Searchguard.nodes_dn incorrect configured

Elasticsearch version:

  • 7.5.2-oss with searchGuard

Describe the issue:

The Elasticsearch Run with the following nodes_dn in elasticsearch.yml:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=another.com,C=BD"

But it fails to run with the following config:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=mydb.com+O=another.com,C=BD"

Error:

{"type": "server", "timestamp": "2021-01-21T15:38:46,803Z", "level": "ERROR", "component": "c.f.s.t.SearchGuardRequestHandler", "cluster.name": "es-combined", "node.name": "es-combined-2", "message": "ElasticsearchException[Illegal parameter in http or transport request found.\nThis means that one node is trying to connect to another with \na non-node certificate (no OID or searchguard.nodes_dn incorrect configured) or that someone \nis spoofing requests. Check your TLS certificate setup as described here: See http://docs.search-guard.com/latest/troubleshooting-tls]" }

My transport certificate:

$ openssl x509 -text -noout -in transport.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0d:43:41:4f:fd:ce:da:48:7b:fa:ce:a3:ad:7a:93:ba
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = elasticsearch, O = kubedb
        Validity
            Not Before: Jan 21 15:22:50 2021 GMT
            Not After : Apr 21 15:22:50 2021 GMT
        Subject: C = BD, O = mydb.com + O = another.com, OU = testing, CN = es-combined-transport

Questions:

  • How to write the nodes_dn when Organization(O)/OrganizationUnits(OU)/Countries(C) is a list/array?

@srgbnd Can you please take a look?

A possible solution is to use regular expressions. For example

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing,O=(mydb|another).com,C=BD"

@srgbnd Thanks!

But It does work with OrganizationUnits:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing+OU=dev,O=mydb.com,C=BD"

Is it a parser bug?

I don’t see regular expression in your example. Try

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=(testing|dev),O=mydb.com,C=BD"

I meant, it does work without the regular expression:

Cluster is up and running without any error with the following config:

searchguard.nodes_dn:
- "CN=es-combined-transport,OU=testing+OU=dev,O=mydb.com,C=BD"

But the parser is failing, If I do the same thing with organization( O ).
I use standard certificate library in my code that read the certificate file and returns the node_dn in standard format, that is why it is not easy for me to use regular expression to workaround the error.

Can you please inform me, whether it is a bug that is going to be fixed in future?

I would like to see the parser error. Share the Elasticsearch log.

Btw, what is the name of the library? Maybe we can configure it to return values in regex somehow?

This is the standard crypto library for Golang:

String returns the string form of n, roughly following the RFC 2253 Distinguished Names syntax.

Show me the Elasticsearch error.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.