I’m trying to make clientcert auth work.
I switched on debugging, and all the client gets is a 403 and the logfile says:
Try to extract auth creds from http clientcert
I’m using a test cluster with the certs generated by example scripts.
Here’s the client command:
curl --cacert /etc/searchguard/example-pki-scripts/ca/chain-ca.pem -E /etc/searchguard/example-pki-scripts/kirk.all.pem https://node-1.example.com:9200/
Basic Auth for user kirk works fine.
Any idea where to start looking?
Please try to set the http client auth mode to OPTIONAL in elasticsearch.yml:
searchguard.ssl.http.clientauth_mode: OPTIONAL
On Wednesday, 18 January 2017 15:38:14 UTC+1, Fabien Wernli wrote:
I’m trying to make clientcert auth work.
I switched on debugging, and all the client gets is a 403 and the logfile says:
Try to extract auth creds from http clientcert
I’m using a test cluster with the certs generated by example scripts.
Here’s the client command:
curl --cacert /etc/searchguard/example-pki-scripts/ca/chain-ca.pem -E /etc/searchguard/example-pki-scripts/kirk.all.pem https://node-1.example.com:9200/
Basic Auth for user kirk works fine.
Any idea where to start looking?
Thanks Jochen!
It didn’t work, but then I tried using REQUIRE, and guess what popped up in the logs:
ElasticsearchException[searchguard.ssl.http.truststore_filepath must be set if http ssl and client auth is reqested.]
That was it: I didn’t set up the truststore on http (only did it for transport).
Now it works, kudos!
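
The fix described in this thread, written out as an elasticsearch.yml fragment. This is an added example, not configuration posted by either participant; the keystore and truststore file names and the password values are placeholders, and the thread does not say which clientauth_mode was kept in the end.

```yaml
# elasticsearch.yml (added example; file names and passwords are placeholders)

# Transport layer (node-to-node). In the thread this layer already had its
# truststore configured, which is why the cluster itself ran normally.
searchguard.ssl.transport.keystore_filepath: node-1-keystore.jks        # placeholder
searchguard.ssl.transport.keystore_password: "<keystore-password>"      # placeholder
searchguard.ssl.transport.truststore_filepath: truststore.jks           # placeholder
searchguard.ssl.transport.truststore_password: "<truststore-password>"  # placeholder

# HTTP (REST) layer, BEFORE the fix: TLS enabled, but no truststore.
# As reported above, with OPTIONAL the request with the client certificate
# got a 403 and only the "Try to extract auth creds from http clientcert"
# debug line; with REQUIRE the node logged the explicit
# "truststore_filepath must be set" exception.
#
# searchguard.ssl.http.enabled: true
# searchguard.ssl.http.keystore_filepath: node-1-keystore.jks
# searchguard.ssl.http.keystore_password: "<keystore-password>"
# searchguard.ssl.http.clientauth_mode: OPTIONAL

# HTTP (REST) layer, AFTER the fix: the HTTP layer gets its own truststore
# setting. It must contain the CA chain that signed the client certificate
# (kirk.all.pem in the curl command above).
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: node-1-keystore.jks             # placeholder
searchguard.ssl.http.keystore_password: "<keystore-password>"           # placeholder
searchguard.ssl.http.truststore_filepath: truststore.jks                # placeholder
searchguard.ssl.http.truststore_password: "<truststore-password>"       # placeholder
# OPTIONAL accepts requests with or without a client certificate, so Basic
# Auth keeps working; REQUIRE rejects any connection without one.
searchguard.ssl.http.clientauth_mode: OPTIONAL
```

The transport and HTTP truststore settings are independent keys, so a working transport layer says nothing about whether the REST layer can validate client certificates.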