Now, if I try to authenticate, I'm getting the following error:
[WARN ][o.e.x.s.a.AuthenticationService] [server.name] Authentication to realm active_directory failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ad3.foo.bar.local:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'ad3.foo.bar.local:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))
What am I missing? I've found a few articles with similar error, but they seem to be related either to Shield which I don't have or some Java exception which I cannot really understand in order to properly troubleshoot. Help out, please.
settings in your elasticsearch.yml file that would apply to the LDAP ssl settings ( if not overriden in the LDAP realm ssl settings explicitly ) in 6.7.0 but this is no longer the case in 7,0.0
The cert appears to be exactly the same as the one I used in 6.7.1. If I launch the 6.7.1 right now, it works perfectly fine with the cert, so this makes me scratch my head about how the cert itself can be an issue, to be honest. However I'm not really good at this SSL/TLS wizardry.
As you can see, the certs are identical between 6.7 and 7.0.
Maybe file permissions need to be different in 7.0?
$ ls -al elasticsearch-6.7.1/config/cacert.pem
-rw-rw-r-- 1 user user 2687 Apr 8 15:00 elasticsearch-6.7.1/config/cacert.pem
$ ls -al elasticsearch-7.0.0/config/cacert.pem
-rw-rw-r-- 1 user user 2687 Apr 25 11:26 elasticsearch-7.0.0/config/cacert.pem
Additionally, since comparison between certs in 6.7 and 7.0 isn't what you asked for, if I run diff between current cert stored on AD and the cacert.pem that I already have, it returns no differences:
Thanks for the verification Albert, it does look like there shouldn't be an issue with the CA certificate.
Another thing we did change in 7.0 is the deprecation of TLSv1.0 as a default supported version and the introduction of TLSv1.3 in the list of the default supported versions so I'm wondering if your AD Controller dislikes TLSv1.3.
Can you please add
supported_protocols: TLSv1.2, TLSv1.1
under ssl: in your config and see if this fixes your issue?
Which section should it be under? xpack.security.transport.ssl or xpack.security.authc.realms.active_directory.active_directory.ssl? I've just tried both to no avail.
Under xpack.security.authc.realms.active_directory.active_directory.ssl:
It should be under xpack.security.authc.realms.active_directory.active_directory.ssl: and my suggestion was actually wrong, this is a list setting so the correct format for it should be
OK, it actually was TLSv1 (that's right, just v1) that I had to add to the list against xpack.security.authc.realms.active_directory.active_directory.ssl.supported_protocols. This is the xpack config that work for me now:
I'll talk to the AD team about this, but it'll certainly take a while before they add support of higher TLS versions. For now, I'll just have to live with TLSv1.
If I can make a suggestion, maybe the TLS issue for external authentication is something that's worth mentioning in Configuring AD realm in 7.0? There's a bit on TLSv1.0 in TLS version 1.0 is disabled in "Breaking changes 7.0", but because of the example in there (http), it doesn't emphasise that the change affects everything that has anything to do TLSv1.0, therefore perhaps it would be benefitial to have something about it in Configuring AD realm in 7.0.
Thanks for the suggestion Albert, I'll see what we can do to make this clearer. As a data point, would you be able to share what version is your Windows Server ?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.