no nodes available error when running sgadmin

Hi,

I’m trying to configure search-guard for a single node cluster.

  • Elasticsearch and search-guard V6.12
  • JVM version 8
  • No plugins installed other than search-guard for ES
  • Default sg_config.yml

I’m using the offline TLS tool for generating the certificates. Here is the configuration for tlsconfig.yml:


----------------------------------------------------------------------------------------------------------------

### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    # example: dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    dn: CN=root.ca.elementdata.com,OU=CA,O=ElementData\, Inc.,DC=elementdata,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    # Password for private key
    # Possible values:
    # - auto: automatically generated password, returned in config output;
    # - none: unencrypted private key;
    # - other values: other values are used directly as password
    #pkPassword: admin
    # The name of the generated files can be changed here
    file: root-ca.pem
    # If you have a certificate revocation list, you can specify its distribution points here
    # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  #intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    # example: dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    #dn: ...
    # The size of the generated key in bits
    #keysize: 2048
    # The validity of the generated certificate in days from now
    #validityDays: 3650
    # Password for private key
    #pkPassword: auto
    # The name of the generated files can be changed here
    #file: signing-ca.pem
    # If you have a certificate revocation list, you can specify its distribution points here
    # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl

###
### Default values and global settings
###
defaults:
  # The validity of the generated certificate in days from now
  validityDays: 3650
  # Password for private key
  # Possible values:
  # - auto: automatically generated password, returned in config output;
  # - none: unencrypted private key;
  # - other values: other values are used directly as password
  #pkPassword: admin
  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  #
  # Examples:
  # - "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/'
  # nodesDn:
  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute
  # nodeOid: "1.2.3.4.5.5"
  # The length of auto generated passwords
  generatedPasswordLength: 12
  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true
  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  # reuseTransportCertificatesForHttp: false
  # Set this to true to enable hostname verification
  #verifyHostnames: false
  # Set this to true to resolve hostnames
  #resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  # The node name is just used as name of the generated files
  - name: node0
    # The distinguished name of this node
    dn: CN=node0.elementdata.com,OU=Ops,O=ElementData\, Inc.,DC=elementdata,DC=com
    # DNS names of this node. Several names can be specified as list
    dns:
      - ec2-34-214-158-242.us-west-2.compute.amazonaws.com
      # - node1.exampleinc.com

    # The IP addresses of this node. Several addresses can be specified as list
    ip: 0.0.0.0
    # If you want to override the keysize, pkPassword or validityDays values from
    # the defaults, just specify them here.
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
# clients:
  # The client name is just used as name of the generated files
  - name: admin
    # The distinguished name of the client
    dn: CN=admin.elementdata.com,OU=Ops,O=ElementData\, Inc.,DC=elementdata,DC=com
    # To mark the client as super-user
    admin: true
    # If you want to override the keysize, pkPassword or validityDays values from
    # the defaults, just specify them here.
----------------------------------------------------------------------------------------------------------------

**After generating the certificates, and running sgadmin I get the following error:**


WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 … done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{sS3riekKSKifWph6zC_wBQ}{localhost}{127.0.0.1:9300}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{sS3riekKSKifWph6zC_wBQ}{localhost}{127.0.0.1:9300}]]
    at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
    at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
    at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
    at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
    at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:444)
    at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

----------------------------------------------------------------------------------------------------------------


Using Elasticsearch's nodes API in the cluster, I get this response from the following request:

curl -XGET 'localhost:9200/_nodes/nodeId1,nodeId2?pretty'

{
  "_nodes" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  },
  "cluster_name" : "elasticsearch",
  "nodes" : { }
}

Any ideas?

Thanks!

Can you please post the exact sgadmin call with all parameters and switches that you use?

Just a guess, could be a wrong or missing cluster name. Either provide the cluster name with the -cn switch, or tell sgadmin to ignore cluster names with the -icl switch.

On Friday, March 23, 2018 at 12:15:13 AM UTC+1, robert@elementdata.com wrote:

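
Added example, not part of either post and not Search Guard's own code: a shell sketch of the reply's suggestion that reads `cluster_name` from the nodes API response quoted in the question and builds the sgadmin call with `-cn`, falling back to `-icl` when no name can be read. The `../sgconfig/` directory and the `admin.pem` / `admin.key` file names are assumptions; `root-ca.pem`, `localhost` and `9300` come from the question.

```shell
#!/bin/sh
# Constructed sample: the nodes API response quoted in the question.
NODES_JSON='{ "_nodes" : { "total" : 0, "successful" : 0, "failed" : 0 },
  "cluster_name" : "elasticsearch", "nodes" : { } }'

# Print the value of "cluster_name" from a JSON document read on stdin.
# Prints nothing if the key is absent.
cluster_name_from_json() {
    tr -d '\n' |
        sed -n 's/.*"cluster_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print the cluster-name switch for sgadmin:
#   -cn <name>  when the cluster name is known
#   -icl        (ignore cluster name) when it is not
cluster_args() {
    if [ -n "$1" ]; then
        printf '%s %s' '-cn' "$1"
    else
        printf '%s' '-icl'
    fi
}

# Print the full sgadmin command line for a given nodes API response.
# Paths and certificate file names are assumptions (see lead-in).
sgadmin_command() {
    name=$(printf '%s' "$1" | cluster_name_from_json)
    printf './sgadmin.sh -cd ../sgconfig/ -cacert root-ca.pem -cert admin.pem -key admin.key -h localhost -p 9300 %s\n' \
        "$(cluster_args "$name")"
}

# Show the command for the response from the question.
sgadmin_command "$NODES_JSON"
```

If the admin key was generated with a password, sgadmin also needs `-keypass`.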