I am running an Elasticsearch 6.1.1 cluster with 9 nodes on Ubuntu 16.04.3 running JVM 9. One node is a dedicated master, two more are master-eligible and data, and the rest are data nodes.
I have setup SSL by following along the Elastic documentation, and added additional settings to my elasticsearch.yml file that ended up being necessary for transport communication to work.
I generated my own CA using certutil and generated all the certs for each server using certutil.
The transport layer works successfully, and the cluster status when looking at the log file (/var/log/elasticsearch/) is green. Everything is successfully communicating.
However, when I attempt to perform any client-operations (such as _curl https://ES-MASTER-01:9300/_), I receive the following error:
curl: (35) gnutls_handshake() failed: Certificate is bad
If I try to hit port 9200 (curl https://ES-MASTER-01:9200), I receive another error:
curl: (51) SSL: certificate subject name (ES-MASTER-01) does not match target host name 'ES-MASTER-01'
This message is even further confusing given that the two explicitly match one another, at least in this output.
I know that Elasticsearch has a requirement of the certificates allowing both serverAuth and clientAuth, which certutil presumably performs.
Verification of the handshake using an OpenSSL command shows failure:
openssl s_client -connect ES-MASTER-01:9300 | openssl x509 -text -noout
depth=1 CN = MyOrganizationES Global CA
verify return:1
depth=0 CN = ES-MASTER-01
verify return:1
140281558685336:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42
140281558685336:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
Certificate: <removed due to character limits>
I have added the CA to each server's key store as well as JVM's (method outlined below).
The required keys are within the Elastic config directory as specified by the documentation (/etc/elasticsearch/x-pack).
My elasticsearch.yml config file on all nodes is similar to such:
xpack.ssl.key: /etc/elasticsearch/x-pack/ES-MASTER-01.key
xpack.ssl.key_passphrase: <passphrase>
xpack.ssl.certificate: /etc/elasticsearch/x-pack/ES-MASTER-01.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.audit.enabled: true
xpack.security.enabled: true
Below is the method in which I used to generate the CA and server keys, and other relevant operations.
# Generate the certificates. This was performed on ES-MASTER-01.
cd /usr/share/elasticsearch
# Generate the CA.
bin/x-pack/certutil ca --ca-dn 'CN=MyOrganizationES Global CA' --pass <pass> --days 3650 --keysize 4096 --out MyOrganizationES_CA.zip --pem
# Copy the ca.key and ca.crt to /usr/share/elasticsearch/ca/
# Generate the instance key pairs. I used a valid YAML file with name, DNS, and IP.
bin/x-pack/certutil cert --ca-cert ca/ca.crt --ca-key ca/ca.key --ca-pass <pass> --days 3650 --in MyOrganizationES_Cluster.yml --keysize 4096 --out MyOrganizationES_Keys.zip --pass <pass> --pem
# Copy the certificate files from the .zip file to corresponding server, as well as the ca.crt.
/etc/elasticsearch/x-pack
# Update the machine's certificate store (all nodes).
# Copy the ca.crt file to this location.
/usr/local/share/ca-certificates
update-ca-certificates --fresh
# Update Java's cacerts store (all nodes).
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias MyOrganizationES -file /usr/local/share/ca-certificates/ca.crt
At this point I believe there to be something with OpenSSL that is not liking the self-signed certificates, but I'm not sure how to further diagnose.
I am also having the issue of Kibana refusing to start with the basic SSL configuration, but I believe that might be a symptom of this larger issue.