Hi,
I’m trying to configure search-guard for a single node cluster.
- Elasticsearch and search-guard V6.12
- JVM version 8
- No plugins installed other than search-guard for ES
- Default sg_config.yml
I’m using the offline TLS tool for generating the certificates. Here is the configuration for tlsconfig.yml:
```yaml
###
### Self-generated certificate authority
###
#
# If you want to create a new certificate authority, you must specify its parameters here.
# You can skip this section if you only want to create CSRs
#
ca:
  root:
    # The distinguished name of this CA. You must specify a distinguished name.
    # example: dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    dn: CN=root.ca.elementdata.com,OU=CA,O=ElementData\, Inc.,DC=elementdata,DC=com
    # The size of the generated key in bits
    keysize: 2048
    # The validity of the generated certificate in days from now
    validityDays: 3650
    # Password for private key
    # Possible values:
    # - auto: automatically generated password, returned in config output;
    # - none: unencrypted private key;
    # - other values: other values are used directly as password
    #pkPassword: admin
    # The name of the generated files can be changed here
    file: root-ca.pem
    # If you have a certificate revocation list, you can specify its distribution points here
    # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
  # If you want to use an intermediate certificate as signing certificate,
  # please specify its parameters here. This is optional. If you remove this section,
  # the root certificate will be used for signing.
  #intermediate:
    # The distinguished name of this CA. You must specify a distinguished name.
    # example: dn: CN=root.ca.example.com,OU=CA,O=Example Com\, Inc.,DC=example,DC=com
    #dn: ...
    # The size of the generated key in bits
    #keysize: 2048
    # The validity of the generated certificate in days from now
    #validityDays: 3650
    # Password for private key
    #pkPassword: auto
    # The name of the generated files can be changed here
    #file: signing-ca.pem
    # If you have a certificate revocation list, you can specify its distribution points here
    # crlDistributionPoints: URI:https://raw.githubusercontent.com/floragunncom/unittest-assets/master/revoked.crl
###
### Default values and global settings
###
defaults:
  # The validity of the generated certificate in days from now
  validityDays: 3650
  # Password for private key
  # Possible values:
  # - auto: automatically generated password, returned in config output;
  # - none: unencrypted private key;
  # - other values: other values are used directly as password
  #pkPassword: admin
  # Specifies to recognize legitimate nodes by the distinguished names
  # of the certificates. This can be a list of DNs, which can contain wildcards.
  # Furthermore, it is possible to specify regular expressions by
  # enclosing the DN in //.
  # Specification of this is optional. The tool will always include
  # the DNs of the nodes specified in the nodes section.
  #
  # Examples:
  # - "CN=*.example.com,OU=Ops,O=Example Com\\, Inc.,DC=example,DC=com"
  # - 'CN=node.other.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=*.example.com,OU=SSL,O=Test,L=Test,C=DE'
  # - 'CN=elk-devcluster*'
  # - '/CN=.*regex/'
  # nodesDn:
  # If you want to use OIDs to mark legitimate node certificates,
  # the OID can be included in the certificates by specifying the following
  # attribute
  # nodeOid: "1.2.3.4.5.5"
  # The length of auto generated passwords
  generatedPasswordLength: 12
  # Set this to true in order to generate config and certificates for
  # the HTTP interface of nodes
  httpsEnabled: true
  # Set this to true in order to re-use the node transport certificates
  # for the HTTP interfaces. Only recognized if httpsEnabled is true
  # reuseTransportCertificatesForHttp: false
  # Set this to true to enable hostname verification
  #verifyHostnames: false
  # Set this to true to resolve hostnames
  #resolveHostnames: false
###
### Nodes
###
#
# Specify the nodes of your ES cluster here
#
nodes:
  # The node name is just used as name of the generated files
  - name: node0
    # The distinguished name of this node
    dn: CN=node0.elementdata.com,OU=Ops,O=ElementData\, Inc.,DC=elementdata,DC=com
    # DNS names of this node. Several names can be specified as list
    dns:
      - ec2-34-214-158-242.us-west-2.compute.amazonaws.com
      # - node1.exampleinc.com
    # The IP addresses of this node. Several addresses can be specified as list
    ip: 0.0.0.0
    # If you want to override the keysize, pkPassword or validityDays values from
    # the defaults, just specify them here.
###
### Clients
###
#
# Specify the clients that shall access your ES cluster with certificate authentication here
#
# At least one client must be an admin user (i.e., a super-user). Admin users can
# be specified with the attribute admin: true
#
clients:
  # The client name is just used as name of the generated files
  - name: admin
    # The distinguished name of the client
    dn: CN=admin.elementdata.com,OU=Ops,O=ElementData\, Inc.,DC=elementdata,DC=com
    # To mark the client as super-user
    admin: true
    # If you want to override the keysize, pkPassword or validityDays values from
    # the defaults, just specify them here.
```
**After generating the certificates, and running sgadmin I get the following error:**
```text
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{sS3riekKSKifWph6zC_wBQ}{localhost}{127.0.0.1:9300}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{sS3riekKSKifWph6zC_wBQ}{localhost}{127.0.0.1:9300}]]
	at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
	at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
	at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
	at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:444)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
```
Using Elasticsearch's nodes API in the cluster, I get this response from the following request:

```sh
curl -XGET 'localhost:9200/_nodes/nodeId1,nodeId2?pretty'
```

```json
{
  "_nodes" : {
    "total" : 0,
    "successful" : 0,
    "failed" : 0
  },
  "cluster_name" : "elasticsearch",
  "nodes" : { }
}
```
Any ideas?
Thanks!
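An added example, not part of the original post or of the Search Guard tooling: it parses DNs of the form used in the tlsconfig.yml above (backslash-escaped commas included) and checks them against `nodesDn`-style patterns in the wildcard and `/regex/` forms the file's comments describe. The normalisation (split on unescaped commas, trim each RDN, full match) and the sample `nodesDn` list are assumptions of mine, not the poster's settings or Search Guard's exact matching code; the point it demonstrates is that a broad wildcard can also recognise the admin certificate as a node certificate.

```python
import re

def split_dn(dn):
    """Split a DN into RDNs on unescaped commas; a backslash-escaped comma
    (such as O=ElementData\\, Inc.) stays inside its RDN. RDNs are trimmed."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep the escape pair as-is
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns

def normalize_dn(dn):
    return ",".join(split_dn(dn))

def pattern_to_regex(pattern):
    """'/.../' is taken as a regular expression; anything else is a literal DN in
    which '*' matches any run of characters (assumed reading of the nodesDn comments)."""
    if len(pattern) > 2 and pattern[0] == pattern[-1] == "/":
        return re.compile(pattern[1:-1])
    return re.compile(".*".join(re.escape(p) for p in normalize_dn(pattern).split("*")))

def matches_nodes_dn(dn, patterns):
    """Return the patterns that recognise this DN as a node (full match, assumed)."""
    subject = normalize_dn(dn)
    return [p for p in patterns if pattern_to_regex(p).fullmatch(subject)]

def audit(node_dns, admin_dn, patterns):
    """Which patterns each node DN matches, and which patterns would also recognise
    the admin DN as a node (a super-user cert that doubles as a node cert breaks
    least privilege, so a non-empty second result is something to fix)."""
    report = {normalize_dn(d): matches_nodes_dn(d, patterns) for d in node_dns}
    return report, matches_nodes_dn(admin_dn, patterns)

# Constructed sample: the node0 and admin DNs from the tlsconfig.yml above, plus a
# hypothetical nodesDn list built from the comment examples (not the poster's setting).
NODE_DNS = ["CN=node0.elementdata.com,OU=Ops,O=ElementData\\, Inc.,DC=elementdata,DC=com"]
ADMIN_DN = "CN=admin.elementdata.com,OU=Ops,O=ElementData\\, Inc.,DC=elementdata,DC=com"
NODES_DN_PATTERNS = [
    "CN=*.elementdata.com,OU=Ops,O=ElementData\\, Inc.,DC=elementdata,DC=com",
    "CN=elk-devcluster*",
    "/CN=.*regex/",
]

if __name__ == "__main__":
    report, admin_hits = audit(NODE_DNS, ADMIN_DN, NODES_DN_PATTERNS)
    for dn, hits in report.items():
        print("node", dn, "->", hits or "NOT RECOGNISED")
    if admin_hits:
        print("WARNING: admin DN is also recognised as a node via", admin_hits)
```

With the sample patterns the first wildcard matches both node0 and the admin DN, because both share `OU=Ops` under `*.elementdata.com`; tightening the pattern (or pinning the node CN) removes the overlap.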