ECE - Certificate chain was invalid

Hi all,

I am getting this error message when uploading my proxy certificate into ECE:
Certificate chain was invalid [Invalid Entry: expected X.509 Certificate
As I don't have certificates, I am unable to log into Kibana and Elasticsearch.

I am using openssl to generate a self-signed certificate that has multiple wildcard common names.

  1. Created ssl.conf file with the default common name + alt names
  2. openssl genrsa -out private.key 4096
  3. openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf
  4. openssl x509 -signkey private.key -in private.csr -req -days 365 -out private.crt

ssl.conf file

# Without "prompt = no", openssl req asks for each field interactively: the first entry
# of each pair below is the prompt label shown to the user, the _default entry is the value.
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = AE
countryName_default = AE
stateOrProvinceName = Dubai
stateOrProvinceName_default = Dubai
localityName = Dubai
localityName_default = Dubai
organizationName = CompanyName
organizationName_default = CompanyName
commonName = *.text.example.com
commonName_max = 64
commonName_default = *.text.example.com

# Extensions written into the CSR. Note that "openssl x509 -req" does not copy CSR
# extensions into the signed certificate unless told to (e.g. -extfile / -copy_extensions).
[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.text.example.com
DNS.2 = *.text1.example.com
DNS.3 = *.text2.example.com

Any help is greatly appreciated.
Thank you,
Nhung

Are the suggestions in this topic of any use?

Hi @Alex_Piggott,

Thanks for this! It was helpful.

When I run openssl x509 -subject -issuer -noout -in /etc/ece/private.csr, I get the following:

unable to load certificate
140619479984016:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

Also, when I run
openssl x509 -noout -modulus -in /etc/ece/private.crt | openssl sha256
and
openssl rsa -noout -modulus -in /etc/ece/private.key | openssl sha256
I get two different outputs, indicating a key mismatch.

I was wondering in the steps I did, where did I go wrong? I used the private key generated to create the subsequent certificates. If I were to create new certificates, will this override the old ones? How can I ensure when I generate the new certificates, it will be fine?

Thanks,
Nhung

I got pretty frustrated with this process myself and opted to just put nginx in front of ECE, essentially terminating my SSL certs and proxying connections into ECE.

Now I have a Let's Encrypt wildcard being terminated by nginx and continue to use the self-signed ECE-provided certs.

From your OP, it looks like your steps are slightly different from our steps here: https://www.elastic.co/guide/en/cloud-enterprise/current/ece-manage-certificates.html#ece-tls-generate

  1. Generate a certificate authority (CA) RSA key pair.
  2. Create a self-signed CA certificate.
  3. Generate a server RSA key pair.
  4. Create a certificate signing request (CSR) for the server certificate with the common name and the alternative names set.
  5. Sign the server CSR with the CA key pair.
  6. Concatenate the PEM-encoded server RSA private key, the server certificate, and the CA certificate into a single file.

Vs your:

  1. Created ssl.conf file with the default common name + alt names
  2. openssl genrsa -out private.key 4096
  3. openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf
  4. openssl x509 -signkey private.key -in private.csr -req -days 365 -out private.crt

Your steps 2 and 3 are our steps 3 and 4, and then you sign the CSR with the key from your step 2 (not the CA cert from our steps 1/2)?

The alternative suggestion of using nginx or haproxy can also work well (since you need a load balancer anyway, you might as well use a tool that is also designed to handle the horrors of SSL certificates more robustly!)
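As an added example (not code from this thread, from Elastic or from the ECE docs), here are the six steps above in Go's standard crypto/x509 and crypto/tls, with the CSR folded into the signing call, followed by a check that mirrors the two openssl commands run earlier in the thread: the key must match the server certificate, and the server certificate must chain to the CA certificate that follows it in the file. The function names, the CA name and the 2048-bit key size are my own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildBundle runs steps 1 to 6 (CSR folded into the signing call) and returns key + server cert + CA cert as one PEM file.
func BuildBundle(dnsNames []string) []byte {
	now, year := time.Now(), time.Now().AddDate(1, 0, 0)
	caKey := must(rsa.GenerateKey(rand.Reader, 2048)) // step 1: CA key pair
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example ECE proxy CA"},
		NotBefore: now, NotAfter: year, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)) // step 2: self-signed CA cert
	srvKey := must(rsa.GenerateKey(rand.Reader, 2048))                                              // step 3: server key pair
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dnsNames[0]},
		DNSNames: dnsNames, NotBefore: now, NotAfter: year, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	// Steps 4+5: the server cert is signed with caKey. Signing it with srvKey (the OP's step 4) gives a self-signed leaf with no chain.
	srvDER := must(x509.CreateCertificate(rand.Reader, srvTmpl, must(x509.ParseCertificate(caDER)), &srvKey.PublicKey, caKey))
	out := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(srvKey)}) // step 6
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srvDER})...)
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})...)
}

// CheckBundle mirrors the two openssl checks in the thread: key matches the server cert, server cert chains to the CA for hostname.
func CheckBundle(bundle []byte, hostname string) error {
	pair, err := tls.X509KeyPair(bundle, bundle) // one file supplies the key and every CERTIFICATE block; rejects a key mismatch
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // every certificate after the first is treated as a CA; an empty pool fails like the OP's chainless cert
	for _, der := range pair.Certificate[1:] {
		roots.AddCert(must(x509.ParseCertificate(der)))
	}
	_, err = must(x509.ParseCertificate(pair.Certificate[0])).Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}
```

Writing the bytes returned by BuildBundle to a file gives exactly the three-part PEM that step 6 describes; CheckBundle on that file returns nil, while a bundle missing the CA certificate or carrying the wrong key returns an error before anything is uploaded.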
