SSL Problem Received fatal alert: certificate_unknown

Hello,

ELK_Version: 6.4.2

using docker

install

bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.4.2-23.2

``

bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.4.2-16/search-guard-kibana-plugin-6.4.2-16.zip

``

execute sgadmin:

-> Execute sgadmin.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Elasticsearch Version: 6.4.2

Search Guard Version: 6.4.2-23.2

Connected as CN=testing.test.com

Contacting elasticsearch cluster ‘test-ads’ and wait for YELLOW clusterstate …

Clustername: test-ads

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it … done (0-all replicas)

Populate config from /opt/elasticsearch/plugins/search-guard-6/sgconfig

Will update ‘sg/config’ with …/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘sg/roles’ with …/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘sg/rolesmapping’ with …/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘sg/internalusers’ with …/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘sg/actiongroups’ with …/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

``

elasticsearch.yml:

cluster.name: test-ads
node.name: es-test
network.host: 127.0.0.1
searchguard.ssl.transport.pemcert_filepath: nodecert1.pem
searchguard.ssl.transport.pemkey_filepath: nodeprivkey1.pem
searchguard.ssl.transport.pemtrustedcas_filepath: nodefullchain1.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: cert1.pem
searchguard.ssl.http.pemkey_filepath: privkey1.pem
searchguard.ssl.http.pemtrustedcas_filepath: fullchain1.pem
searchguard.nodes_dn:

  • CN=localhost,O=Let’s Encrypt,C=US
    searchguard.authcz.admin_dn:
  • CN=testing.test.com
  • “CN=*.test.com”
    xpack.security.enabled: false

``

kibana.yml:

elasticsearch.url: “https://localhost:9200
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “basicauth”
elasticsearch.requestHeadersWhitelist: [“Authorization”, “sgtenant”, “testing”]
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

``

when tray connect:

curl -k https://admin:admin@testing.test.com:9200/

curl: (7) Failed to connect to testing.test.com port 9200: Connection refused

``

when i restart elasticsearch and kibana:

[2018-11-30T08:42:16,349][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-test] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2018-11-30T08:42:16,786][INFO ][o.e.n.Node ] [es-test] stopping …

[2018-11-30T08:42:16,793][INFO ][c.f.s.a.s.SinkProvider ] Closing DebugSink

[2018-11-30T08:42:16,816][INFO ][o.e.x.w.WatcherService ] [es-test] stopping watch service, reason [shutdown initiated]

``

  • Installed and used enterprise modules, if any

  • JVM version and operating system version

  • Search Guard configuration files

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

Can you please run
curl -k -vv -u admin:admin https://testing.test.com:9200/

``

and post the results. I think this is just a connectivity issue and there is nothing listening on testing.test.com:9200
This is likely because of “network.host: 127.0.0.1”. Change this to “network.host: 0.0.0.0” or “network.host: testing.test.com

when I run curl -k -vv -u admin:admin https://testing.test.com:9200/

  • Trying 172.104.151.158…
  • TCP_NODELAY set
  • connect to 172.104.151.158 port 9200 failed: Connection refused
  • Failed to connect to testing.test.com port 9200: Connection refused
  • Closing connection 0
    curl: (7) Failed to connect totesting.test.com port 9200: Connection refused

``

Dana petak, 30. studenoga 2018. u 10:31:01 UTC+1, korisnik easy shop napisao je:

···

Hello,

ELK_Version: 6.4.2

using docker

install

bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.4.2-23.2

``

bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.4.2-16/search-guard-kibana-plugin-6.4.2-16.zip

``

execute sgadmin:

-> Execute sgadmin.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Elasticsearch Version: 6.4.2

Search Guard Version: 6.4.2-23.2

Connected as CN=testing.test.com

Contacting elasticsearch cluster ‘test-ads’ and wait for YELLOW clusterstate …

Clustername: test-ads

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it … done (0-all replicas)

Populate config from /opt/elasticsearch/plugins/search-guard-6/sgconfig

Will update ‘sg/config’ with …/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘sg/roles’ with …/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘sg/rolesmapping’ with …/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘sg/internalusers’ with …/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘sg/actiongroups’ with …/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

``

elasticsearch.yml:

cluster.name: test-ads
node.name: es-test
network.host: 127.0.0.1
searchguard.ssl.transport.pemcert_filepath: nodecert1.pem
searchguard.ssl.transport.pemkey_filepath: nodeprivkey1.pem
searchguard.ssl.transport.pemtrustedcas_filepath: nodefullchain1.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: cert1.pem
searchguard.ssl.http.pemkey_filepath: privkey1.pem
searchguard.ssl.http.pemtrustedcas_filepath: fullchain1.pem
searchguard.nodes_dn:

  • CN=localhost,O=Let’s Encrypt,C=US
    searchguard.authcz.admin_dn:
  • “CN=testing.test.com
  • “CN=*.test.com
    xpack.security.enabled: false

``

kibana.yml:

elasticsearch.url: “https://localhost:9200
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “basicauth”
elasticsearch.requestHeadersWhitelist: [“Authorization”, “sgtenant”, “testing”]
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

``

when tray connect:

curl -k https://admin:admin@testing.test.com:9200/

curl: (7) Failed to connect to testing.test.com port 9200: Connection refused

``

when i restart elasticsearch and kibana:

[2018-11-30T08:42:16,349][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-test] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2018-11-30T08:42:16,786][INFO ][o.e.n.Node ] [es-test] stopping …

[2018-11-30T08:42:16,793][INFO ][c.f.s.a.s.SinkProvider ] Closing DebugSink

[2018-11-30T08:42:16,816][INFO ][o.e.x.w.WatcherService ] [es-test] stopping watch service, reason [shutdown initiated]

``

  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

now work when i run curl -k -vv -u admin:admin https://testing.test.com:9200/

but I get new error for logstash and elasticsearch:

elasticsearch log:

[2018-12-21T10:17:12,556][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-index] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

``

logstash log:

[2018-12-21T10:17:57,759][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>“https://admin:xxxxxx@localhost:9200/”, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>“Elasticsearch Unreachable: [https://admin:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”}

``

Dana petak, 30. studenoga 2018. u 10:31:01 UTC+1, korisnik easy shop napisao je:

···

Hello,

ELK_Version: 6.4.2

using docker

install

bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.4.2-23.2

``

bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.4.2-16/search-guard-kibana-plugin-6.4.2-16.zip

``

execute sgadmin:

-> Execute sgadmin.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 … done

Elasticsearch Version: 6.4.2

Search Guard Version: 6.4.2-23.2

Connected as CN=testing.test.com

Contacting elasticsearch cluster ‘test-ads’ and wait for YELLOW clusterstate …

Clustername: test-ads

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it … done (0-all replicas)

Populate config from /opt/elasticsearch/plugins/search-guard-6/sgconfig

Will update ‘sg/config’ with …/sgconfig/sg_config.yml

SUCC: Configuration for ‘config’ created or updated

Will update ‘sg/roles’ with …/sgconfig/sg_roles.yml

SUCC: Configuration for ‘roles’ created or updated

Will update ‘sg/rolesmapping’ with …/sgconfig/sg_roles_mapping.yml

SUCC: Configuration for ‘rolesmapping’ created or updated

Will update ‘sg/internalusers’ with …/sgconfig/sg_internal_users.yml

SUCC: Configuration for ‘internalusers’ created or updated

Will update ‘sg/actiongroups’ with …/sgconfig/sg_action_groups.yml

SUCC: Configuration for ‘actiongroups’ created or updated

Done with success

``

elasticsearch.yml:

cluster.name: test-ads
node.name: es-test
network.host: 127.0.0.1
searchguard.ssl.transport.pemcert_filepath: nodecert1.pem
searchguard.ssl.transport.pemkey_filepath: nodeprivkey1.pem
searchguard.ssl.transport.pemtrustedcas_filepath: nodefullchain1.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: cert1.pem
searchguard.ssl.http.pemkey_filepath: privkey1.pem
searchguard.ssl.http.pemtrustedcas_filepath: fullchain1.pem
searchguard.nodes_dn:

  • CN=localhost,O=Let’s Encrypt,C=US
    searchguard.authcz.admin_dn:
  • “CN=testing.test.com
  • “CN=*.test.com
    xpack.security.enabled: false

``

kibana.yml:

elasticsearch.url: “https://localhost:9200
elasticsearch.username: “admin”
elasticsearch.password: “admin”
searchguard.auth.type: “basicauth”
elasticsearch.requestHeadersWhitelist: [“Authorization”, “sgtenant”, “testing”]
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

``

when tray connect:

curl -k https://admin:admin@testing.test.com:9200/

curl: (7) Failed to connect to testing.test.com port 9200: Connection refused

``

when i restart elasticsearch and kibana:

[2018-11-30T08:42:16,349][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-test] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2018-11-30T08:42:16,786][INFO ][o.e.n.Node ] [es-test] stopping …

[2018-11-30T08:42:16,793][INFO ][c.f.s.a.s.SinkProvider ] Closing DebugSink

[2018-11-30T08:42:16,816][INFO ][o.e.x.w.WatcherService ] [es-test] stopping watch service, reason [shutdown initiated]

``

  • Installed and used enterprise modules, if any
  • JVM version and operating system version
  • Search Guard configuration files
  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

i guess you are missing something like
   elasticsearch.ssl.certificateAuthorities: "/path/to/your/root-ca.pem"
in your kibana.yml

See https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-the-root-ca

···

Am 21.12.2018 um 11:19 schrieb easy shop <easyshop109@gmail.com>:

now work when i run curl -k -vv -u admin:admin https://testing.test.com:9200/

but I get new error for logstash and elasticsearch:

elasticsearch log:
[2018-12-21T10:17:12,556][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-index] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

logstash log:
[2018-12-21T10:17:57,759][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://admin:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://admin:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

Dana petak, 30. studenoga 2018. u 10:31:01 UTC+1, korisnik easy shop napisao je:
Hello,

ELK_Version: 6.4.2

using docker

install

bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.4.2-23.2
bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.4.2-16/search-guard-kibana-plugin-6.4.2-16.zip

execute sgadmin:

-> Execute sgadmin.sh

WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 ... done

Elasticsearch Version: 6.4.2

Search Guard Version: 6.4.2-23.2

Connected as CN=testing.test.com

Contacting elasticsearch cluster 'test-ads' and wait for YELLOW clusterstate ...

Clustername: test-ads

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it ... done (0-all replicas)

Populate config from /opt/elasticsearch/plugins/search-guard-6/sgconfig

Will update 'sg/config' with ../sgconfig/sg_config.yml

   SUCC: Configuration for 'config' created or updated

Will update 'sg/roles' with ../sgconfig/sg_roles.yml

   SUCC: Configuration for 'roles' created or updated

Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml

   SUCC: Configuration for 'rolesmapping' created or updated

Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml

   SUCC: Configuration for 'internalusers' created or updated

Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml

   SUCC: Configuration for 'actiongroups' created or updated

Done with success

elasticsearch.yml:

cluster.name: test-ads
node.name: es-test
network.host: 127.0.0.1
searchguard.ssl.transport.pemcert_filepath: nodecert1.pem
searchguard.ssl.transport.pemkey_filepath: nodeprivkey1.pem
searchguard.ssl.transport.pemtrustedcas_filepath: nodefullchain1.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: cert1.pem
searchguard.ssl.http.pemkey_filepath: privkey1.pem
searchguard.ssl.http.pemtrustedcas_filepath: fullchain1.pem
searchguard.nodes_dn:
- CN=localhost,O=Let's Encrypt,C=US
searchguard.authcz.admin_dn:
- "CN=testing.test.com"
- "CN=*.test.com"
xpack.security.enabled: false

kibana.yml:
elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
searchguard.auth.type: "basicauth"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "testing"]
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

when tray connect:

curl -k https://admin:admin@testing.test.com:9200/

curl: (7) Failed to connect to testing.test.com port 9200: Connection refused

when i restart elasticsearch and kibana:

[2018-11-30T08:42:16,349][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-test] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]

at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2018-11-30T08:42:16,786][INFO ][o.e.n.Node ] [es-test] stopping ...

[2018-11-30T08:42:16,793][INFO ][c.f.s.a.s.SinkProvider ] Closing DebugSink

[2018-11-30T08:42:16,816][INFO ][o.e.x.w.WatcherService ] [es-test] stopping watch service, reason [shutdown initiated]

* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d23bda2d-5ebe-4ef0-927d-37cf4f6595ee%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.