SSL Connection Problem between Logstash and ElasticSearch with SearchGuard

Hello. We are evaluating Searchguard for our security needs. I am trying to set up SSL between Logstash and Elasticsearch, however I get an error and the connection cannot be established. I am using the default configurations provided in the searchguard plugins and also generated my certificates with the Online plugin provided by SearchGuard itself.

Any help would be really appreciated.

  • Search Guard and Elasticsearch version

    ES Version: 5.6.5
    Search Guard Version: 5.6.5-18
    Logstash Version: 5.6.5

  • JVM version and operating system version:

    JVM: 8
    OS: Windows 10 Pro 64-bit

  • Logstash Conf File:

    input { stdin { } }

    output {
        elasticsearch {
            user => logstash
            password => logstash
            hosts => "131.101.126.39"
            ssl => true
            ssl_certificate_verification => false
        }
    }

  • Elasticsearch log messages on debug level

[2017-12-28T17:04:59,667][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [RSY_Ban] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_151]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_151]

Can you pls. post your elasticsearch.yml?
Can you access elasticsearch with a curl command like:

curl -kSsvv https://131.101.126.39:9200/ -u logstash:logstash

(In reply to Andrés González, Friday, 29 December 2017 00:10:09 UTC+1.)

Hi,
I have the same issue,
here is my curl output

# curl -kSsvv https://10.30.192.201:9200/ -u logstash:logstash
* Trying 10.30.192.201...
* Connected to 10.30.192.201 (10.30.192.201) port 9200 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: node-0.example.com (does not match '10.30.192.201')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=DE,L=Test,O=Test,OU=SSL,CN=node-0.example.com
* start date: Wed, 04 May 2016 20:45:28 GMT
* expire date: Fri, 04 May 2018 20:45:28 GMT
* issuer: DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Signing CA,CN=Example Com Inc. Signing CA
* compression: NULL
* ALPN, server did not agree to a protocol
* Server auth using Basic with user 'logstash'
> GET / HTTP/1.1
> Host: 10.30.192.201:9200
> Authorization: Basic bG9nc3Rhc2g6bG9nc3Rhc2g=
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 434
<
{
  "name" : "node-1",
  "cluster_name" : "searchguard_demo",
  "cluster_uuid" : "Mr3CNnx8TZC0Z9bCiDP9eQ",
  "version" : {
    "number" : "6.1.0",
    "build_hash" : "c0c1ba0",
    "build_date" : "2017-12-12T12:32:54.550Z",
    "build_snapshot" : false,
    "lucene_version" : "7.1.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 10.30.192.201 left intact

--------------- and here my logstash output conf
output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => ["https://10.30.192.201:9200","https://10.30.192.202:9200","https://10.30.192.203:9200"]
        user => "logstash"
        password => "logstash"
        ssl => "true"
        ssl_certificate_verification => "false"
        index => "fortinet-%{+YYYY.MM.dd}"
    }
}

(In reply to Search Guard, Friday, December 29, 2017 at 10:14:34 PM UTC+1.)

you have to configure "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf
ssl_certificate_verification is only about hostname verification but not about trusting every certificate.

See also http://docs.search-guard.com/latest/logstash#using-search-guard-with-logstash

(In reply to Omar mézrag, Saturday, 30 December 2017 14:54:39 UTC+1.)

Hi,

I have exactly the same problem as Andrés.

And when I add "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf, the error "SSL Problem Received fatal alert: certificate_unknown" disappears but I have a new error that seems to indicate that Logstash is trying to communicate with Elasticsearch in HTTP instead of HTTPS.

I used the online generator to generate all certificates (https://search-guard.com/tls-certificate-generator/).

Do you have any idea?

Regards,

(In reply to Search Guard, Saturday, 30 December 2017 20:51:42 UTC+1.)

https://groups.google.com/forum/#!searchin/search-guard/ssl_certificate_verification|sort:date/search-guard/3jBVTin7ymY/EreVEMG7CAAJ

you have to configure "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf
ssl_certificate_verification is only about hostname verification but not about trusting every certificate.
See also http://docs.search-guard.com/latest/logstash#using-search-guard-with-logstash

···

Am 13.03.2018 um 21:38 schrieb Florent LEPOUTRE <florent.lepoutre@gmail.com>:

Hi,
I have exactly the same problem as Andrés.
And when I add "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf, the error "SSL Problem Received fatal alert: certificate_unknown" disappears but I have a new error that seems to indicate that Logstash is trying to communicate with Elasticsearch in HTTP instead of HTTPS.
I used the online generator to generate all certificate (https://search-guard.com/tls-certificate-generator/\).
Do you have any idea ?

Regards,

Le samedi 30 décembre 2017 20:51:42 UTC+1, Search Guard a écrit :
you have to configure "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf
ssl_certificate_verification is only about hostname verification but not about trusting ever certificate.
See also Search Guard Documentation 404 | Security for Elasticsearch | Search Guard

On Saturday, 30 December 2017 14:54:39 UTC+1, Omar mézrag wrote:
Hi,
I have the same issue,
here are my curl output

# curl -kSsvv https://10.30.192.201:9200/ -u logstash:logstash
* Trying 10.30.192.201...
* Connected to 10.30.192.201 (10.30.192.201) port 9200 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: node-0.example.com (does not match '10.30.192.201')
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=DE,L=Test,O=Test,OU=SSL,CN=node-0.example.com
* start date: Wed, 04 May 2016 20:45:28 GMT
* expire date: Fri, 04 May 2018 20:45:28 GMT
* issuer: DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Signing CA,CN=Example Com Inc. Signing CA
* compression: NULL
* ALPN, server did not agree to a protocol
* Server auth using Basic with user 'logstash'
> GET / HTTP/1.1
> Host: 10.30.192.201:9200
> Authorization: Basic bG9nc3Rhc2g6bG9nc3Rhc2g=
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 434
<
{
  "name" : "node-1",
  "cluster_name" : "searchguard_demo",
  "cluster_uuid" : "Mr3CNnx8TZC0Z9bCiDP9eQ",
  "version" : {
    "number" : "6.1.0",
    "build_hash" : "c0c1ba0",
    "build_date" : "2017-12-12T12:32:54.550Z",
    "build_snapshot" : false,
    "lucene_version" : "7.1.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 10.30.192.201 left intact

--------------- and here my logstash output conf
output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => ["https://10.30.192.201:9200", "https://10.30.192.202:9200", "https://10.30.192.203:9200"]
        user => "logstash"
        password => "logstash"
        ssl => "true"
        ssl_certificate_verification => "false"
        index => "fortinet-%{+YYYY.MM.dd}"
    }
}

On Friday, December 29, 2017 at 10:14:34 PM UTC+1, Search Guard wrote:
Can you pls. post your elasticsearch.yml?
Can you access elasticsearch with a curl command like:

curl -kSsvv https://131.101.126.39:9200/ -u logstash:logstash

On Friday, 29 December 2017 00:10:09 UTC+1, Andrés González wrote:
Hello. We are evaluating Searchguard for our Security needs. I am trying to setup SSL between Logstash and Elasticsearch, however I get an error and the connection cannot be established. I am using the default configurations provided in searchguard plugins and also generated my certificates with the Online plugin provided by SearchGuard itself.

Any help would be really appreciated.

* Search Guard and Elasticsearch version
      ES Version: 5.6.5
      Search Guard Version: 5.6.5-18
      Logstash Version: 5.6.5

* JVM version and operating system version:
     JVM: 8
     OS: Windows 10 Pro 64-bit

* Logstash Conf File:
    input { stdin { } }

    output {
        elasticsearch {
            user => logstash
            password => logstash
            hosts => "131.101.126.39"
            ssl => true
            ssl_certificate_verification => false
        }
    }

* Elasticsearch log messages on debug level

[2017-12-28T17:04:59,667][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [RSY_Ban] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_151]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
        at java.lang.Thread.run(Unknown Source) [?:1.8.0_151]
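The distinction Search Guard draws above between trusting the server certificate (what `cacert` / `truststore` provide) and verifying the hostname (what `ssl_certificate_verification` controls), together with the CN mismatch visible in Omar's curl output (`common name: node-0.example.com (does not match '10.30.192.201')`), as an added example that is not part of the thread and not Search Guard's or Logstash's code: a POSIX shell script that creates a throwaway CA and node certificate and runs the two checks separately with the openssl CLI. The subject names are constructed to mirror the curl output but are generated locally; the script assumes openssl 1.1.0 or newer (for `-verify_hostname` / `-verify_ip`).

```shell
#!/bin/sh
# Added example, not code from the thread or from Search Guard: it reproduces the
# two separate checks a TLS client performs, using a throwaway CA and node
# certificate generated in a temporary directory. Requires the openssl CLI
# (1.1.0 or newer for -verify_hostname / -verify_ip).
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a private CA and a node certificate issued by it. The subject names are
# constructed to mirror the curl output in the thread (CN=node-0.example.com,
# issued by an "Example Com Inc. Signing CA"); they are test values only.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/O=Example Com Inc./CN=Example Com Inc. Signing CA" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/node.key" -out "$WORK/node.csr" \
        -subj "/C=DE/O=Test/OU=SSL/CN=node-0.example.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/node.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/node.crt" >/dev/null 2>&1
}

# Check 1, trust: is the node certificate signed by a CA the client trusts?
# With no CA file the only trust anchors are the system store, which does not
# contain our private CA, so no chain can be built. This is the client-side
# counterpart of the "certificate_unknown" alert in the Elasticsearch log.
verify_trust() {            # $1 = path to CA bundle, or "" for none configured
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" "$WORK/node.crt" >/dev/null 2>&1
    else
        openssl verify "$WORK/node.crt" >/dev/null 2>&1
    fi
}

# Check 2, identity: does the name the client connected to match the
# certificate? This is the check that ssl_certificate_verification => false
# in the thread's config switches off; it is independent of check 1.
verify_host() {             # $1 = DNS name the client dialled
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/node.crt" >/dev/null 2>&1
}
verify_ip() {               # $1 = IP address the client dialled
    openssl verify -CAfile "$WORK/ca.crt" -verify_ip "$1" "$WORK/node.crt" >/dev/null 2>&1
}

report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }

make_certs
report verify_trust ""                        # FAIL: no CA configured
report verify_trust "$WORK/ca.crt"            # ok: CA supplied (cacert / truststore)
report verify_host  node-0.example.com        # ok: name matches the certificate CN
report verify_ip    10.30.192.201             # FAIL: certificate carries no SAN for this IP
```

In the Logstash elasticsearch output the first check corresponds to `cacert => "/path/to/root-ca.pem"` (or `truststore` plus `truststore_password`), the second to `hosts` naming the certificate's subject (here `node-0.example.com`) rather than the bare IP. With certificates like the ones in the curl output the IP can never match, so either make the node names resolvable (DNS or /etc/hosts) or issue node certificates whose SAN lists the IP addresses, and only then turn `ssl_certificate_verification` back on.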
