I had a functioning PKI realm and native realm with working certs. I upgraded to 7.x from 6.x and now suddenly, when I try to test authentication using the X-Pack authenticate endpoint, those very same certs that were working before no longer get through. Do I need to recreate these certs from scratch due to some change in 7.x? Here's a curl attempt:
I can actually get by with just the client-ca.cer and passing creds via basic auth, so I feel like the CA is still in order. The cert and key were generated from the same p12 file, so it makes no sense that suddenly the client.cer is getting rejected. Thank you for your help.
I'd also like to add that I got a complaint from curl saying openssl cannot support TLS 1.3, so I thought maybe it's all working and I should just try the certs with Kibana, but Kibana is getting it as well:
Request error, retrying
HEAD https://localhost:9200/ => write EPROTO 140523106330432:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46
and the dreaded no living connections:
[20:05:47.953] [warning][admin][elasticsearch] Unable to revive connection: https://localhost:9200/
log [20:05:47.954] [warning][admin][elasticsearch] No living connections
log [20:05:47.958] [warning][admin][elasticsearch] Unable to revive connection: https://localhost:9200/
log [20:05:47.958] [warning][admin][elasticsearch] No living connections
log [20:05:47.959] [warning][task_manager] PollError No Living connections
The issue seems to be resolved... I actually don't know why; I just kept tinkering with it until the problem went away. The best I can say for others who run into this:
curl/openssl might not support TLS 1.3, based on the errors above. Perhaps the certs worked all along, but curl/openssl couldn't show it or use them; they only got in with basic auth.
Kibana is using those client certs, the same ones that failed with curl/openssl, and it's connecting with no basic auth. My guess is that the latest 7.1 update is using TLS 1.3; curl/openssl cannot, so they were being misleading. I tried to force curl to use the TLS 1.3 protocol and it said "openssl was not built to use TLS1.3" or something like that.
One more thing. The responses of curl/openssl led me to believe that I had to use basic auth with Kibana. This was failing because I was trying to replicate what I did with curl, i.e., ca-cert and basic auth to get in. But according to the documentation:
These files [elasticsearch.ssl.certificate: and elasticsearch.ssl.key] are used to verify
the identity of Kibana to Elasticsearch and are required when xpack.ssl.verification_mode
in Elasticsearch is set to either certificate or full
I think Kibana was failing because I removed the cert/key lines from the config and tried to replace them with basic auth. In the end I should have just let Kibana use the certs instead of basic auth with the ca-cert. It was probably working, but curl/openssl made me think Kibana wouldn't work.
TL;DR: with TLS 1.3 and certs, just because curl/openssl doesn't work doesn't mean Kibana doesn't work.
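An added diagnostic helper (not from the thread or from Elastic) for the two questions this thread turned on: does the local OpenSSL actually support TLS 1.3, and what does the "SSL alert number" in an error like the Kibana line above mean? It decodes the alert code into its RFC name (46 is certificate_unknown, i.e. the server did not accept the certificate the client presented) and can optionally attempt a mutual-TLS handshake against a host, cert and key you supply; the sample error line below is constructed from the log quoted in this thread.

```python
import re
import socket
import ssl

# TLS alert descriptions (RFC 5246 / RFC 8446) most often seen when a
# client certificate is rejected during a mutual-TLS handshake.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",  # TLS 1.3 only
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")


def decode_openssl_error(line):
    """Return (alert_number, alert_name) parsed from an OpenSSL error string, or None."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    num = int(m.group(1))
    return num, TLS_ALERTS.get(num, "unknown_alert")


def local_tls13_support():
    """True if the OpenSSL linked into this Python can negotiate TLS 1.3 (OpenSSL >= 1.1.1)."""
    return ssl.HAS_TLSv1_3


def client_cert_handshake(host, port, cafile, certfile, keyfile, timeout=5.0):
    """Attempt a mutual-TLS handshake and report the negotiated protocol version,
    or the alert the server sent back. Needs a reachable server; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version()}
    except ssl.SSLError as e:
        return {"ok": False, "error": str(e), "alert": decode_openssl_error(str(e))}


# Constructed sample: the error line Kibana logged in the thread above.
SAMPLE = ("write EPROTO 140523106330432:error:14094416:SSL routines:ssl3_read_bytes:"
          "sslv3 alert certificate unknown:../deps/openssl/openssl/ssl/record/"
          "rec_layer_s3.c:1407:SSL alert number 46")

if __name__ == "__main__":
    print("local TLS 1.3 support:", local_tls13_support())
    print("decoded alert:", decode_openssl_error(SAMPLE))
```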