Try to connect with a ssl node certificate instead of an admin client certificate

Hi,
I’ve just upgraded my ES from 5.5 to 5.6.2 but when I’m trying to launch sgadmin I’ve got this error:

```
ERR: You try to connect with a ssl node certificate instead of an admin client certificate
This may have worked in previous versions of Search Guard but is now forbidden
For more informations look here: https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md#configuring-the-admin-certificate
```

I’ve generated all the certificates from the certificate generator webpage

```
# cat /etc/elasticsearch/elasticsearch.yml

cluster.name: quicollectdev
node.name: qcmidev.inetworking.it
network.host: localhost
bootstrap.memory_lock: true
node.master: 1
node.data: 1
transport.tcp.port: 9300
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.*.*"]
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.transport.keystore_filepath: CN=qcmi03.inetworking.it-keystore.jks
searchguard.ssl.transport.keystore_password: password-generated
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: password-generated
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: password-generated
searchguard.ssl.http.keystore_filepath: CN=qcmi03.inetworking.it-keystore.jks
searchguard.ssl.http.keystore_password: password-generated

searchguard.authcz.admin_dn:
  - CN=sgadmin
```

this is the diagnose https://pastebin.com/90ukyZK6

I’ve placed the sgadmin-keystore and the truststore in plugins/search-guard-5/tools path:

```
[root@qcmidev tools]# pwd
/usr/share/elasticsearch/plugins/search-guard-5/tools
[root@qcmidev tools]# ll
total 576
-rw-r--r-- 1 elasticsearch elasticsearch 4060 4 ott 15.59 CN=sgadmin-keystore.jks
-rw-r--r-- 1 root root 214 4 ott 11.43 hash.bat
-rwxr-xr-x 1 root root 373 4 ott 11.43 hash.sh
-rwxr-xr-x 1 root root 18449 4 ott 11.43 install_demo_configuration.sh
-rw-r--r-- 1 root root 282 4 ott 11.43 sgadmin.bat
-rw-r--r-- 1 root root 542883 4 ott 16.21 sgadmin_diag_trace_2017-Oct-04_16-21-25.txt
-rwxr-xr-x 1 root root 414 4 ott 11.43 sgadmin.sh
-rw-r--r-- 1 elasticsearch elasticsearch 972 4 ott 15.59 truststore.jks
```

I’ve searched for a solution around but nothing. Any help is really appreciated

how do you call sgadmin.sh? pls. post the full command.


```
# pwd
/usr/share/elasticsearch/plugins/search-guard-5/tools

# sgadmin.sh -ts truststore.jks -tspass ************** -ks sgadmin-keystore.jks -kspass *************** -nhnv -icl -cd ../sgconfig/
```


It should look more like:

```
sgadmin.sh -ts truststore.jks -tspass ************** -ks "CN=sgadmin-keystore.jks" -kspass *************** -nhnv -icl -cd ../sgconfig/
```

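A pre-flight check for the mismatch discussed in this thread, as an added example that is not part of any post or of Search Guard's own tooling: it compares the subject (`Owner:`) in `keytool -list -v` output with the `searchguard.authcz.admin_dn` list from `elasticsearch.yml`. The function names are hypothetical, the sample inputs are constructed, and the whitespace-normalised exact string comparison is an assumption about how the DNs should match.

```shell
#!/bin/sh
# Added example: check that the keystore passed to sgadmin.sh via -ks holds an admin
# certificate (subject listed under admin_dn) and not a node certificate.
# Real use (keystore name taken from the thread, KSPASS is a placeholder variable):
#   check_admin_cert "$(keytool -list -v -keystore 'CN=sgadmin-keystore.jks' -storepass "$KSPASS")" \
#                    "$(cat /etc/elasticsearch/elasticsearch.yml)"

# Normalise a DN: trim both ends and drop whitespace after commas.
norm_dn() {
  printf '%s' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/,[[:space:]]*/,/g'
}

# Subject DN of the first certificate in `keytool -list -v` output.
owner_dn() { printf '%s\n' "$1" | sed -n 's/^Owner:[[:space:]]*//p' | head -n 1; }

# List entries under searchguard.authcz.admin_dn; blank lines inside the list are tolerated.
admin_dns() {
  printf '%s\n' "$1" | awk '
    /^searchguard\.authcz\.admin_dn:/ { in_list = 1; next }
    in_list && /^[ \t]*-[ \t]*/ { sub(/^[ \t]*-[ \t]*/, ""); gsub(/^"|"$/, ""); print; next }
    in_list && /^[^ \t#]/ { in_list = 0 }'
}

# Returns 0: subject is an admin DN, 1: it is not, 2: no certificate in the keytool output.
check_admin_cert() {
  cac_owner=$(norm_dn "$(owner_dn "$1")")
  [ -n "$cac_owner" ] || return 2
  while IFS= read -r cac_dn; do
    [ "$(norm_dn "$cac_dn")" = "$cac_owner" ] && return 0
  done <<EOF
$(admin_dns "$2")
EOF
  return 1
}

# Constructed sample inputs (not the real keystores or issuer from the thread).
SAMPLE_YML='searchguard.ssl.http.enabled: false
searchguard.authcz.admin_dn:

  - CN=sgadmin
'
SAMPLE_ADMIN_KS='Alias name: sgadmin
Owner: CN=sgadmin
Issuer: CN=Example Root CA'
SAMPLE_NODE_KS='Alias name: node
Owner: CN=qcmi03.inetworking.it
Issuer: CN=Example Root CA'

check_admin_cert "$SAMPLE_NODE_KS" "$SAMPLE_YML" || echo "node certificate: not listed in admin_dn"
```

Passing `-storepass` on the command line exposes the keystore password to other local users through the process list; omit it to have `keytool` prompt instead.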