Searchguard.nodes_dn incorrect configured

kamolhasan · January 21, 2021, 4:05pm

Elasticsearch version:

7.5.2-oss with searchGuard

Describe the issue:

The Elasticsearch Run with the following nodes_dn in elasticsearch.yml:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=another.com,C=BD"

But it fails to run with the following config:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=mydb.com+O=another.com,C=BD"

Error:

{"type": "server", "timestamp": "2021-01-21T15:38:46,803Z", "level": "ERROR", "component": "c.f.s.t.SearchGuardRequestHandler", "cluster.name": "es-combined", "node.name": "es-combined-2", "message": "ElasticsearchException[Illegal parameter in http or transport request found.\nThis means that one node is trying to connect to another with \na non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone \nis spoofing requests. Check your TLS certificate setup as described here: See http://docs.search-guard.com/latest/troubleshooting-tls]" }

My transport certificate:

$ openssl x509 -text -noout -in transport.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:43:41:4f:fd:ce:da:48:7b:fa:ce:a3:ad:7a:93:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = elasticsearch, O = kubedb
        Validity
            Not Before: Jan 21 15:22:50 2021 GMT
            Not After : Apr 21 15:22:50 2021 GMT
        Subject: C = BD, O = mydb.com + O = another.com, OU = testing, CN = es-combined-transport

Questions:

How to write the nodes_dn when Organization(O)/OrganizationUnits(OU)/Countries© is a list/array?

kamolhasan · January 22, 2021, 3:58am

@srgbnd Can you please take a look?

srgbnd · January 22, 2021, 9:44am

A possible solution is to use regular expressions. For example

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=(mydb|another).com,C=BD"

kamolhasan · January 22, 2021, 10:11am

@srgbnd Thanks!

But It does work with OrganizationUnits:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing+OU=dev,O=mydb.com,C=BD"

Is it a parser bug?

srgbnd · January 22, 2021, 6:18pm

I don’t see regular expression in your example. Try

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=(testing|dev),O=mydb.com,C=BD"

kamolhasan · January 23, 2021, 3:18pm

I meant, it does work without the regular expression:

Cluster is up and running without any error with the following config:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing+OU=dev,O=mydb.com,C=BD"

But the parser is failing, If I do the same thing with organization( O ).
I use standard certificate library in my code that read the certificate file and returns the node_dn in standard format, that is why it is not easy for me to use regular expression to workaround the error.

Can you please inform me, whether it is a bug that is going to be fixed in future?

srgbnd · January 25, 2021, 7:30am

I would like to see the parser error. Share the Elasticsearch log.

srgbnd · January 25, 2021, 7:31am

Btw, what is the name of the library? Maybe we can configure it to return values in regex somehow?

kamolhasan · January 25, 2021, 8:25am

This is the standard crypto library for Golang:

https://golang.org/pkg/crypto/x509/pkix/#Name.String

String returns the string form of n, roughly following the RFC 2253 Distinguished Names syntax.

srgbnd · January 26, 2021, 1:39pm

Show me the Elasticsearch error.

system · February 16, 2021, 1:39pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.