Client unable to trust server certificate

Hi,
I'm getting the error below when I tried enabling transport SSL.

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
    at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:238) ~[?:?]
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:145) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:274) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970) ~[?:?]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1457) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]

client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:41990, remoteAddress=/10.x.x.x:9300

Config file: elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elastic2.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elastic2.cer
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/chain.cer" ]

Commands used to generate the certificate:
elasticsearch-certutil csr -in config/instance.yml

I signed the certificates using our organisation CA.

Please help me in getting this issue resolved.

Is the elastic2.cer a single certificate? We changed that to a PKCS#7 "bundle" that contains the cert and CA chain.

See this Elasticsearch X-Pack valid ssl certificate not trusted by client because ca chain not provided by server. · Issue #31725 · elastic/elasticsearch · GitHub

Hi @rugenl, yes, it is a single certificate, and I used our org CA in certificate_authorities. First I generated the certificates using certutil, signed them, and placed them on the other two nodes. At first I thought the Java keystore was not trusting the CA and tried adding it to the keystore. Still, after trying various things, I'm getting the same error.

A workaround is to specify the CA chain in the client.

See the bottom of the GitHub issue page, the second-to-last post.

I tried changing the certificate to PKCS#7. I'm getting the error below.
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
    at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:238) ~[?:?]
    at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:145) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:274) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970) ~[?:?]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_202]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1457) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243) ~[netty-handler-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.30.Final.jar:4.1.30.Final]
    ... 15 more
Any views?
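The exception in both traces is thrown by Java's EndEntityChecker.checkTLSClient, not by chain building: the node certificate does chain to the CA, but its extendedKeyUsage extension lists only serverAuth. The Elasticsearch transport layer is mutual TLS, so every node also presents its certificate as a TLS client certificate to its peers, and Java rejects a certificate whose EKU extension is present but does not include clientAuth (a certificate with no EKU extension, or with anyExtendedKeyUsage, passes). Switching to a PKCS#7 bundle cannot fix that, and neither can regenerating the CSR, because the EKU is set by the CA's signing template. The script below is an added example, not code from this thread or from Elastic: it builds a throwaway CA and signs the same CSR twice, once with a typical "web server" template and once with serverAuth,clientAuth, then runs the openssl purpose check that corresponds to the Java check. The names "elastic2" and "Example Org CA" are placeholders; it needs only the openssl CLI (1.1.1 or later) and works in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original thread or from Elastic): reproduce the
# EKU failure from the stack trace with a constructed CA, then show the check
# that tells a server-only certificate apart from one usable on both sides of
# the Elasticsearch transport. All names and files here are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the run does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Throwaway CA standing in for the organisation CA (assumed name).
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Example Org CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null

# Node key and CSR, the equivalent of what elasticsearch-certutil csr emits.
openssl req -new -config "$WORK/req.cnf" \
  -newkey rsa:2048 -nodes -sha256 -subj "/CN=elastic2" \
  -keyout "$WORK/elastic2.key" -out "$WORK/elastic2.csr" 2>/dev/null

# issue_cert OUTFILE EKU_LIST: sign the CSR with the given extendedKeyUsage.
# The EKU comes from the CA's signing template, not from the CSR, which is
# why regenerating the CSR on the node does not change the outcome.
issue_cert() {
  printf '[ext]\nsubjectAltName = DNS:elastic2\nextendedKeyUsage = %s\n' "$2" \
    > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 1 -in "$WORK/elastic2.csr" \
    -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions ext -out "$1" 2>/dev/null
}

issue_cert "$WORK/server_only.cer" serverAuth            # typical "web server" template
issue_cert "$WORK/both.cer"        serverAuth,clientAuth # what transport TLS needs

# Exit 0 only if the certificate chains to the CA and its EKU permits the role.
# -purpose sslclient applies the same EKU rule as Java's checkTLSClient.
usable_as_tls_client() {
  openssl verify -purpose sslclient -CAfile "$WORK/ca.cer" "$1" >/dev/null 2>&1
}
usable_as_tls_server() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.cer" "$1" >/dev/null 2>&1
}

# Print the EKU line of a certificate: the first thing to look at on a node
# certificate that came back from a corporate CA.
show_eku() {
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}'
}

for c in server_only both; do
  printf '%s:%s\n' "$c" "$(show_eku "$WORK/$c.cer")"
  usable_as_tls_server "$WORK/$c.cer" && echo "  ok as TLS server" || echo "  REJECTED as TLS server"
  usable_as_tls_client "$WORK/$c.cer" && echo "  ok as TLS client" || echo "  REJECTED as TLS client"
done
```

Run the `show_eku` and `openssl verify -purpose sslclient` checks against the real elastic2.cer; if the server-only result appears, ask the CA team to reissue the node certificates from a template that includes both TLS Web Server Authentication and TLS Web Client Authentication. The CA chain bundle from the linked GitHub issue is a separate fix for a separate symptom (the peer cannot build the chain) and is still worth doing, but it does not change the EKU on the leaf certificate.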

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.