sg_config.yml (11.2 KB) elasticsearch.yml (4.7 KB)

Hello.
implementation ‘com.floragunn:search-guard-ssl:6.5.3-25.6’
elascticsearch version 6.5.3
searchGuard version 6

i created certificates on this manual Offline TLS Tool | Security for Elasticsearch | Search Guard

after it a have this keys

kirk.key
kirk.pem
node1.key
node1.pem
root-ca.key
root-ca.pem

acces to elascticsearch work fine https://localhost:9200/_searchguard/authinfo

with curl i can get aceess only with this param

curl --cacert root-ca.pem -u admin:admin -XGET “https://localhost:9200/_mapping”

with certificate node1.pem a have error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

1. why?

then look on this manual : Security for Elasticsearch | Using Transport Clients | Search Guard

with keystore and truestore i cath error: “ElasticsearchSecurityException No certificates found in keystore with alias server-crt”
then i set params without keystore lije this:

@Bean
public Client client() throws UnknownHostException {
Settings settings = Settings.builder()
.put(“cluster.name”, clusterName)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMKEY_FILEPATH, CONST + “node1.key”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMCERT_FILEPATH, CONST + “node1.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_PEMTRUSTEDCAS_FILEPATH, CONST + “root-ca.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION, false)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENABLE_OPENSSL_IF_AVAILABLE, false)
.put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_ENFORCE_HOSTNAME_VERIFICATION_RESOLVE_HOST_NAME, false)
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_ENABLED, true)
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMCERT_FILEPATH, CONST + “node1.pem”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMKEY_FILEPATH, CONST + “node1.key”)
.put(SSLConfigConstants.SEARCHGUARD_SSL_HTTP_PEMTRUSTEDCAS_FILEPATH, CONST + “root-ca.pem”)
.build();
TransportClient client = new PreBuiltTransportClient(settings, SearchGuardSSLPlugin.class);
client.addTransportAddress(new TransportAddress(InetAddress.getByName(esHost), esPort));
return client;
}

elasticsearch.log
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 455300000027000000000000000d08004d3603000016696e7465726e616c3a7463702f68616e647368616b6500

application.log
2019-10-23 12:14:14.244 ERROR 10877 — [ main] .d.e.r.s.AbstractElasticsearchRepository : failed to load elasticsearch nodes : org.elasticsearch.client.transport.NoNodeAvailableException: None of the configured nodes are available: [{#transport#-1}{8T3BU7CHQKyWYuwR98fJfA}{127.0.0.1}{127.0.0.1:9300}]

Now I do not know what to do.

For your problems with curl please have a look here first:

What is your output of curl -V ?

Using a Transportclient requires you to add the SearchGuardPlugin.class (not SearchGuardSSLPlugin.class) like described here: Transport Clients | Security for Elasticsearch | Search Guard

You can also have a look into the unit tests: src/test/java/com/floragunn/searchguard/TransportClientIntegrationTests.java · 6.5.x · search-guard / legacy / Search Guard · GitLab

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.