Elasticsearch 7.4.2 : Problem with SSL configuration

Hi,

I am trying to configure HTTPS on my Elasticsearch and I am having some trouble doing it.

I start with a PFX certificate provided by my Ops team.
I try to use this type of configuration:

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: E:\example\elasticsearch-7.4.2\config\cert.key
xpack.security.http.ssl.key_passphrase: test
xpack.security.http.ssl.certificate: E:\example\elasticsearch-7.4.2\config\cert.crt

I know I can use:

xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: E:\example\elasticsearch-7.4.2\config\wildcard.recette.corp.lan.pfx
xpack.security.http.ssl.keystore.password: blablablabla

and it works, but for some reasons I would rather use the first config.

To do that, I must transform my PFX into 2 files:
Key

openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nocerts -out cert.key

Certificate

openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nokeys -out cert.crt

With this config, I get this error:

Caused by: java.io.IOException: **ObjectIdentifier() -- data isn't an object ID** (tag = 48)
         at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:?]
         at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:?]
         at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_20]
         at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_25]
         at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:?]
         at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:?]
         at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:?]

After a little Google search, I found this.
So, I tried the pkcs8 solution:

openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in cert.key -out cert8.key

The Elasticsearch server now starts!
.... but fails to start an HTTPS channel

java.lang.IllegalArgumentException: did not find an SSLContext for [SSLConfiguration{keyConfig=[keyPath=[E:\example\elasticsearch-7.4.2\config\cert8.key], certPaths=[E:\example\elasticsearch-7.4.2\config\cert.crt]], trustConfig=Combining Trust Config{JDK trusted certs, keyPath=[E:\example\elasticsearch-7.4.2\config\cert8.key], certPaths=[E:\example\elasticsearch-7.4.2\config\cert.crt]}], cipherSuites=[[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]], supportedProtocols=[[TLSv1.2, TLSv1.1]], sslClientAuth=[NONE], verificationMode=[FULL]}]
        at org.elasticsearch.xpack.core.ssl.SSLService.sslContextHolder(SSLService.java:306) ~[x-pack-core-7.4.2.jar:7.4.2]
        at org.elasticsearch.xpack.core.ssl.SSLService.sslContext(SSLService.java:294) ~[x-pack-core-7.4.2.jar:7.4.2]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSSLEngine(SSLService.java:250) ~[x-pack-core-7.4.2.jar:7.4.2]
        at org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport$HttpSslChannelHandler.initChannel...

I don't really understand this error, so I don't know how to resolve it.

I tried with

openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nocerts -out cert.key -nodes

and it works, but I want a passphrase on my private key.

Any ideas?

Info:
Windows Server 2012 R2
Java Oracle jdk 1.8.0_25
Elasticsearch 7.4.2

Regards,
Mike
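The PFX-to-PEM procedure from the post, as an added worked example that is not part of the original post or of Elasticsearch's own tooling. It builds a throwaway self-signed PKCS#12 bundle in place of wildcard.recette.corp.lan.pfx, splits it into cert.crt and a passphrase-protected cert.key the way the post does, and then runs the checks a practitioner wants before pointing xpack.security.http.ssl.key / .certificate at the files: the key really is encrypted, a wrong passphrase is rejected, and the public key inside cert.key matches the one in cert.crt. The key is re-wrapped with `openssl pkcs8 -topk8` as PBES2 / AES-256-CBC but with the PBKDF2 PRF pinned to hmacWithSHA1 (the PKCS#5 default) instead of the hmacWithSHA256 that recent OpenSSL releases select on their own; the first stack trace in the post fails inside the JDK's PBES2 parameter decoder, which is why that parameter is made explicit here. Whether this alone clears the error on jdk 1.8.0_25 is an assumption this example does not establish. The hostname, both passwords, the work directory and the file names are constructed for the example; the same openssl commands run unchanged from Git Bash on Windows.

```shell
# Added example, not from the original post: build a throwaway PKCS#12 bundle,
# split it into cert.crt plus a passphrase-protected cert.key, and check that
# the pair belongs together before pointing xpack.security.http.ssl.key and
# .certificate at them. Hostname, passwords and file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="pfx-export-pass"   # constructed; stands in for the Ops team's export password
KEY_PASS="test"              # value that goes into xpack.security.http.ssl.key_passphrase

# make_test_pfx: self-signed key + cert bundled as PKCS#12, standing in for the
# wildcard.recette.corp.lan.pfx the post starts from.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=*.recette.example.test" \
    -keyout "$WORK/tmp.key" -out "$WORK/tmp.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/tmp.key" -in "$WORK/tmp.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/bundle.pfx"
  rm -f "$WORK/tmp.key"
}

# split_pfx: certificate(s) to cert.crt; private key to cert.key as PKCS#8 with
# PBES2 / AES-256-CBC. The PRF is pinned to hmacWithSHA1 (the PKCS#5 default)
# rather than the hmacWithSHA256 current OpenSSL picks for -topk8, because the
# first stack trace in the post dies inside the JDK's PBES2 parameter decoder
# (assumption: that is the parameter the old JDK could not read).
split_pfx() {
  openssl pkcs12 -in "$WORK/bundle.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -out "$WORK/cert.crt"
  # Decrypt once with -nodes inside a pipe, so the plaintext key never touches
  # disk, then re-wrap it under the key passphrase.
  openssl pkcs12 -in "$WORK/bundle.pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
    | openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA1 \
        -passout "pass:$KEY_PASS" -out "$WORK/cert.key"
  chmod 600 "$WORK/cert.key"
}

# key_is_encrypted: succeeds when the PEM label says the key is passphrase-protected.
key_is_encrypted() {
  grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----$' "$WORK/cert.key"
}

# key_rejects_wrong_passphrase: succeeds when a wrong passphrase cannot open the key.
key_rejects_wrong_passphrase() {
  ! openssl pkey -in "$WORK/cert.key" -passin "pass:not-$KEY_PASS" -noout 2>/dev/null
}

# key_matches_cert: succeeds when the public key inside cert.key equals the one
# in cert.crt; run this before Elasticsearch complains about its SSLContext.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/cert.key" -passin "pass:$KEY_PASS" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/cert.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# es_config: the elasticsearch.yml fragment for the PEM layout. Paths are the
# example's; on a real node substitute the E:\...\config paths from the post.
es_config() {
  cat <<EOF
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: $WORK/cert.key
xpack.security.http.ssl.key_passphrase: $KEY_PASS
xpack.security.http.ssl.certificate: $WORK/cert.crt
EOF
}

make_test_pfx
split_pfx
key_is_encrypted && key_rejects_wrong_passphrase && key_matches_cert
es_config
```

If `key_matches_cert` fails on a real bundle, the usual cause is a PFX that carries several certificates: drop `-clcerts` from the `-nokeys` export only when the full chain is wanted in cert.crt, and check which certificate the key actually belongs to with `openssl pkcs12 -in bundle.pfx -info -nokeys` before blaming the Elasticsearch configuration.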
