sgadmin.sh with -ksalias - no key alias named ?

Hi,

we want to upgrade to ElasticSearch-6.2.4 and searchguard-6.

Therefore we need an additional Admin/Client certificate for searchguard, since using the same one as the node certificate is prohibited from now on.

We are running a simple setup, ELK with one node only - and all on one server.

I've added a client certificate to the keystore.jks we are using; the alias is “sgadmin”.

Here's the call:

```
./sgadmin.sh --diagnose --configdir /path/to/elasticsearch-6.2.4/plugins/search-guard-6/sgconfig --clustername log-cluster --fail-fast -nhnv --keystore /path/to/environments/MY_ENV/keystore.jks --keystore-password ****** --disable-host-name-verification --truststore /path/to/environments/MY_ENV/truststore.jks --truststore-password ***** -ksalias sgadmin
```

The result looks like:

```
Search Guard Admin v6
Will connect to localhost:9300 … done
18:38:39.936 [main] ERROR com.floragunn.searchguard.ssl.util.SSLCertificateHelper - Alias sgadmin does not exist or contain a certificate chain
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563)
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:104)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:105)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:130)
at org.elasticsearch.client.transport.TransportClient.(TransportClient.java:262)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.(SearchGuardAdmin.java:871)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554)
… 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer: java.security.KeyStoreException: no key alias named sgadmin]; nested: KeyStoreException[no key alias named sgadmin];
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:276)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.(DefaultSearchGuardKeyStore.java:145)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.(SearchGuardSSLPlugin.java:193)
at com.floragunn.searchguard.SearchGuardPlugin.(SearchGuardPlugin.java:183)
… 12 more
Caused by: java.security.KeyStoreException: no key alias named sgadmin
at com.floragunn.searchguard.ssl.util.SSLCertificateHelper.exportDecryptedKey(SSLCertificateHelper.java:136)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:241)
… 15 more
```

The “sgadmin” certificate is a trusted certificate; I've added it to the keystore.jks using KeyStore Explorer, but without the whole certificate chain (Root CA and intermediate CA).

If I open the keystore.jks with java keytool instead, the alias is found:

```
$ keytool -list -keystore /global/zebra/elkstack/environments/MY_ENV/lizebrav1.bmwgroup.net.jks -alias sgadmin
Enter keystore password:
sgadmin, Jun 28, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 6F:15:DD:B1::F7:41:1C::D3:83:DA::53:75:51::33:E8:98
```

Any idea why sgadmin complains about a missing alias?

Thanx for any help,

Torsten

When you use an intermediate certificate, you usually place it alongside the leaf node. So the server will provide the leaf cert plus any intermediate certificates, and the client validates everything against the root CA. So, in this case, you might want to import the admin certificate with your intermediate certificate in the keystore.

You can of course also use PEM certificates here, so if you have all your certificates in PEM format there's actually no real technical need to import them into a truststore.
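Two things have to be true of the alias handed to `-ksalias` before the transport SSL layer can use it for client authentication: the entry must be a `PrivateKeyEntry` (the `exportDecryptedKey` frame in the trace above is trying to pull a private key out of the alias, and a `trustedCertEntry` like the one `keytool -list` shows for `sgadmin` holds only a certificate), and its chain should carry the intermediate CA alongside the leaf, as the reply recommends. The following checker, added here as an example and not part of the thread or of Search Guard, parses the verbose `keytool -list -v` output and reports which of those two conditions an alias fails. The keytool output embedded below is constructed to mirror the situation in the post (a certificate-only `sgadmin` entry next to a properly chained node entry); the alias names, subjects and dates are made up.

```python
"""Classify the entries in `keytool -list -v` output and explain why an alias
is not usable as a TLS client identity (e.g. for sgadmin.sh -ksalias).

Added example; the keytool output below is constructed, not taken from the
poster's keystore.
"""
import re
from dataclasses import dataclass, field

# Constructed `keytool -list -v` output: "sgadmin" was imported as a bare
# certificate (trustedCertEntry), "node" has a key plus a two-element chain.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: sgadmin
Creation date: Jun 28, 2018
Entry type: trustedCertEntry

Owner: CN=sgadmin, O=Example Corp
Issuer: CN=Example Intermediate CA, O=Example Corp
Serial number: 1a2b3c
Valid from: Thu Jun 28 00:00:00 CEST 2018 until: Fri Jun 28 00:00:00 CEST 2019


*******************************************
*******************************************


Alias name: node
Creation date: Jun 28, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=node1.example.test, O=Example Corp
Issuer: CN=Example Intermediate CA, O=Example Corp
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example Corp
Issuer: CN=Example Root CA, O=Example Corp


*******************************************
*******************************************
"""


@dataclass
class Entry:
    alias: str
    entry_type: str = ""
    chain_length: int = 0
    subjects: list = field(default_factory=list)   # Owner: lines, leaf first
    issuers: list = field(default_factory=list)    # Issuer: lines, leaf first


def parse_keytool_list(text):
    """Parse `keytool -list -v` output into {alias: Entry}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Alias name: (.+)", line)
        if m:
            current = Entry(alias=m.group(1).strip())
            entries[current.alias] = current
            continue
        if current is None:
            continue  # keystore header lines before the first alias
        if line.startswith("Entry type: "):
            current.entry_type = line[len("Entry type: "):]
        elif line.startswith("Certificate chain length: "):
            current.chain_length = int(line.split(":", 1)[1])
        elif line.startswith("Owner: "):
            current.subjects.append(line[len("Owner: "):])
        elif line.startswith("Issuer: "):
            current.issuers.append(line[len("Issuer: "):])
    # keytool prints no chain-length line for certificate-only entries
    for e in entries.values():
        if e.chain_length == 0:
            e.chain_length = len(e.subjects)
    return entries


def diagnose_admin_alias(entries, alias):
    """Return a list of problems that stop `alias` from acting as a TLS client
    identity; an empty list means the entry looks usable."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias '{alias}' is not present in the keystore"]
    if entry.entry_type != "PrivateKeyEntry":
        return [f"alias '{alias}' is a {entry.entry_type}: it holds a certificate "
                "but no private key, so it cannot authenticate as a TLS client; "
                "import the key together with its certificate chain as a PrivateKeyEntry"]
    problems = []
    leaf_self_signed = entry.subjects and entry.issuers and entry.subjects[0] == entry.issuers[0]
    if entry.chain_length == 1 and not leaf_self_signed:
        problems.append(f"alias '{alias}' holds only the leaf certificate issued by "
                        f"'{entry.issuers[0]}'; include the intermediate CA certificate "
                        "so the peer can build the chain up to the root it trusts")
    return problems


if __name__ == "__main__":
    ks = parse_keytool_list(SAMPLE_KEYTOOL_OUTPUT)
    for name in ks:
        print(name, diagnose_admin_alias(ks, name) or "ok")
```

To run it against a real keystore, pipe `keytool -list -v -keystore keystore.jks` into `parse_keytool_list`. When the checker reports a certificate-only entry, the repair is to build a PKCS#12 that bundles the private key, the leaf and the intermediate (`openssl pkcs12 -export -in admin.pem -inkey admin-key.pem -certfile intermediate.pem -name sgadmin -out admin.p12`, with file names of your own) and import that with `keytool -importkeystore -srckeystore admin.p12 -srcstoretype PKCS12 -destkeystore keystore.jks`; KeyStore Explorer's certificate import, which produced the `trustedCertEntry` in the post, never attaches a key.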

On Thursday, June 28, 2018 at 7:49:59 PM UTC+2, Torsten Reinhard wrote: