Problem when running sgconfig.sh 45.0.0 against localhost

I installed the new standalone sgconfig and I’m unable to run it against localhost. Using -h somenode works fine, but not using -h localhost. I’m running an haproxy instance on localhost that runs in tcp mode against all elasticsearch nodes. Here’s the error:

$ /opt/search-guard/tools/sgadmin.sh -key "/etc/elasticsearch/Foo Admin.key" -cert "/etc/elasticsearch/Foo Admin.crt" -cacert /etc/elasticsearch/ca.crt -cd /opt/search-guard/sgconfig -cn foo -ff -h localhost |grep -vP '^\s'
WARNING: JAVA_HOME not set, will use /usr/bin/java
Search Guard Admin v7
Will connect to localhost:9300 ... done
14:48:40.516 [elasticsearch[_client_][transport_worker][T#4]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
14:48:40.598 [elasticsearch[_client_][transport_worker][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{SxEYJdD_TxqA7SaAAkvrNw}{localhost}{127.0.0.1:9300}]]

It seems one of my nodes had a bogus certificate. No idea why this only triggered on haproxy.
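
A TCP-mode proxy passes the TLS handshake through to whichever backend it picks, so a single node whose certificate does not chain to the CA given with -cacert is enough to produce the PKIX error above. The following is an added example, not part of the original posts: a shell helper that handshakes with each node directly and reports which one fails validation. The node names in the usage comment are hypothetical, and it assumes openssl is installed and that port 9300 answers with TLS directly.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes openssl is installed and that
# the transport port answers with TLS directly.

# Read `openssl s_client` output on stdin; print the verification result.
# Returns 0 only when the presented chain validated against the CA file.
verify_result() {
    out=$(cat)
    case "$out" in
        *"no peer certificate available"*)
            # Handshake died before a certificate arrived; older OpenSSL
            # still prints "Verify return code: 0 (ok)" in this case.
            echo "no peer certificate"; return 2 ;;
    esac
    result=$(printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]*Verify return code:[[:space:]]*//p' | head -n 1)
    case "$result" in
        "0 (ok)") echo "ok"; return 0 ;;
        "")       echo "no TLS handshake"; return 2 ;;
        *)        echo "$result"; return 1 ;;
    esac
}

# check_node CAFILE HOST [PORT]: handshake with one node, bypassing the proxy.
check_node() {
    openssl s_client -connect "$2:${3:-9300}" -CAfile "$1" \
        </dev/null 2>/dev/null | verify_result
}

# check_nodes CAFILE HOST...: report every node; non-zero if any node fails.
check_nodes() {
    cafile=$1; shift; bad=0
    for host in "$@"; do
        if status=$(check_node "$cafile" "$host"); then
            printf '%-24s OK\n' "$host"
        else
            printf '%-24s FAIL: %s\n' "$host" "$status"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage (hypothetical node names):
#   check_nodes /etc/elasticsearch/ca.crt es-node-1 es-node-2 es-node-3
```

A node reported as FAIL with a non-zero verify code is presenting a chain that the CA file does not anchor, which is the condition sgadmin rejects.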
