CURL CONNECT SSL WITH CERTIFICATE OF SHA256 get error

Hey,
I got a new ELK server, but the CA staff built the certificate with "Signature Algorithm: sha256WithRSAEncryption".

When I execute the command:
curl -u elastic --cacert /etc/elasticsearch/crt/ca.crt -XGET "https://devlnxxxxxxx.xxx.local:9200/_cat/indices?pretty&s=index"

the response is:
curl: (35) SSL received a record that exceeded the maximum permissible length

I tried to execute it with --ciphers and got a timeout:

curl -u elastic --ciphers dhe_rsa_aes_256_cbc_sha_256 --cacert /etc/elasticsearch/crt/ca.crt -XGET "https://devlnxxxxxxx.xxx.local:9200/_cat/indices?pretty&s=index"

curl: (28) Operation timed out after 300426 milliseconds with 0 out of 0 bytes received

The output of openssl on this certificate starts like this:

Certificate:
Data:
Version: 3 (0x2)
Serial Number:
4e:89:2d:29:5b:63:32:ab:41:27:6f:1e:48:f5:48:6b
Signature Algorithm: sha256WithRSAEncryption

My curl version is:

curl --version
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

Elasticsearch version is 7.2.

How can I run the command with the correct parameters?

Thanks a lot.

Is your Elasticsearch node really running TLS on the HTTP port?
What does your elasticsearch.yml look like?

We just replaced the certificate, going from sha256 to sha1,
and it works.
Thanks.

For anyone reading this in the future, don't use sha1 certificates. If you have issues with certs and TLS, request assistance from your sysadmins, a colleague, or here, but DO NOT use sha1 certificates. They have been dead, and rightly so, for years.

This appears to be a curl problem, not an Elasticsearch problem: your curl version cannot handle modern certificates.

You are using curl 7.29 which is more than 6 years old. You really should fix that.
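A small diagnostic script, added here as an example and not code posted in the thread: it reports the signature algorithm of a PEM certificate (the sha256WithRSAEncryption line quoted in the question), flags sha1/md5 signatures as legacy, and probes whether a host:port actually completes a TLS handshake, which is what the first reply asks about. It assumes the openssl CLI is installed; the host, port and file paths are placeholders.

```shell
#!/bin/sh
# Added diagnostic helpers (constructed example, not code from the thread).
# Assumes the openssl CLI is on PATH; host:port and file names are placeholders.

# Signature algorithm of a PEM certificate, e.g. "sha256WithRSAEncryption".
# `openssl x509 -text` prints the line twice; the first copy is enough.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Classify an algorithm name: sha1/md5 signatures are legacy and should not be deployed.
sig_alg_class() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *sha1*|*md5*)                echo legacy ;;
    *sha256*|*sha384*|*sha512*)  echo modern ;;
    *)                           echo unknown ;;
  esac
}

# Does host:port complete a TLS handshake at all? curl's error 35 "record that exceeded
# the maximum permissible length" is what a TLS client commonly reports when the listener
# answers in plaintext HTTP, so this is the first thing to check. Prints "tls" when the
# handshake completes (certificate trust is NOT verified here) and "not-tls" otherwise.
probe_tls() {
  if openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null >/dev/null 2>&1; then
    echo tls
  else
    echo not-tls
  fi
}

# Example run (placeholder arguments):
#   sh diagnose_tls.sh devlnxxxxxxx.xxx.local:9200 /etc/elasticsearch/crt/ca.crt
if [ "$#" -eq 2 ]; then
  echo "endpoint $1: $(probe_tls "$1")"
  alg=$(cert_sig_alg "$2")
  echo "CA cert $2: ${alg:-unreadable} ($(sig_alg_class "$alg"))"
fi
```

If the probe reports not-tls, the fix is on the server side (HTTP TLS not enabled on that port), and no curl cipher option will help.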
