Hi,
I am trying to configure HTTPS on my Elasticsearch and I am having some trouble doing it.
I start with a PFX certificate provided by my Ops team.
I am trying to use this type of configuration:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: E:\example\elasticsearch-7.4.2\config\cert.key
xpack.security.http.ssl.key_passphrase: test
xpack.security.http.ssl.certificate: E:\example\elasticsearch-7.4.2\config\cert.crt
I know I can use:
xpack.security.http.ssl.keystore.type: PKCS12
xpack.security.http.ssl.keystore.path: E:\example\elasticsearch-7.4.2\config\wildcard.recette.corp.lan.pfx
xpack.security.http.ssl.keystore.password: blablablabla
and it works, but for some reasons I would rather use the first config.
To do that, I must transform my PFX into 2 files:
Key
openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nocerts -out cert.key
Certificate
openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nokeys -out cert.crt
With this config, I get this error:
Caused by: java.io.IOException: **ObjectIdentifier() -- data isn't an object ID** (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:253) ~[?:?]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:281) ~[?:?]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_20]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_25]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:?]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:?]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:?]
After a little Google search, I found this
So, I tried the PKCS#8 solution:
openssl pkcs8 -topk8 -v1 PBE-SHA1-RC4-128 -in cert.key -out cert8.key
The Elasticsearch server now starts!
... but fails to start an HTTPS channel:
java.lang.IllegalArgumentException: did not find an SSLContext for [SSLConfiguration{keyConfig=[keyPath=[E:\example\elasticsearch-7.4.2\config\cert8.key], certPaths=[E:\example\elasticsearch-7.4.2\config\cert.crt]], trustConfig=Combining Trust Config{JDK trusted certs, keyPath=[E:\example\elasticsearch-7.4.2\config\cert8.key], certPaths=[E:\example\elasticsearch-7.4.2\config\cert.crt]}], cipherSuites=[[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]], supportedProtocols=[[TLSv1.2, TLSv1.1]], sslClientAuth=[NONE], verificationMode=[FULL]}]
at org.elasticsearch.xpack.core.ssl.SSLService.sslContextHolder(SSLService.java:306) ~[x-pack-core-7.4.2.jar:7.4.2]
at org.elasticsearch.xpack.core.ssl.SSLService.sslContext(SSLService.java:294) ~[x-pack-core-7.4.2.jar:7.4.2]
at org.elasticsearch.xpack.core.ssl.SSLService.createSSLEngine(SSLService.java:250) ~[x-pack-core-7.4.2.jar:7.4.2]
at org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4HttpServerTransport$HttpSslChannelHandler.initChannel...
I don't really understand this error, and so I don't know how to resolve it.
I tried with
openssl pkcs12 -in wildcard.recette.corp.lan.pfx -nocerts -out cert.key -nodes
and it works, but I want a passphrase on my private key.
Any ideas?
Info:
Windows Server 2012 R2
Oracle Java JDK 1.8.0_25
Elasticsearch 7.4.2
Regards,
Mike
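The script below is an added example, not part of the post above and not Elastic's or Mike's own commands. It walks the same PFX-to-PEM procedure, but with one change: the first stack trace shows the JDK failing inside PBES2Parameters, so the key encryption produced by `openssl pkcs12 -nocerts` is exactly the thing not to leave to the default. The script extracts the key unencrypted to a scratch file, then re-encrypts it explicitly in two encodings that carry no PBES2 parameter block (PKCS#8 with the PKCS#5 v1 scheme PBE-SHA1-3DES, and the traditional "RSA PRIVATE KEY" format with a DEK-Info header and AES-256-CBC), reports which scheme each output file actually uses, and checks that each encrypted key still decrypts and matches the certificate. It assumes only the OpenSSL CLI on PATH and a POSIX shell; the PFX, the CN `wildcard.example.test` and both passphrases are constructed throwaway values standing in for the Ops-provided file. Which of the two encodings the JVM on the node accepts is not something this script can prove; it only makes the encoding explicit so the node can be tested against a known input.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the OpenSSL CLI is on PATH.
# Builds a throwaway PFX (stand-in for the Ops-provided one), splits it into
# cert.crt plus a private key, and writes the key in two passphrase-protected
# encodings that avoid the PBES2 parameter block seen in the JDK stack trace.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="pfx-test-pass"   # constructed test values; the real ones come from Ops
KEY_PASS="key-test-pass"

# Constructed stand-in for wildcard.recette.corp.lan.pfx: self-signed cert + RSA key.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=wildcard.example.test" \
    -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/orig.key" -in "$WORK/orig.crt" \
    -passout "pass:$PFX_PASS" -out "$WORK/test.pfx"
}

# Step 1: split the PFX. The certificate goes to cert.crt; the key is written
# unencrypted to a scratch file so the key encryption is chosen explicitly in
# step 2 instead of taking whatever `pkcs12 -nocerts` picks by default.
split_pfx() {
  pfx=$1
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nokeys -clcerts \
    -out "$WORK/cert.crt"
  openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
    -out "$WORK/plain.key"
  chmod 600 "$WORK/plain.key"
}

# Step 2a: PKCS#8 "ENCRYPTED PRIVATE KEY" with a PKCS#5 v1 scheme
# (pbeWithSHA1And3-KeyTripleDES-CBC). v1 schemes carry no PBES2 parameters.
encrypt_pkcs8_v1() {
  openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "$WORK/plain.key" \
    -passout "pass:$KEY_PASS" -out "$WORK/cert8.key"
}

# Step 2b: traditional OpenSSL "RSA PRIVATE KEY" with a DEK-Info header,
# AES-256-CBC. `openssl pkey -traditional` works the same on 1.1.x and 3.x.
encrypt_traditional() {
  openssl pkey -in "$WORK/plain.key" -traditional -aes256 \
    -passout "pass:$KEY_PASS" -out "$WORK/cert_rsa.key"
}

# Report which encryption scheme a PEM key file uses, i.e. what the JVM must
# parse. For PKCS#8 the first OID in EncryptedPrivateKeyInfo names the scheme
# ("PBES2" or a pbeWith... v1 name); traditional PEM states it in DEK-Info.
key_scheme() {
  f=$1
  if grep -q "BEGIN ENCRYPTED PRIVATE KEY" "$f"; then
    openssl asn1parse -in "$f" | awk '/OBJECT/ { sub(/^:/, "", $NF); print $NF; exit }'
  elif grep -q "^DEK-Info:" "$f"; then
    sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$f"
  elif grep -q "PRIVATE KEY-----" "$f"; then
    echo "unencrypted"
  else
    echo "unknown"
    return 1
  fi
}

# Confirm the encrypted key still decrypts with KEY_PASS and matches cert.crt
# by comparing the SubjectPublicKeyInfo derived from each.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$KEY_PASS" -pubout | openssl sha256)
  c=$(openssl x509 -in "$WORK/cert.crt" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ]
}

main() {
  make_test_pfx
  split_pfx "$WORK/test.pfx"
  encrypt_pkcs8_v1
  encrypt_traditional
  rm -f "$WORK/plain.key"          # never leave the unencrypted key behind
  for k in cert8.key cert_rsa.key; do
    printf '%-12s scheme=%s key_matches_cert=' "$k" "$(key_scheme "$WORK/$k")"
    if key_matches_cert "$WORK/$k"; then echo yes; else echo no; fi
  done
  echo "outputs in $WORK"
}

main
```

The same `openssl` invocations work unchanged in a Windows shell; only the surrounding `sh` plumbing is POSIX. Run `key_scheme` on the `cert.key` that `openssl pkcs12 -nocerts` produced to see what the JDK was being asked to parse in the first place, and point `xpack.security.http.ssl.key` at whichever output the node accepts.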