Optional: Client authentication Failed

I read the document: https://github.com/floragunncom/search-guard-ssl-docs/blob/master/quickstart.md, and I set up a test environment on my own Mac, but trying "Optional: Client authentication" failed. I need your help.

ES Error log:

[2016-07-07 14:20:48,524][ERROR][com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport] [node-0] SSL Problem null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1804)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:222)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
... 18 more
[2016-07-07 14:21:35,281][ERROR][com.floragunn.searchguard.ssl.http.netty.SearchGuardSSLNettyHttpServerTransport]

My OSX Chrome:

ERR_BAD_SSL_CLIENT_AUTH_CERT

I tried importing kirk-signed.pem and kirk.crt.pem into my Chrome, but both failed. (Generated files: kirk-keystore.jks, kirk-keystore.p12, kirk-signed.pem, kirk.crt.pem, kirk.csr, kirk.key.pem)

ES: elasticsearch-2.3.3

Search Guard SSL: search-guard-ssl-2.3.3.13

elasticsearch.yml:

node.name: node-0
network.host: 127.0.0.1
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.ssl.http.clientauth_mode: REQUIRE

Please help me, Thanks.

Were you able to solve this issue? I’m having the same problem.

On Thursday, July 7, 2016 at 5:06:05 AM UTC-3, miao.w...@gmail.com wrote:

Same here. I tried doing curl commands using all the generated .pem files and none worked as --cacert files to curl when I enabled searchguard.ssl.http.clientauth_mode: REQUIRE.

cat ./example-pki-scripts/kirk.crt.pem ./example-pki-scripts/ca/chain-ca.pem > ./kirk-cert-chain.pem
curl -k https://localhost:9200/_searchguard/sslinfo?pretty -E ./kirk-cert-chain.pem --key ./example-pki-scripts/kirk.key.pem

{
"principal" : "CN=kirk,OU=client,O=client,L=Test,C=DE",
"peer_certificates" : "3",
"ssl_protocol" : "TLSv1.2",
"ssl_cipher" : "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"ssl_openssl_available" : true,
"ssl_openssl_version" : 268439663,
"ssl_openssl_version_string" : "OpenSSL 1.0.1f 6 Jan 2014",
"ssl_openssl_non_available_cause" : "",
"ssl_provider_http" : "OPENSSL",
"ssl_provider_transport_server" : "OPENSSL",
"ssl_provider_transport_client" : "OPENSSL"
}

On Wednesday, 10 August 2016 20:16:33 UTC+2, Sam Mingolelli wrote:

Running this gives me:

curl: (58) SSL: Can't load the certificate "./kirk-cert-chain.pem" and its private key: OSStatus -25299

Does anyone know which of the generated certs I would use to use the JS ES client? I keep getting error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate

On Friday, August 12, 2016 at 4:37:51 AM UTC-4, Search Guard wrote: