Unable to CURL elasticsearch after search-guard initialization

DETAIL ERROR:
command: curl --cacert "/path/root-ca.pem" XGET "https://<IP_Address:9300/_cluster/_health?pretty>" or curl -k XGET "https://<IP_Address:9300/_cluster/_health?pretty>"
error: you are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

I'm using ElasticSearch-2.3.4, and configured the following on one machine, using the same binaries but different config files:

  1. elasticsearch_master (A Master Node) (/etc/elasticsearch_master) {node.master=true, node.data=false}
  2. elasticsearch_data (A Data Node) (/etc/elasticsearch_data) {node.master=false, node.data=true}
  3. elasticsearch_search (A Search Node) (/etc/elasticsearch_search) [Search Load Balancer] {node.master=false, node.data=false}
  4. logstash-2.3.4
  5. Kibana4

and the binaries are installed in /usr/share/elasticsearch/

Cluster Name: elasticsearch
I'm using AWS for discovering the network hosts, so I can't provide a specific hostname or set localhost. Of course I could do that, but it doesn't make sense for my research in later stages, so I'm going with AWS discovery.

I installed the search-guard-ssl plugin and configured OpenSSL according to the documentation.

I pulled the search-guard-ssl git repo and used the example.sh script to generate the certificates; however, I customized the script to generate certs for the specific IP (172.16.189.16, replacing 127.0.0.1) of the machine, just for one node. Everything went well.
I configured "node-0-keystore.jks" and "truststore.jks" in the elasticsearch.yml of all the nodes for both transport and https/REST, and disabled hostname verification for good reasons. I bounced the nodes and all the nodes joined the cluster. So far so good. I configured the generated "root-ca.pem" for logstash and kibana and was able to access the logs over a secured layer (TLSv1.2) without an issue.

searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: JKS
searchguard.ssl.transport.keystore_filepath: node-0-keystore.jks
searchguard.ssl.transport.keystore_password: changeit
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: changeit
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enable_openssl_if_available: true
searchguard.ssl.transport.enabled_protocols:
  - "TLSv1.2"

searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_type: JKS
searchguard.ssl.http.keystore_filepath: node-0-keystore.jks
searchguard.ssl.http.keystore_password: changeit
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: changeit
searchguard.ssl.http.enforce_hostname_verification: false
searchguard.ssl.http.resolve_hostname: false
searchguard.ssl.http.enable_openssl_if_available: true
searchguard.ssl.http.enabled_protocols:
  - "TLSv1.2"

When I used curl to check the cluster health or verify indices, I was able to get the JSON data; I used root-ca.pem again for the curl call. SUCCESS
curl --cacert "/path/root-ca.pem" XGET "https://<IP_Address:9300/_cluster/_health?pretty>"

Then I installed the search-guard-2 plugin, presuming the SSL part was successful.

Updated elasticsearch.yml config for all the nodes:

searchguard.authcz.admin_dn:
  - "CN=admin,OU=client,O=client,l=tEst, C=De"

chmod g+x /usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh
chmod g+x /usr/share/elasticsearch/plugins/search-guard-2/tools/hash.sh

/usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -h 172.16.189.16 -p 9300 -ks "/path to my node's keystore file(node-0-keystore.jks)" -ts "/path to my truststore file(truststore.jks)" \
-kspass changeit -tspass changeit -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig -cn elasticsearch -sniff -nhnv

Elasticsearch listening:

Master:
172.16.189.16:9200 172.16.189.16:9300
Data:
172.16.189.16:9201 172.16.189.16:9301
Search:
172.16.189.16:9202 172.16.189.16:9302

Kibana.yml:
elasticsearch.url: "https://172.16.189.16:9202"

All the config files were updated without error and I believed Search-Guard-2 was initialized successfully. When I tried to access the log files using the Kibana GUI, I got an authorization error. I wanted to use sg_internal_users for authentication and authorization of Elasticsearch indices. But before doing that, I tried to check the cluster health with curl, just like before.
Now I'm getting the error I mentioned at the start of this post. I'm confused and have literally been stuck for hours. Neither of the .pem files used earlier (root-ca.pem or node-0-signed.pem) works now.

Logstash output config:

output {
  elasticsearch {
    user => "logstash"
    password => "logstash"
    hosts => "https://172.16.189.16:9200"
    index => "%{index_name}-%{+YYYY.MM.dd}"
    cacert => "/path/root-ca.pem"
    ssl => true
    ssl_verification_check => true
  }
}

Logstash is throwing a 403 unauthorized error.

CURL Errors: (After Search-Guard-2 Initialization)

curl --cacert "/path/root-ca.pem" XGET "https://<IP_Address:9300/_cluster/_health?pretty>"
curl 35: you are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

OR

curl --cacert "/path/node-0-signed.pem" XGET "https://<IP_Address:9300/_cluster/_health?pretty>"
curl 35: you are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

OR

curl --cacert -user logstash[:logstash] "/path/node-0-signed.pem" XGET "https://<IP_Address:9300/_cluster/_health?pretty>"
curl 35: you are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

OR

curl -k XGET "https://<IP_Address:9300/_cluster/_health?pretty>" (IGNORING the SECURE CHECK)
curl 35: you are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert

I'm not sure where exactly I made the mistake, and I have no idea how to proceed further. I'm very new to SSL and Search-Guard. Sorry for the long post; I'm trying to be as detailed as possible to explain my problem here. ANY HELP??

/usr/share/elasticsearch/plugins/search-guard-2/tools/sgadmin.sh -h IP_Address -p 9301 -ks /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/node-0-keystore.jks -ts /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/truststore.jks -kspass changeit -tspass changeit -cd /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/ -cn vgt_elk -sniff -nhnv

9301: data node listening

Update:

When I tried using /usr/share/elasticsearch/plugins/search-guard-2/sgconfig/node-0-keystore.jks it worked. I'm confused here; my question is which keystore has to be used? Is it node-0-keystore.jks (created for the Elasticsearch nodes) or the client keystore?

My ES yml has:

searchguard.authcz.admin_dn:
  - "cn=kirk,OU=client,O=client,L=Test,C=DE"

and it also worked for

searchguard.authcz.admin_dn:
  - "cn=admin,OU=client,O=client,L=Test,C=DE"

But it's failing when I use kirk-keystore.jks as the keystore. Any insights here, please?
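The curl error quoted above literally describes two different certificates that carry the same issuer and serial number. The script below, added here as an example (it is not code from the post or from the Search Guard project, and it assumes only the openssl CLI), lists issuer, serial and SHA-256 fingerprint for every certificate in the PEM files you hand to curl, Logstash and Kibana (root-ca.pem, node-0-signed.pem, ...) and flags any issuer/serial claimed by more than one distinct certificate, so you can see which file is colliding before touching the keystores:

```shell
#!/bin/sh
# Added example (not from the post or Search Guard). Assumes only the openssl CLI.
# Usage: sh check_certs.sh root-ca.pem node-0-signed.pem [more.pem ...]

# Print one "issuer|serial|sha256-fingerprint" line per certificate found in the files.
cert_identities() {
  tmp=$(mktemp -d) || return 1
  idx=0
  for f in "$@"; do
    idx=$((idx + 1))
    # split a PEM bundle into one temporary file per certificate
    awk -v dir="$tmp" -v base="$idx" '
      /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" base "." n; inside = 1 }
      inside { print > out }
      /-----END CERTIFICATE-----/ { inside = 0; close(out) }' "$f"
  done
  for c in "$tmp"/*; do
    [ -f "$c" ] || continue
    issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
    serial=$(openssl x509 -in "$c" -noout -serial | sed 's/^serial=//')
    fp=$(openssl x509 -in "$c" -noout -fingerprint -sha256 | sed 's/^.*=//')
    printf '%s|%s|%s\n' "$issuer" "$serial" "$fp"
  done
  rm -rf "$tmp"
}

# Exit 0 when every issuer/serial maps to exactly one certificate, 1 otherwise.
# Identical copies of the same certificate (same fingerprint) are collapsed by sort -u,
# so the same CA listed in two files is fine; two different certs with one identity is not.
find_collisions() {
  cert_identities "$@" | sort -u | awk -F'|' '
    { key = $1 "|" $2; count[key]++; fps[key] = fps[key] " " $3 }
    END {
      bad = 0
      for (k in count) if (count[k] > 1) { bad = 1; print "COLLISION " k ":" fps[k] }
      exit bad
    }'
}

if [ "$#" -gt 0 ]; then
  find_collisions "$@"
fi
```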

Are your keystores/truststores paired correctly? That is, you are using the truststore.jks that was used to sign your keystore.jks file?

If you just regenerate ALL your certs/keys/pems/jks files, and use the newly-generated ones, what happens?

On Friday, July 29, 2016 at 4:25:58 AM UTC-4, searchy-guardie wrote: