Eroor setting up SSL on multi node ES cluster - no cipher suites in common

security

(Santanu Saha) #1

I have Elasticsearch cluster of two nodes (loggerdb2.dev.gep and datanode3.dev.gep). After enabling ssl/tls I am getting following error on elastic search startup.

Stacktrace of datanode3

[2016-07-01 07:16:04,877][WARN ][shield.transport.netty ] [datanode3] exception caught on transport layer [[id: 0xe0f9ff30, loggerdb2.dev.gep/192.111.41.110:44650 => /192.111.41.111:9300]], closing connection
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)

Cooreponding stack trace from loggerdb2
[2016-07-01 09:15:35,211][ERROR][shield.transport.netty ] [loggerdb2] SSL/TLS handshake failed, closing channel: Received fatal alert: handshake_failure
[2016-07-01 09:15:35,226][WARN ][shield.transport.netty ] [loggerdb2] exception caught on transport layer [[id: 0xffeaa7b8, /192.111.40.110:44648 :> datanode3.dev.gep/192.111.40.111:9300]], closing connection
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)

Below mentioned the steps that I followed to setup SSL with self signed certificates

Two nodes datanode3 and loggerdb2.
Setting up certificate authority

mkdir -p ca/private ca/certs ca/conf

cd ca
echo '01' > serial
touch index.txt

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out certs/cacert.pem -days 1460 -config conf/caconfig.cnf

Create a keystore and generate a certificate for the node(datanode3)

keytool -importcert -keystore /etc/elasticsearch/shield/node3.jks -file /root/us67m/keys/ca/certs/cacert.pem

Create a certificate signing request (CSR).

keytool -genkey -alias esnode -keystore esnode.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:loggerdb2.dev.gep,ip:192.111.41.110,dns:datanode3.dev.gep,ip:192.111.41.111

keytool -certreq -alias esnode -keystore esnode.jks -file esnodecsr.csr -keyalg rsa -ext san=dns:loggerdb2.dev.gep,ip:192.111.41.110,dns:datanode3.dev.gep,ip:192.168.41.111

Send the certificate to your CA for signing.

openssl ca -in esnodecsr.csr -notext -out esnode-signed.crt -config conf/caconfig.cnf -extensions v3_req

Add the signed certificate to the node’s keystore.

keytool -importcert -keystore /etc/elasticsearch/shield/node3.jks -file /root/us67m/keys/ca/esnode-signed.crt -alias esnode

For loggerdb2 node I am using the same cacert.pem and esnode-signed.crt generated above
================================For loggerdb2=========================
keytool -importcert -keystore /etc/elasticsearch/shield/loggerdb2.jks -file /root/us67m/keys/ca/certs/cacert.pem
keytool -importcert -keystore /etc/elasticsearch/shield/loggerdb2.jks -file /root/us67m/keys/ca/esnode-signed.crt -alias esnode

Below are my elasticsearch.yml configurations for SSL
loggerdb2 node
#-----------------------------Configuration for SSL ----------------------
shield.ssl.keystore.path: /etc/elasticsearch/shield/loggerdb2.jks
shield.ssl.keystore.password: esnode
shield.transport.ssl: true
shield.transport.http: false
shield.ssl.ciphers: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]

shield.http.filter.allow: [ "192.111.41.110", "192.111.41.111" ]

#-------------------------------End configuration for SSL -----------------
discovery.zen.ping.unicast.hosts: ["datanode3.dev.gep", "loggerdb2.dev.gep"]
discovery.zen.ping_timeout: 50s
discovery.zen.ping.multicast.enabled: false

datanode3 node. rest are same as loggerdb2

#--------------------------------SSL Configuration----------------
shield.ssl.keystore.path: /etc/elasticsearch/shield/node3.jks
shield.ssl.keystore.password: esnode

Any help will be much appreciated as I am stuck here.


(system) #2