Hello,
I’m trying to get a fresh install of ES 6.2 / search-guard-ssl up and running. My primary interest is securing the REST endpoints with TLS. I’ve generated my SSL setup with search-guard-tls-tool with the following config:
```yaml
ca:
  root:
    dn: CN=root.ca.example.com,OU=CA,O=example Com, Inc.,DC=example,DC=com
    keysize: 2048
    validityDays: 3650
    pkPassword: auto
    file: root-ca.pem
  intermediate:
    dn: CN=signing.ca.example.com,OU=CA,O=example Com, Inc.,DC=example,DC=com
    keysize: 2048
    validityDays: 3650
    pkPassword: auto
defaults:
  validityDays: 3650
  pkPassword: auto
  generatedPasswordLength: 12
  httpsEnabled: true
  reuseTransportCertificatesForHttp: true
  verifyHostnames: false
  resolveHostnames: false
nodes:
  - name: node1
    dn: CN=node1.example.com,OU=Ops,O=example Com, Inc.,DC=example,DC=com
    dns: node1.example.com
```
This generated a config as follows:
```yaml
searchguard.ssl.transport.pemcert_filepath: node1.pem
searchguard.ssl.transport.pemkey_filepath: node1.key
searchguard.ssl.transport.pemkey_password: XXX
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: node1.pem
searchguard.ssl.http.pemkey_filepath: node1.key
searchguard.ssl.http.pemkey_password: XXX
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.http.clientauth_mode: NONE
```
I added the “searchguard.ssl.http.clientauth_mode: NONE”.
ES starts up without any issue. When trying to access:
```
curl -k https://localhost:9300/
```
I get the client side error:
```
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
```
And the ES log shows:
```
[2018-03-16T12:58:11,916][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [node1] SSL Problem null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
```
What am I doing wrong?
Thanks,
Mike
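
Added example, not part of the original post: a small triage script that cross-checks the three pieces of evidence quoted above (the requested URL, the logger that raised the error, and the `clientauth_mode` setting). The function names are hypothetical, and the port-to-listener mapping assumes Elasticsearch's default ports (9200 for HTTP, 9300 for transport), since the posted config sets neither.

```python
import re
from urllib.parse import urlsplit

# Assumption: Elasticsearch default ports (the posted config overrides neither).
DEFAULT_PORTS = {9200: "http", 9300: "transport"}

# Matches lines like: [timestamp][LEVEL][logger] [node] message
LOG_RE = re.compile(r"^\[[^\]]+\]\[\w+\s*\]\[(?P<logger>[^\]]+)\]\s*"
                    r"\[[^\]]+\]\s*(?P<msg>.*)$")

def parse_settings(text):
    """Parse flat 'key: value' elasticsearch.yml lines into a dict."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            settings[key.strip()] = value.strip()
    return settings

def layer_from_log(line):
    """Return (layer, message); the layer is inferred from the logger name."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None, None
    is_transport = m["logger"].strip().endswith("SearchGuardSSLNettyTransport")
    return ("transport" if is_transport else "unknown"), m["msg"]

def triage(url, log_line, settings):
    """Hypothetical helper: list what the three pieces of evidence agree on."""
    findings = []
    target = DEFAULT_PORTS.get(urlsplit(url).port, "unknown")
    layer, msg = layer_from_log(log_line)
    if target == "transport" and layer == "transport":
        findings.append("request hit the transport listener, not the REST listener")
    if msg and "null cert chain" in msg:
        findings.append("listener required a client certificate; none was presented")
    if layer == "transport" and settings.get("searchguard.ssl.http.clientauth_mode") == "NONE":
        findings.append("clientauth_mode NONE is scoped to searchguard.ssl.http only")
    return findings

# Inputs copied from the post above.
URL = "https://localhost:9300/"
LOG = ("[2018-03-16T12:58:11,916][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] "
       "[node1] SSL Problem null cert chain")
SETTINGS = parse_settings("searchguard.ssl.http.enabled: true\n"
                          "searchguard.ssl.http.clientauth_mode: NONE")

if __name__ == "__main__":
    for finding in triage(URL, LOG, SETTINGS):
        print("-", finding)
```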