No certificate path could be found: No issuer certificate for certificate in certification path foun

Hi,

I’m using the TLS offline tool to generate certificates. After I generated them, I found this error when I validated them.

tools/sgtlsdiag.sh -ca ../files/searchguard/tls/root-ca.pem -crt ../files/searchguard/tls/10.49.116.129.pem

WARNING: JAVA_HOME not set, will use /usr/bin/java

========================================================================

../files/searchguard/tls/10.49.116.129.pem


Certificate 1


        SHA1 FPR: e2dcccb4117928ce56f6af6614f194d7e36ba09b

         MD5 FPR: 13f77accfbfcd7f66d0a82bb56ea3560

Subject DN [RFC2253]: CN=10.49.116.129,OU=Technology Development,O=Refinitiv Company, Inc.,DC=Service Excellence,DC=Service Tools,C=US

   Serial Number: 1552408688812

Issuer DN [RFC2253]: CN=Signing Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company, Inc.,DC=Service Excellence,DC=Service Tools,C=US

      Not Before: Tue Mar 12 23:38:10 ICT 2019

       Not After: Thu Mar 11 23:38:10 ICT 2021

       Key Usage: digitalSignature nonRepudiation keyEncipherment

Signature Algorithm: SHA256WITHRSA

         Version: 3

Extended Key Usage: id_kp_serverAuth id_kp_clientAuth

Basic Constraints: -1

            SAN:

              iPAddress: 10.49.116.129

Certificate 2


        SHA1 FPR: c861bdd81d59e02751f77bf1edfe0bbf72d226f7

         MD5 FPR: 86ea5be9723c8ffe00d560eac7d66bcb

Subject DN [RFC2253]: CN=Signing Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company, Inc.,DC=Service Excellence,DC=Service Tools,C=US

   Serial Number: 2

Issuer DN [RFC2253]: CN=Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company, Inc.,DC=Service Excellence,DC=Service Tools,C=US

      Not Before: Tue Mar 12 23:38:10 ICT 2019

       Not After: Thu Mar 11 23:38:10 ICT 2021

       Key Usage: digitalSignature keyCertSign cRLSign

Signature Algorithm: SHA256WITHRSA

         Version: 3

Extended Key Usage: null

Basic Constraints: 0

            SAN: (none)

No certificate path could be found: No issuer certificate for certificate in certification path found.

What is the error message about? Can I still use the certificate?

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

24.1 and 6.6.0

  • Installed and used enterprise modules, if any

No

  • JVM version and operating system version

1.8

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Pls post the TLS tool config and the command line you executed to create the certificates.
Pls post also the TLS tool version which you have used.

On 12.03.2019 at 18:02, Worapoj Chokeanankun <worapojc@gmail.com> wrote:

Hi,

I'm using TLS offline tool to generate certificates. After I generated it, I found this error when I validated it.

tools/sgtlsdiag.sh -ca ../files/searchguard/tls/root-ca.pem -crt ../files/searchguard/tls/10.49.116.129.pem

WARNING: JAVA_HOME not set, will use /usr/bin/java

========================================================================

../files/searchguard/tls/10.49.116.129.pem

------------------------------------------------------------------------

Certificate 1

------------------------------------------------------------------------

            SHA1 FPR: e2dcccb4117928ce56f6af6614f194d7e36ba09b

             MD5 FPR: 13f77accfbfcd7f66d0a82bb56ea3560

Subject DN [RFC2253]: CN=10.49.116.129,OU=Technology Development,O=Refinitiv Company\, Inc.,DC=Service Excellence,DC=Service Tools,C=US

       Serial Number: 1552408688812

Issuer DN [RFC2253]: CN=Signing Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company\, Inc.,DC=Service Excellence,DC=Service Tools,C=US

          Not Before: Tue Mar 12 23:38:10 ICT 2019

           Not After: Thu Mar 11 23:38:10 ICT 2021

           Key Usage: digitalSignature nonRepudiation keyEncipherment

Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: id_kp_serverAuth id_kp_clientAuth

  Basic Constraints: -1

                SAN:

                  iPAddress: 10.49.116.129

------------------------------------------------------------------------

Certificate 2

------------------------------------------------------------------------

            SHA1 FPR: c861bdd81d59e02751f77bf1edfe0bbf72d226f7

             MD5 FPR: 86ea5be9723c8ffe00d560eac7d66bcb

Subject DN [RFC2253]: CN=Signing Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company\, Inc.,DC=Service Excellence,DC=Service Tools,C=US

       Serial Number: 2

Issuer DN [RFC2253]: CN=Compass Monitoring Events,OU=Technology Development,O=Refinitiv Company\, Inc.,DC=Service Excellence,DC=Service Tools,C=US

          Not Before: Tue Mar 12 23:38:10 ICT 2019

           Not After: Thu Mar 11 23:38:10 ICT 2021

           Key Usage: digitalSignature keyCertSign cRLSign

Signature Algorithm: SHA256WITHRSA

             Version: 3

  Extended Key Usage: null

  Basic Constraints: 0

                SAN: (none)

------------------------------------------------------------------------

No certificate path could be found: No issuer certificate for certificate in certification path found.

What is the error message about? Can I still use the certificate?

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
24.1 and 6.6.0
* Installed and used enterprise modules, if any
No
* JVM version and operating system version
1.8
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any
