Search Guard not initialized (SG11) searchguard 6.7.1

#1

Hello, I try to configure Search Guard search-guard-6-6.7.1-25.1.zip with Elasticsearch 6.7.1.
When I add my cert, Elasticsearch starts, but I have an error: Search Guard not initialized (SG11). Then I removed /etc/elasticsearch, /usr/share/elasticsearch and /var/lib/elasticsearch and reinstalled Elasticsearch. Then I tried to install demo_configuration and I have the same error: Search Guard not initialized (SG11).
And I have one more question. How can I generate or create a CSR for the admin cert when I use a wildcard cert and root-ca-cert from my company?

.elasticsearch.log (9.1 KB)
elasticsearch.yml (4.0 KB)
searchguard_demo.log (150.9 KB)

#2

There seems to be an issue with your cluster state. From the logs I can see that Search Guard is trying to initialise, and when the SG index is created your cluster immediately goes into red cluster state:

[2019-05-13T14:17:11,627][INFO ][o.e.c.m.MetaDataCreateIndexService] [qw113ZZ] [searchguard] creating index, cause [api], templates [], shards [1]/[1], mappings []
[2019-05-13T14:17:11,658][INFO ][o.e.c.r.a.AllocationService] [qw113ZZ] updating number_of_replicas to [0] for indices [searchguard]
[2019-05-13T14:17:11,695][INFO ][o.e.c.r.a.AllocationService] [qw113ZZ] Cluster health status changed from [YELLOW] to [RED] (reason: [index [searchguard] created]).

What does your cluster topology look like, meaning how many nodes, master nodes, data nodes etc. do you have?

Regarding the admin cert: This is just a regular TLS client certificate, signed by your company's root CA. The only difference is that you configure it in elasticsearch.yml to be an admin cert. No other requirements apply.

You can use any tool to generate the CSR, like OpenSSL or our own TLS Tool:

#4

Thank you very much! This is a test server. Yesterday evening I added --accept-red-cluster to sgadmin and SG is initialised. Can you please give an example of generating an admin cert?

#5

An admin certificate is no different from other certificates. So if you already have generated CSRs for your cluster, you just need to generate another CSR for the admin cert and submit it to your PKI. Then you just need to configure it in elasticsearch.yml like:

searchguard.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de

Let me know if I did not understand your question correctly.

#6

Thank you very much, it works. But I have a new problem. On my local machine ELK 6.7.1 and SG 6.7.1 work correctly. When I add my cert in a Docker container I get this output:
[root@41b97860da99 tools]# bash sgadmin.sh --accept-red-cluster --enable-shard-allocation -key /usr/share/elasticsearch/config/admin1.key -cert /usr/share/elasticsearch/config/admin.pem -cacert /usr/share/elasticsearch/config/root-ca.pem -icl -nhnv -h linuxtest.**** -p 26300
Search Guard Admin v6
Will connect to linuxtest.******:26300 … done
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614)
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:119)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:110)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:135)
at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:277)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:914)
at com.floragunn.searchguard.tools.SearchGuardAdmin.execute(SearchGuardAdmin.java:451)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500)
at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:481)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605)
… 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: javax.net.ssl.SSLException: failed to initialize the server-side SSL context]; nested: SSLException[failed to initialize the server-side SSL context]; nested: KeyStoreException[Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid]; nested: KeyStoreException[Certificate chain is not valid];
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:351)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:151)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:194)
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:214)
… 13 more
Caused by: javax.net.ssl.SSLException: failed to initialize the server-side SSL context
at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:278)
at io.netty.handler.ssl.JdkSslServerContext.<init>(JdkSslServerContext.java:237)
at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:416)
at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:447)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore$1.run(DefaultSearchGuardKeyStore.java:785)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore$1.run(DefaultSearchGuardKeyStore.java:782)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:551)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLContext0(DefaultSearchGuardKeyStore.java:782)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:746)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:338)
… 16 more
Caused by: java.security.KeyStoreException: Key protection algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:696)
at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:593)
at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111)
at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1004)
at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1158)
at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1149)
at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:256)
… 25 more
Caused by: java.security.KeyStoreException: Certificate chain is not valid
at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:643)
… 32 more

I don’t understand why my certs are invalid in the Docker container.

elasticsearch.yml (848 Bytes)

docker image is elasticsearch:6.7.1

#7

Can you please share more details about your docker image and the Java version/vendor you are using.

Maybe the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are not installed (or crypto.policy=unlimited is not set in java-security). That means that you can not use AES 256 or RSA with more than 2048 bit keysize. Without the “Dockerfile” it’s hard to say what’s wrong.

Or you simply did create your certs/keys with a Key protection algorithm (KPA) which is not available in JSSE. Did you create them with OpenSSL or another tool? Please provide more details about your certs/keys and root/intermediate CA.
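
Added example, not part of the thread and not Search Guard code: the innermost exception in the trace above is "Certificate chain is not valid". Assuming that message means a certificate in the PEM file whose issuer is not the subject of the certificate that follows it, this Go program checks a leaf-first bundle for exactly that. The names `ChainProblems` and `Issue` and all certificates are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainProblems checks a PEM bundle that should run leaf -> root: each issuer must equal
// the next subject. Text around PEM blocks (e.g. PKCS#12 "Bag Attributes") is skipped.
func ChainProblems(bundle []byte) (problems []string) {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(blk.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
	for i := 0; i+1 < len(certs); i++ {
		if !bytes.Equal(certs[i].RawIssuer, certs[i+1].RawSubject) {
			problems = append(problems, fmt.Sprintf("cert %d: issuer %q is not the subject of cert %d", i, certs[i].Issuer, i+1))
		}
	}
	return problems
}

// Issue builds a constructed one-hour test certificate (nil parent = self-signed root); errors ignored.
func Issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), tpl, key
}

func main() {
	rootPEM, root, rootKey := Issue("Example Root CA", nil, nil)
	leafPEM, _, _ := Issue("kirk", root, rootKey)
	fmt.Println("leaf,root:", ChainProblems(append(leafPEM, rootPEM...)))
	fmt.Println("root,leaf:", ChainProblems(append(rootPEM, leafPEM...)))
}
```

The check compares names only and does not verify signatures or validity dates.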

#8

Dockerfile (605 Bytes)
This is my Dockerfile. I use the official elasticsearch 6.7.1 image.

I created my certs from a pfx container with OpenSSL. On a physical machine this cert works correctly. When I add this cert in a Docker container I get errors.

#11

The problem is solved. I created a Docker image from the official centos:latest image. I attach my Dockerfile. Dockerfile (857 Bytes)
Maybe it helps someone.

#12

Thanks for sharing the Dockerfile!