SSLHandshakeException: General SSLEngine problem

Daniel_Camara · May 23, 2018, 4:31pm

Hi I am trying to restore an index from one machine to another, with reindex, the problem is that I am having an error that I imagine is linked to search guard.

The source is the machine 128.95.36.46 and the target is 128.95.36.12. I tried to find how to do it, but I admit I didn’ t find some step by step guide. I imagine that I should pass the login and password some how, and I am pretty sure is this the problem. The thing is that i don’ t know how!

when I try this in Kibaana over the machine 128.95.36.46

POST _reindex
{
“source”: {
“remote”: {
“host”: “https://128.95.36.12:9200”
},
“index”: “test1”,
“size”: 10
},
“dest”: {
“index”: “test1”
}
}

I receive the following answer:

{
“error”: {
“root_cause”: [
{
“type”: “s_s_l_handshake_exception”,
“reason”: “General SSLEngine problem”
}
],
“type”: “s_s_l_handshake_exception”,
“reason”: “General SSLEngine problem”,
“caused_by”: {
“type”: “s_s_l_handshake_exception”,
“reason”: “General SSLEngine problem”,
“caused_by”: {
“type”: “validator_exception”,
“reason”: “PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target”,
“caused_by”: {
“type”: “sun_cert_path_builder_exception”,
“reason”: “unable to find valid certification path to requested target”
}
}
}
},
“status”: 500
}

The configuration of the whitelist is reindex.remote.whitelist: 128.95.36.46:9200 in one machine and reindex.remote.whitelist: 128.95.36.12:9200 on the other, is the only thing that changes on the elasticsearc.yml from the two servers. The config files are in attachment to the message.

Thank you for any help

– Daniel

When asking questions, please provide the following information:

Search Guard and Elasticsearch version : 6.2.2
Installed and used enterprise modules: No
JVM version and operating system version: 1.8.0_162 HotSpot
Search Guard configuration files
Elasticsearch log messages on debug level

[2018-05-23T18:05:18,318][WARN ][r.suppressed ] path: /_reindex, params: {}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) ~[?:?]
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) ~[?:?]
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_121]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509) ~[?:?]
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) ~[?:?]
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[?:?]
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[?:?]
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[?:?]
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[?:?]
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[?:?]
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) ~[?:?]
at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
… 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
… 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_121]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
… 9 more

Other installed Elasticsearch or Kibana plugins, if any

sg_config.yml (9.4 KB)

elasticsearch.yml (3.98 KB)

searchguard_google_group · May 24, 2018, 8:06pm

this is likely related to https://github.com/floragunncom/search-guard-ssl/issues/76

···

Am 23.05.2018 um 18:31 schrieb Daniel Camara <danielcamara@gmail.com>:

Hi I am trying to restore an index from one machine to another, with reindex, the problem is that I am having an error that I imagine is linked to search guard.

The source is the machine 128.95.36.46 and the target is 128.95.36.12. I tried to find how to do it, but I admit I didn' t find some step by step guide. I imagine that I should pass the login and password some how, and I am pretty sure is this the problem. The thing is that i don' t know how!

when I try this in Kibaana over the machine 128.95.36.46

POST _reindex
{
  "source": {
    "remote": {
      "host": "https://128.95.36.12:9200"
    },
    "index": "test1",
    "size": 10
  },
  "dest": {
    "index": "test1"
  }
}

I receive the following answer:

{
  "error": {
    "root_cause": [
      {
        "type": "s_s_l_handshake_exception",
        "reason": "General SSLEngine problem"
      }
    ],
    "type": "s_s_l_handshake_exception",
    "reason": "General SSLEngine problem",
    "caused_by": {
      "type": "s_s_l_handshake_exception",
      "reason": "General SSLEngine problem",
      "caused_by": {
        "type": "validator_exception",
        "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
        "caused_by": {
          "type": "sun_cert_path_builder_exception",
          "reason": "unable to find valid certification path to requested target"
        }
      }
    }
  },
  "status": 500
}

The configuration of the whitelist is reindex.remote.whitelist: 128.95.36.46:9200 in one machine and reindex.remote.whitelist: 128.95.36.12:9200 on the other, is the only thing that changes on the elasticsearc.yml from the two servers. The config files are in attachment to the message.

Thank you for any help

-- Daniel

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version : 6.2.2
* Installed and used enterprise modules: No
* JVM version and operating system version: 1.8.0_162 HotSpot
* Search Guard configuration files

* Elasticsearch log messages on debug level

[2018-05-23T18:05:18,318][WARN ][r.suppressed ] path: /_reindex, params: {}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) ~[?:?]
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_121]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509) ~[?:?]
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) ~[?:?]
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[?:?]
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[?:?]
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[?:?]
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[?:?]
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[?:?]
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) ~[?:?]
    at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
    ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
    ... 9 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_121]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]
    ... 9 more

* Other installed Elasticsearch or Kibana plugins, if any

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e581701d-0450-4fd2-88c7-e4373c264001%40googlegroups.com\.
For more options, visit https://groups.google.com/d/optout\.
<sg_config.yml><elasticsearch.yml>

jkressin · May 24, 2018, 10:32pm

So just to clarify, this is related to an Elastissearch bug. We raised an issue in the ES repo:

github.com/elastic/elasticsearch

Remote _reindex fail for HTTPS remotes

opened 10:28AM - 04 Nov 17 UTC

closed 03:18PM - 15 Feb 19 UTC

floragunn

>enhancement help wanted :Distributed/CRUD

**Elasticsearch version** (`bin/elasticsearch --version`): 6.0.0-rc2 **Plugi…ns installed**: [] **JVM version** (`java -version`): n/a **OS version** (`uname -a` if on a Unix-like system): n/a **Description of the problem including expected versus actual behavior**: Remote _reindex fail for HTTPS remotes when remote does use custom CA or requires a client certificate. It seems there are several ssl.* properties missing. For me it should look like: <pre> POST _reindex { "source": { "remote": { "host": "https://otherhost:9200", "username": "user", "password": "pass", "ssl.certificate_authorities": ..., //trust custom CA's "ssl.verification_mode": ..., "ssl.certificate": ..., //client certificate for PKI auth "ssl.key": ..., //client certificate key for PKI auth "ssl.key_passphrase": ..., }, "index": ... </pre> The root cause is that `TransportReindexAction.buildRestClient` does not support custom trusted CA's nor allow the ability to authenticate the initiating cluster via PKI because its not capable of sending client certificates. Its also not possible to adjust the certificate verification mode. If this is not going to be implemented there should be at least a note in the docs about this limitations here: * https://www.elastic.co/guide/en/x-pack/current/security-limitations.html * https://www.elastic.co/guide/en/x-pack/current/ccs-tribe-clients-integrations.html * https://www.elastic.co/guide/en/elasticsearch/reference/6.0/docs-reindex.html This also applies to ES 5.6 and earlier versions.

···

On Thursday, May 24, 2018 at 10:06:22 PM UTC+2, Search Guard wrote:

this is likely related to https://github.com/floragunncom/search-guard-ssl/issues/76

Am 23.05.2018 um 18:31 schrieb Daniel Camara danielcamara@gmail.com:

Hi I am trying to restore an index from one machine to another, with reindex, the problem is that I am having an error that I imagine is linked to search guard.

The source is the machine 128.95.36.46 and the target is 128.95.36.12. I tried to find how to do it, but I admit I didn’ t find some step by step guide. I imagine that I should pass the login and password some how, and I am pretty sure is this the problem. The thing is that i don’ t know how!

when I try this in Kibaana over the machine 128.95.36.46

POST _reindex

{

“source”: {

"remote": {

  "host": "[https://128.95.36.12:9200](https://128.95.36.12:9200)"

},

"index": "test1",

"size": 10

},

“dest”: {

"index": "test1"

}

I receive the following answer:

{

“error”: {

"root_cause": [

    "type": "s_s_l_handshake_exception",

    "reason": "General SSLEngine problem"

],

"type": "s_s_l_handshake_exception",

"reason": "General SSLEngine problem",

"caused_by": {

  "type": "s_s_l_handshake_exception",

  "reason": "General SSLEngine problem",

  "caused_by": {

    "type": "validator_exception",

    "reason": "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",

    "caused_by": {

      "type": "sun_cert_path_builder_exception",

      "reason": "unable to find valid certification path to requested target"

},

“status”: 500

}

The configuration of the whitelist is reindex.remote.whitelist: 128.95.36.46:9200 in one machine and reindex.remote.whitelist: 128.95.36.12:9200 on the other, is the only thing that changes on the elasticsearc.yml from the two servers. The config files are in attachment to the message.

Thank you for any help

– Daniel

When asking questions, please provide the following information:

Search Guard and Elasticsearch version : 6.2.2

Installed and used enterprise modules: No

JVM version and operating system version: 1.8.0_162 HotSpot

Search Guard configuration files

Elasticsearch log messages on debug level

[2018-05-23T18:05:18,318][WARN ][r.suppressed ] path: /_reindex, params: {}

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478) ~[?:?]

at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]

at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) ~[?:?]

at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) ~[?:?]

at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_121]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:305) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509) ~[?:?]

at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) ~[?:?]

at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[?:?]

at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[?:?]

at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[?:?]

at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[?:?]

at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[?:?]

at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:588) ~[?:?]

at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]

... 9 more

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]

... 9 more

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]

at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]

at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_121]

at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:?]

at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]

at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]

at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:966) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:963) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_121]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:283) ~[?:?]

at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:353) ~[?:?]

... 9 more

Other installed Elasticsearch or Kibana plugins, if any

–
You received this message because you are subscribed to the Google Groups “Search Guard Community Forum” group.

To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/e581701d-0450-4fd2-88c7-e4373c264001%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

<sg_config.yml><elasticsearch.yml>

Topic		Replies	Views
SSL exception when using the remote reindex API Search Guard	3	1571	November 7, 2017
javax.net.ssl.SSLHandshakeException: General SSLEngine problem Search Guard	0	1933	July 14, 2017
Unable to find valid certification path to requested target Search Guard	3	2063	August 18, 2019
Configuration issue on Prod server Search Guard	3	638	June 13, 2018
SSL Problem General SSLEngine problem during startup Search Guard	3	2530	November 28, 2018

SSLHandshakeException: General SSLEngine problem

Related Topics