SSL Problem Received fatal alert: certificate_unknown

Search Guard
1

hi

elasticsearch.yml

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: sg_admin
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: sg_admin
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.

resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: sg_admin
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.

truststore_password: sg_admin
searchguard.authcz.admin_dn:
- CN=sg_user_admin, OU=client, O=client, L=Test, C=DE
- CN=s_elasticsearch, OU=client, O=client, L=Test, C=DE

Settings settings = Settings.builder()
                .put("[cluster.name](http://cluster.name/)", cluster)

                .put("client.transport.sniff", true)
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_FILEPATH, "/home/work/workspace/es_monitor/src/main/resources/sg_user_admin-keystore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_FILEPATH, "/home/work/workspace/es_monitor/src/main/resources/truststore.jks")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_KEYSTORE_PASSWORD, "sg_admin")
                .put(SSLConfigConstants.SEARCHGUARD_SSL_TRANSPORT_TRUSTSTORE_PASSWORD, "sg_admin")

// .put("path.home","/home/work/app/elasticsearch")
                .put("path.home","/")
                .build();

client = new PreBuiltTransportClient(settings,SearchGuardSSLPlugin.class);
client.threadPool().getThreadContext().putHeader(“Authorization”, "Basic "+ Base64.encode(“cluster_admin:fe32dWAd199”.getBytes()));


but it's  [transport_client_boss][T#5]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem

client log:

17:09:35.683 [elasticsearch[_client_][transport_client_boss][T#4]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[?:1.8.0_111]

	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:1.8.0_111]

	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:1.8.0_111]

	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:1.8.0_111]

	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_111]

	at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:218) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:527) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:481) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.7.Final.jar:4.1.7.Final]

	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_111]

	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_111]

	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[?:1.8.0_111]

	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:1.8.0_111]

	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:1.8.0_111]

	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	... 17 more

Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching host1 found.

	at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:204) ~[?:1.8.0_111]

	at sun.security.util.HostnameChecker.match(HostnameChecker.java:95) ~[?:1.8.0_111]

	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:1.8.0_111]

	at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[?:1.8.0_111]

	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[?:1.8.0_111]

	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_111]

	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:1.8.0_111]

	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:1.8.0_111]

	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_111]

	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:1.8.0_111]

	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1167) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1080) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	... 17 more

es master log:

[2017-05-18T17:09:35,682][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [host1] SSL Problem Received fatal alert: certificate_unknown

javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_111]

	at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:218) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1028) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:950) ~[netty-handler-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-codec-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:527) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:481) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441) [netty-transport-4.1.7.Final.jar:4.1.7.Final]

	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.7.Final.jar:4.1.7.Final]

	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_111]

but  when I ping host1 ,it's ok

cat cluster health, it's ok

curl -XGET 'http://cluster_admin:fe32dWAd199@host1:9200/_cat/health?v&pretty'

epoch      timestamp cluster       status node.total node.data shards pri relo init unassign pending_tasks max_task_wait_time active_shards_percent

1495015936 18:12:16  c3-es-privacy green           5         5     17   7    0    0        0             0                  -                100.0%