, SG <info@search-guard.com> wrote:
> maybe i found something, seems like the node ssl certificate does not have the right san.
> How to you generated the certificates?
>
> pls. install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip
>
> and look for debug output like:
>
> [2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4
> [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
> [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1
> [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
> [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
> [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null
> [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
> [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
> [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
> [2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
> [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509
> [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1
> [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
> [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
> [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
>
>
>
> > Am 11.08.2016 um 16:58 schrieb Benjamin Shoemaker <bshoemaker@setonhill.edu>:
> >
> > Unfortunately, no luck there. I'm getting 'Generic Error' timeouts, now.
> >
> > Thank you for the suggestion, though!
> >
> > -Ben
> >
> > [2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]
> >
> > [2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers
> >
> > [2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/
> >
> > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context
> >
> > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]
> >
> > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null
> >
> > [2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found
> >
> > [2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request
> >
> > [2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]
> >
> > [2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups
> >
> > [2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/
> >
> > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context
> >
> > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]
> >
> > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null
> >
> > [2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found
> >
> >
> >
> >
> >
> >
> >
> >
> > On Thu, Aug 11, 2016 at 10:21 AM, <info@search-guard.com> wrote:
> > can you try to install the following Search Guard Version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip
> >
> > On Thursday, 11 August 2016 15:12:12 UTC+2, Benjamin Shoemaker wrote:
> > Yep - files are attached.
> >
> > We're running:
> > Distributor ID: Ubuntu
> >
> > Description: Ubuntu 16.04.1 LTS
> >
> > Release: 16.04
> >
> > Codename: xenial
> >
> >
> > openjdk version "1.8.0_91"
> >
> > OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)
> >
> > OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
> >
> >
> >
> >
> >
> > The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don't think those are necessarily a symptom.
> >
> >
> >
> > Its also worth noting that I've tried both the JDK and OpenSSL ssl implementations, and both appear to have the same result.
> >
> >
> >
> > Thanks!
> > Ben
> >
> >
> > On Wednesday, August 10, 2016 at 8:43:18 AM UTC-4, Benjamin Shoemaker wrote:
> > All-
> > We're attempting to implement SearchGuard.
> > We seem to have the SearchGuard-SSL side working pretty well - if search guard isn't up, we can serve the REST API over HTTPS.
> >
> > However, as soon as SearchGuard is installed, the API starts complaining that 'Search Guard not initialized (SG11)' , and we start seeing '[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized' in the logs.
> >
> > Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.
> >
> > However, when we attempted to run the scripts, we're seeing the following:
> >
> >
> >
> > root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv
> >
> > Connect to localhost:9300
> >
> > Clustername: SHU
> >
> > Clusterstate: YELLOW
> >
> > Number of nodes: 1
> >
> > Number of data nodes: 1
> >
> > searchguard index does not exists, attempt to create it ... done
> >
> > Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
> >
> > Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml
> >
> > SUCC Configuration for 'config' created or updated
> >
> > Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml
> >
> > SUCC Configuration for 'roles' created or updated
> >
> > Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
> >
> > SUCC Configuration for 'rolesmapping' created or updated
> >
> > Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml
> >
> > SUCC Configuration for 'internalusers' created or updated
> >
> > Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml
> >
> > SUCC Configuration for 'actiongroups' created or updated
> >
> > FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only
> >
> > Done with failures
> >
> >
> > In the logs, all we're seeing is:
> >
> > [2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:
> >
> > Context:
> >
> > [cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null
> >
> > [cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null
> >
> >
> >
> > [2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized
> >
> > [2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAc
> > tion] [Vader] Unable to load all configurations types. Loaded '' but should '[config, roles, rolesmapping, internalusers, actiongroups]'
> >
> >
> >
> > This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I'm doing something incorrect - any thoughts?
> >
> >
> > Thanks!
> > Ben
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> > You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
> > To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/1SVq0DCUk50/unsubscribe.
> > To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
> > To post to this group, send email to search-guard@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d2024bfb-0579-4d54-9790-17d690710ec6%40googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
> >
> >
> >
> > --
> > Ben Shoemaker
> > Programmer/Analyst
> > bshoemaker@setonhill.edu
> >
> > This document may contain confidential information and is intended solely
> > for the use of the addressee. If you received it in error, please contact
> > the sender at once and destroy the document. The document may contain
> > information subject to restrictions of the Family Educational Rights and
> > Privacy and the Gramm-Leach-Bliley Acts. Such information may not be
> > disclosed or used in any fashion outside the scope of the service for which
> > you are receiving the information.
> >
> > --
> > You received this message because you are subscribed to the Google Groups "Search Guard" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
> > To post to this group, send email to search-guard@googlegroups.com.
> > To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAD7M0J_SkderQ75F%3DhTtHvPP11vrO8GSO0-hpXZ8vZgREfzA7A%40mail.gmail.com.
> > For more options, visit https://groups.google.com/d/optout.
>
> --
> You received this message because you are subscribed to a topic in the Google Groups "Search Guard" group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/1SVq0DCUk50/unsubscribe.

--
Ben Shoemaker
Programmer/Analyst
bshoemaker@setonhill.edu


No luck.
I tried the search guard bundle, and then Oracle JDK w/ search guard bundle, and got the same results.

It makes me think there is some sort of network issue going on.

Is there a list of ports that need to be available? I had assumed just 9200 & 9300?

Is there a supported java version?

-Ben


On Thu, Aug 11, 2016 at 12:32 PM, SG info@search-guard.com wrote:

does https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle work?

If not can you try using oracle jdk (instead of openjdk)?

On 11.08.2016 at 18:26, Benjamin Shoemaker bshoemaker@setonhill.edu wrote:

No, the kirk certificate provides the same results, as far as I can tell.

-Ben

On Thu, Aug 11, 2016 at 12:23 PM, SG info@search-guard.com wrote:

with the kirk certificate - does this work?

On 11.08.2016 at 17:58, Benjamin Shoemaker bshoemaker@setonhill.edu wrote:

I generated the certs with the example.sh script from search-guard-ssl.

Should I be attempting to run the sgadmin.sh script with the ‘kirk’ certificate, or the node-0 certificate?

I’ve added both to elasticsearch.yml as valid admin dn’s.

An example log is attached (using node-0 keystore)

Thanks,

Ben

On Thu, Aug 11, 2016 at 11:34 AM, SG info@search-guard.com wrote:

maybe i found something, seems like the node ssl certificate does not have the right san.

How did you generate the certificates?

pls. install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip

and look for debug output like:

[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com

[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA

On 11.08.2016 at 16:58, Benjamin Shoemaker bshoemaker@setonhill.edu wrote:

Unfortunately, no luck there. I’m getting ‘Generic Error’ timeouts, now.

Thank you for the suggestion, though!

-Ben

[2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers

[2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

[2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request

[2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]

[2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups

[2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]

[2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null

[2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found

On Thu, Aug 11, 2016 at 10:21 AM, info@search-guard.com wrote:

can you try to install the following Search Guard Version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip

On Thursday, 11 August 2016 15:12:12 UTC+2, Benjamin Shoemaker wrote:

Yep - files are attached.

We’re running:

Distributor ID: Ubuntu

Description: Ubuntu 16.04.1 LTS

Release: 16.04

Codename: xenial

openjdk version “1.8.0_91”

OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)

OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)

The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don’t think those are necessarily a symptom.

It’s also worth noting that I’ve tried both the JDK and OpenSSL SSL implementations, and both appear to have the same result.

Thanks!

Ben

On Wednesday, August 10, 2016 at 8:43:18 AM UTC-4, Benjamin Shoemaker wrote:

All-

We’re attempting to implement SearchGuard.

We seem to have the SearchGuard-SSL side working pretty well - if search guard isn’t up, we can serve the REST API over HTTPS.

However, as soon as SearchGuard is installed, the API starts complaining that ‘Search Guard not initialized (SG11)’ , and we start seeing ‘[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized’ in the logs.

Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.

However, when we attempted to run the scripts, we’re seeing the following:

root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv

Connect to localhost:9300

Clustername: SHU

Clusterstate: YELLOW

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it … done

Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/

Will update ‘config’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml

SUCC Configuration for ‘config’ created or updated

Will update ‘roles’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml

SUCC Configuration for ‘roles’ created or updated

Will update ‘rolesmapping’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml

SUCC Configuration for ‘rolesmapping’ created or updated

Will update ‘internalusers’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml

SUCC Configuration for ‘internalusers’ created or updated

Will update ‘actiongroups’ with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml

SUCC Configuration for ‘actiongroups’ created or updated

FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only

Done with failures

In the logs, all we’re seeing is:

[2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:

Context:

[cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null

[cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null

[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized

[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded ‘’ but should ‘[config, roles, rolesmapping, internalusers, actiongroups]’

This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I’m doing something incorrect - any thoughts?

Thanks!

Ben


Ben Shoemaker
Programmer/Analyst
bshoemaker@setonhill.edu
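
The certificate-chain debug output that SG asks for earlier in this thread can be checked mechanically. The Python below is an added example, not part of any poster's message and not Search Guard code: it parses those SearchGuardTransportService lines and flags end-entity certificates whose SAN lacks the registeredID entry. Treating the [8, 1.2.3.4.5.5] entry from SG's sample as the expected one is an assumption of this example, as are the function names and the constructed node-1 certificate.

```python
import re
from dataclasses import dataclass, field

# GeneralName tags (RFC 5280) as they are numbered in the "san" debug line.
GENERAL_NAME = {1: "rfc822Name", 2: "dNSName", 6: "URI", 7: "iPAddress", 8: "registeredID"}
SAN_EXTENSION_OID = "2.5.29.17"  # subjectAltName

LOG_LINE = re.compile(r"\[DEBUG\]\[SearchGuardTransportService\]\s+(.*)$")
CERT_HEADER = re.compile(r"^(\d+)\.\s+(.+?)\s+X\.509$")
SAN_ENTRY = re.compile(r"\[(\d+),\s*([^\]]+)\]")

# Constructed sample: certificates 0 and 1 are copied from the debug output quoted
# in the thread; certificate 2 (node-1) is made up here to show a failing case.
SAMPLE_LOG = """\
[2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 3
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
[2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
[2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 2. CN=node-1.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-1.example.com], [7, 10.0.0.11]]
[2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
"""


@dataclass
class Cert:
    index: int
    subject: str
    issuer: str = ""
    oids: set = field(default_factory=set)   # critical + non-critical extension OIDs
    san: list = field(default_factory=list)  # [(general_name_tag, value), ...]


def _oid_list(value):
    """'[2.5.29.15, 2.5.29.19]' -> {'2.5.29.15', '2.5.29.19'}; 'null' -> empty set."""
    return set() if value == "null" else {v.strip() for v in value.strip("[]").split(",")}


def parse_chain(log_text):
    """Group the per-certificate debug lines into Cert records, in log order."""
    certs, current = [], None
    for raw in log_text.splitlines():
        m = LOG_LINE.search(raw)  # search() so that '> > ' quote prefixes are tolerated
        if not m:
            continue
        msg = m.group(1).strip()
        header = CERT_HEADER.match(msg)
        if header:
            current = Cert(int(header.group(1)), header.group(2))
            certs.append(current)
        elif current is None:
            continue  # e.g. the "Certs count: N" line before the first certificate
        elif msg.startswith(("crit oids ", "non crit oids ")):
            current.oids |= _oid_list(msg.split("oids ", 1)[1])
        elif msg.startswith("san "):
            current.san = [(int(t), v.strip()) for t, v in SAN_ENTRY.findall(msg)]
        elif msg.startswith("issuer "):
            current.issuer = msg[len("issuer "):]
    return certs


def describe_san(cert):
    """Render SAN entries with their GeneralName type, e.g. 'dNSName=localhost'."""
    return [f"{GENERAL_NAME.get(tag, str(tag))}={value}" for tag, value in cert.san]


def audit_leaves(certs, node_oid="1.2.3.4.5.5"):
    """Return {subject: [problems]} for end-entity certs (never an issuer in the chain).

    node_oid defaults to the registeredID shown in the thread's sample output;
    that it is the required value is an assumption of this example.
    """
    issuers = {c.issuer for c in certs}
    report = {}
    for c in certs:
        if c.subject in issuers:
            continue  # CA certificate, not expected to carry a node SAN
        problems = []
        if SAN_EXTENSION_OID not in c.oids or not c.san:
            problems.append("no subjectAltName extension")
        elif (8, node_oid) not in c.san:
            problems.append(f"SAN has no registeredID {node_oid}")
        report[c.subject] = problems
    return report


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_LOG)
    for cert in chain:
        print(cert.index, cert.subject, describe_san(cert))
    for subject, problems in audit_leaves(chain).items():
        print("OK  " if not problems else "FAIL", subject, "; ".join(problems))
```
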


Just to be sure: The search guard bundle worked or not?

Regarding network: 9200 and 9300 are normally OK, but from the logs I saw that you have only one node?

Regarding JVM: Best one is Oracle Java 8


On 12.08.2016 at 15:27, Benjamin Shoemaker <bshoemaker@setonhill.edu> wrote:

No luck.
I tried the search guard bundle, and then Oracle JDK w/ search guard bundle, and got the same results.

It makes me think there is some sort of network issue going on.
Is there a list of ports that need to be available? I had assumed just 9200 & 9300?
Is there a supported java version?

-Ben


On Thu, Aug 11, 2016 at 12:32 PM, SG <info@search-guard.com> wrote:
does https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle work?

If not can you try using oracle jdk (instead of openjdk)?

> On 11.08.2016 at 18:26, Benjamin Shoemaker <bshoemaker@setonhill.edu> wrote:
>
> No, the kirk certificate provides the same results, as far as I can tell.
>
> -Ben
>
> On Thu, Aug 11, 2016 at 12:23 PM, SG <info@search-guard.com> wrote:
> with the kirk certificate - does this work?
>
> > On 11.08.2016 at 17:58, Benjamin Shoemaker <bshoemaker@setonhill.edu> wrote:
> >
> > I generated the certs with the example.sh script from search-guard-ssl.
> >
> > Should I be attempting to run the sgadmin.sh script with the 'kirk' certificate, or the node-0 certificate?
> > I've added both to elasticsearch.yml as valid admin dn's.
> >
> >
> > An example log is attached (using node-0 keystore)
> >
> > Thanks,
> > Ben
> >
> >
> > On Thu, Aug 11, 2016 at 11:34 AM, SG <info@search-guard.com> wrote:
> > maybe i found something, seems like the node ssl certificate does not have the right san.
> > How did you generate the certificates?
> >
> > pls. install: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6cf-SNAPSHOT/search-guard-2-2.3.4.6cf-20160811.153248-1.zip
> >
> > and look for debug output like:
> >
> > [2016-08-11 17:25:01,805][DEBUG][SearchGuardTransportService] Certs count: 4
> > [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] 0. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
> > [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] serial 1
> > [2016-08-11 17:25:01,806][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
> > [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
> > [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] ian null
> > [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
> > [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
> > [2016-08-11 17:25:01,807][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
> > [2016-08-11 17:25:01,808][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] 1. CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com X.509
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] serial 2
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ext null
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] ian null
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] san null
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
> > [2016-08-11 17:25:01,809][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> > [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] 2. CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com X.509
> > [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] serial 1
> > [2016-08-11 17:25:01,810][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15, 2.5.29.19]
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ext null
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] ian null
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.35]
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] san null
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Root CA, OU=Example Com Inc. Root CA, O=Example Com Inc., DC=example, DC=com
> > [2016-08-11 17:25:01,811][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] 3. CN=node-0.example.com, OU=SSL, O=Test, L=Test, C=DE X.509
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] serial 1
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] crit oids [2.5.29.15]
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ext [1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] ian null
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] non crit oids [2.5.29.14, 2.5.29.17, 2.5.29.19, 2.5.29.35, 2.5.29.37]
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] san [[2, node-0.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] issuer CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
> > [2016-08-11 17:25:01,812][DEBUG][SearchGuardTransportService] sig alg SHA256withRSA
> >
> >
> >
> > > On 11.08.2016 at 16:58, Benjamin Shoemaker <bshoemaker@setonhill.edu> wrote:
> > >
> > > Unfortunately, no luck there. I'm getting 'Generic Error' timeouts, now.
> > >
> > > Thank you for the suggestion, though!
> > >
> > > -Ben
> > >
> > > [2016-08-11 14:56:59,954][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]
> > >
> > > [2016-08-11 14:56:59,955][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for internalusers
> > >
> > > [2016-08-11 14:56:59,955][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/
> > >
> > > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context
> > >
> > > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]
> > >
> > > [2016-08-11 14:56:59,956][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null
> > >
> > > [2016-08-11 14:57:00,870][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found
> > >
> > > [2016-08-11 14:57:00,872][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] Is not an inter cluster request
> > >
> > > [2016-08-11 14:57:02,681][ERROR][com.floragunn.searchguard.configuration.ConfigurationLoader] Generic error: ElasticsearchTimeoutException[Timeout waiting for task.]
> > >
> > > [2016-08-11 14:57:02,681][DEBUG][com.floragunn.searchguard.configuration.ConfigurationLoader] Looking for actiongroups
> > >
> > > [2016-08-11 14:57:02,682][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Action indices:data/read/get from null/
> > >
> > > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Context
> > >
> > > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] Header [_sg_conf_request]
> > >
> > > [2016-08-11 14:57:02,683][TRACE][com.floragunn.searchguard.filter.SearchGuardFilter] remote address: null
> > >
> > > [2016-08-11 14:57:05,874][TRACE][com.floragunn.searchguard.transport.SearchGuardTransportService] No issuer alternative names (san) found
> > >
> > > On Thu, Aug 11, 2016 at 10:21 AM, <info@search-guard.com> wrote:
> > > can you try to install the following Search Guard Version: https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-2/2.3.4.6tm-SNAPSHOT/search-guard-2-2.3.4.6tm-20160811.140959-1.zip
> > >
> > > On Thursday, 11 August 2016 15:12:12 UTC+2, Benjamin Shoemaker wrote:
> > > Yep - files are attached.
> > >
> > > We're running:
> > > Distributor ID: Ubuntu
> > >
> > > Description: Ubuntu 16.04.1 LTS
> > >
> > > Release: 16.04
> > >
> > > Codename: xenial
> > >
> > >
> > > openjdk version "1.8.0_91"
> > >
> > > OpenJDK Runtime Environment (build 1.8.0_91-8u91-b14-3ubuntu1~16.04.1-b14)
> > >
> > > OpenJDK 64-Bit Server VM (build 25.91-b14, mixed mode)
> > >
> > >
> > > The SSL Truncation Errors in the log appear when I force-killed sgadmin, so I don't think those are necessarily a symptom.
> > >
> > >
> > >
> > > It's also worth noting that I've tried both the JDK and OpenSSL SSL implementations, and both appear to have the same result.
> > >
> > >
> > >
> > > Thanks!
> > > Ben
> > >
> > >
> > > On Wednesday, August 10, 2016 at 8:43:18 AM UTC-4, Benjamin Shoemaker wrote:
> > > All-
> > > We're attempting to implement SearchGuard.
> > > We seem to have the SearchGuard-SSL side working pretty well - if search guard isn't up, we can serve the REST API over HTTPS.
> > >
> > > However, as soon as SearchGuard is installed, the API starts complaining that 'Search Guard not initialized (SG11)' , and we start seeing '[2016-08-10 02:58:55,677][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized' in the logs.
> > >
> > > Other threads have suggested that this is resolved by running the sgadmin script, to initialize the base configuration.
> > >
> > > However, when we attempted to run the scripts, we're seeing the following:
> > >
> > >
> > >
> > > root@localhost:/usr/share/elasticsearch/plugins/search-guard-2/tools# sudo ./sgadmin.sh -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn SHU -ks /home/ubuntu/search-guard-ssl/example-pki-scripts/node-0-keystore.jks -kspass changeit -ts /etc/elasticsearch/truststore.jks -tspass changeit -nhnv
> > >
> > > Connect to localhost:9300
> > >
> > > Clustername: SHU
> > >
> > > Clusterstate: YELLOW
> > >
> > > Number of nodes: 1
> > >
> > > Number of data nodes: 1
> > >
> > > searchguard index does not exists, attempt to create it ... done
> > >
> > > Populate config from /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/
> > >
> > > Will update 'config' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_config.yml
> > >
> > > SUCC Configuration for 'config' created or updated
> > >
> > > Will update 'roles' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles.yml
> > >
> > > SUCC Configuration for 'roles' created or updated
> > >
> > > Will update 'rolesmapping' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_roles_mapping.yml
> > >
> > > SUCC Configuration for 'rolesmapping' created or updated
> > >
> > > Will update 'internalusers' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_internal_users.yml
> > >
> > > SUCC Configuration for 'internalusers' created or updated
> > >
> > > Will update 'actiongroups' with /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/sg_action_groups.yml
> > >
> > > SUCC Configuration for 'actiongroups' created or updated
> > >
> > > FAIL: Expected 5 config types for node 66wwVFDqRl-85qwtB3f33Q but got only
> > >
> > > Done with failures
> > >
> > >
> > > In the logs, all we're seeing is:
> > >
> > > [2016-08-10 12:34:23,473][TRACE][com.floragunn.searchguard.auth.BackendRegistry] Headers:
> > >
> > > Context:
> > >
> > > [cursor, index: 3, key: _sg_ssl_cipher, value: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]=null
> > >
> > > [cursor, index: 7, key: _sg_ssl_protocol, value: TLSv1.2]=null
> > >
> > >
> > >
> > > [2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized
> > >
> > > [2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded '' but should '[config, roles, rolesmapping, internalusers, actiongroups]'
> > >
> > >
> > >
> > > This seems to indicate it needs to be initialized to run the sgadmin script? A catch-22? I imagine I'm doing something incorrect - any thoughts?
> > >
> > >
> > > Thanks!
> > > Ben


Trying to install the Search Guard bundle - https://github.com/floragunncom/search-guard/wiki/Search-Guard-Bundle

Anyone managed to fix this?

Getting the error - [2016-08-15 07:35:58,101][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (2 object) due to timeout

No, having exactly the same behavior.

I’m putting my updates in https://github.com/floragunncom/search-guard/issues/142#issuecomment-236005509


Interestingly, I was able to solve my issue - no idea of the root cause, though.

Initially, I was building a box on Amazon, and experiencing the timeouts, even though I certainly had security rules allowing 9200 & 9300.

As a last-ditch attempt, I built a box on our on-prem hosting with the same OS version, and everything worked flawlessly the first time through.

I imagine it was some sort of network-related glitch that I was missing, but I don’t know precisely what - I checked everything I could think of.

-Ben


Ben, do you have the ‘cloud-aws’ ES plugin installed?
My understanding is this is a requirement for 9300 discovery to work within AWS.

https://www.elastic.co/guide/en/elasticsearch/plugins/current/cloud-aws.html

With it installed auto-discovery works fine for me with 3+ EC2 instances/nodes.

thanks,

brian


I installed the “cloud-aws” plugin but still have the same issue on AWS. I can run the Search Guard bundle in a local environment but not on the cloud.

It works in AWS for sure… maybe confirm your security groups allow ES default ports 9200 (data) and 9300 (discovery)… and that you can reach them from each other. I ran sgadmin locally and it updated that node and there was a little propagation delay to the other nodes.

Basically I got one node working in ES with sgadmin and then a bit later the other nodes were happy as well once the index propagated.

Overall, I got ES set up and working before installing SG SSL.

Once SG SSL was working and TLS enabled between ES nodes I installed SG and ran sgadmin.

One problem I saw is that sgadmin didn’t run correctly the first time.

I had to restart ES and re-run sgadmin… and it stopped logging that ‘environment not found message’.

So my advice… keep bouncing ES and reload the SG plugin a few times.

Once the SG index that sgadmin creates is in ES and available on all nodes everything seems to behave perfectly on startup/shutdown.

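A small triage helper for the Search Guard log messages quoted in this thread, added here as an example; it is not Search Guard tooling and was not posted by any participant. The function names and hint wording are assumptions, and a partially loaded list is assumed to use the same `[a, b]` form the log uses for the expected list.

```python
import re

# Log lines copied from this thread (Elasticsearch 2.x log layout).
SAMPLE_LOG = """\
[2016-08-10 12:34:23,474][ERROR][com.floragunn.searchguard.auth.BackendRegistry] Not yet initialized
[2016-08-10 12:41:23,609][ERROR][com.floragunn.searchguard.action.configupdate.TransportConfigUpdateAction] [Vader] Unable to load all configurations types. Loaded '' but should '[config, roles, rolesmapping, internalusers, actiongroups]'
[2016-08-15 07:35:58,101][WARN ][com.floragunn.searchguard.configuration.ConfigurationLoader] Cannot retrieve configuration (2 object) due to timeout
"""

# "[timestamp][LEVEL ][logger] message"; the level field may be space-padded.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+) *\]\[(?P<logger>[^\]]+)\] ?(?P<msg>.*)$")
LOADED = re.compile(r"Loaded '(?P<got>[^']*)' but should '(?P<want>[^']*)'")
TIMEOUT = re.compile(r"Cannot retrieve configuration \((\d+) object\) due to timeout")


def _names(text):
    """Split "[a, b]" (or an empty string) into a set of names."""
    return {n.strip() for n in text.strip("[] ").split(",") if n.strip()}


def triage(log_text):
    """Count Search Guard init symptoms and collect config types never loaded."""
    out = {"not_initialized": 0, "timeouts": 0, "missing": set()}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or not m["logger"].startswith("com.floragunn.searchguard"):
            continue  # not a Search Guard log line
        msg = m["msg"]
        if "Not yet initialized" in msg:
            out["not_initialized"] += 1
        if TIMEOUT.search(msg):
            out["timeouts"] += 1
        loaded = LOADED.search(msg)
        if loaded:
            out["missing"] |= _names(loaded["want"]) - _names(loaded["got"])
    return out


def hints(summary):
    """Map each symptom to the check suggested for it in the thread."""
    found = []
    if summary["timeouts"]:
        found.append("config load timed out: check nodes reach each other on 9200/9300")
    if summary["missing"]:
        found.append("config types not loaded (%s): restart ES and re-run sgadmin"
                     % ", ".join(sorted(summary["missing"])))
    if summary["not_initialized"] and not found:
        found.append("not initialized: run sgadmin to create the searchguard index")
    return found


if __name__ == "__main__":
    for hint in hints(triage(SAMPLE_LOG)):
        print(hint)
```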