Connect ElasticSearch using username,password and ssl certificate .net

Lahav.Harary · July 20, 2022, 2:03pm

Hey,
I'm having a problem connecting Elasticsearch using username,password and p12 certificate.

The certificate was created using the following guide: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.3] | Elastic

I have tried:

sending the p12 certificate as a base64 string - X509Certificate2 object said that the password is incorrect (the password is correct).
converting the p12 to pem and then to base64 - X509Certificate2 was created but sending requests via .net did not work
trying to load the file path (didn't work because the p12 file requires a password).

Here is my code:

X509Certificate2 certificate = new X509Certificate2(
Convert.FromBase64String(certificateString),
certificatePassword, X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
            
var pool = new SingleNodeConnectionPool(new Uri("https://localhost:9200"));
var settings = new ConnectionSettings(pool)
.BasicAuthentication(elasticUserName,elasticPassword)
.DefaultIndex(index)
.CertificateFingerprint(elasticCertificateFingerprint)
.ClientCertificate(certificate);
            
_client = new ElasticClient(settings);

Here is my elasticsearch.yml file:

cluster.name : my-cluster
node.name: node-1
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
  client_authentication: required 
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: optional 
  keystore.path: certs/http.p12
cluster.initial_master_nodes: ["ip-10-0-0-13.eu-west-2.compute.internal"]
http.host: 0.0.0.0
xpack.security.transport.ssl.truststore.password: aaaaaa
xpack.security.http.ssl.truststore.password: aaaaaa

Here is what Elastic is saying when I use the pem certificate:

[2022-07-20T16:56:35,244][WARN ][o.e.h.AbstractHttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9200, remoteAddress=/[0:0:0:0:0:0:0:1]:52745}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:480) ~[netty-codec-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279) ~[netty-codec-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:623) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:586) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496) [netty-transport-4.1.74.Final.jar:4.1.74.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986) [netty-common-4.1.74.Final.jar:4.1.74.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.74.Final.jar:4.1.74.Final]
at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:358) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:314) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:305) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:390) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1264) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:712) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1209) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1548) ~[netty-handler-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1394) ~[netty-handler-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235) ~[netty-handler-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1284) ~[netty-handler-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510) ~[netty-codec-4.1.74.Final.jar:4.1.74.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449) ~[netty-codec-4.1.74.Final.jar:4.1.74.Final]
... 16 more

Yang_Wang · July 21, 2022, 1:09am

There are some oddities in your settings.

Lahav.Harary:

xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
  client_authentication: required 
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: optional 
  keystore.path: certs/http.p12

For HTTP, are you sure you need client_authentication: requried. Most of the time, this is not necessary. If you really need it, most of the time you need configure a trust anchor (with either truststore.path or certificate_authorities), otherwise the incoming certificate is likely to fail verification.

For Transport, it is highly recommended to enable client_authentication: required. On transport layer, mTLS is your only protection for node membership. But to use that, you need configure the trust anchor too, which is documented in the guide.

I am not sure what Java library you are using to connect Elasticsearch. So I cannot comment on that part of code. But I'd highly recommend ES's official java client.

Lahav.Harary · July 21, 2022, 8:36am

Hey Yang_Wang,

I Tried changing the yml file and the guide that u posted.

elasticsearch.yml:

cluster.name : my-cluster
node.name: node-1
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
  enabled: true
  keystore.path: certs/http.p12
  client_authentication: optional 
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  client_authentication: required 
  truststore.path: certs/http.p12
  keystore.path: certs/http.p12
cluster.initial_master_nodes: ["ip-10-0-0-13.eu-west-2.compute.internal"]
http.host: 0.0.0.0
xpack.security.http.ssl.truststore.password: aaaaaa

My code can't open the http.p12 certificate for some reason is tell me that the password is incorrect (I Can open it just fine when I use postman).

Please advice regarding that

Yang_Wang · July 22, 2022, 6:36am

Sorry but I don't know what library you are using for your code. I am also not an expert of arbitrary Java libraries. So I am afraid that I won't be very helpful in this regard.

Lahav.Harary · July 24, 2022, 11:04am

Hello again,
I'm using NEST in C# .NET core

Do you need any more info from me?

system · August 21, 2022, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Connecting to TLS/SSL secured elastic cluster through transport client Elasticsearch elastic-stack-security	11	2453	July 21, 2019
Elasticsearch user creation fails Elasticsearch elastic-stack-security	3	887	April 13, 2022
How configure .p12 certificate in Elasticsearch TLS/SSL? Elasticsearch elastic-stack-security	4	4564	November 26, 2018
Elasticsearch-setup-passwords ssl connection issue Elasticsearch elastic-stack-security	5	5022	February 12, 2019
PKI auth in Elasticsearch - http layer Elasticsearch elastic-stack-security	1	408	June 5, 2020

Connect ElasticSearch using username,password and ssl certificate .net

Related topics