Failed to authenticate user with OpenID Connect in trial version of elasticsearch

Hello All,
I am using Elasticsearch 7.5.2 and Kibana 7.5.2, and with this I am using Keycloak as the OP. I have enabled the 30-day trial version to run single sign-on on Elasticsearch, but I am getting the below error in Elasticsearch.

```
Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to exchange code for Id Token using the Token Endpoint.]; nested: SSLHandshakeException[General SSLEngine problem]; nested: SSLHandshakeException[General SSLEngine problem]; nested: ValidatorException[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; nested: SunCertPathBuilderException[unable to find valid certification path to requested target] ; )
```

Can anyone suggest where I am making a mistake?
Below are my elasticsearch.yml and kibana.yml.

elasticsearch.yml:

```yaml
##======================== Elasticsearch Configuration =========================

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /home/ist/elasticsearch-7.5.2/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /home/ist/elasticsearch-7.5.2/config/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /home/ist/elasticsearch-7.5.2/config/elastic-stack-ca.p12
xpack.security.http.ssl.truststore.path: /home/ist/elasticsearch-7.5.2/config/elastic-stack-ca.p12
xpack.http.ssl.truststore.password: elastic

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "kibana-sso"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/api/security/v1/oidc"
  op.issuer: "https://127.0.0.1:8443/auth/realms/oidc1"
  op.authorization_endpoint: "https://127.0.0.1:8443/auth/realms/oidc1/protocol/openid-connect/auth"
  op.token_endpoint: "https://127.0.0.1:8443/auth/realms/oidc1/protocol/openid-connect/token"
  op.jwkset_path: "/home/ist/elasticsearch-7.5.2/config/key.json"
  op.endsession_endpoint: "https://127.0.0.1:8443/auth/realms/oidc1/protocol/openid-connect/logout"
  rp.post_logout_redirect_uri: "https://127.0.0.1:8443/auth/realms/oidc1/protocol/openid-connect/logout"
  claims.principal: preferred_username
  claims.groups: "https://127.0.0.1:8443/auth/realms/oidc1/.well-known/openid-configuration"
```

kibana.yml:

```yaml
elasticsearch.hosts: ["https://localhost:9200"]

elasticsearch.username: "elastic"
elasticsearch.password: "elastic"
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: true
xpack.security.authc.providers: [oidc]
xpack.security.authc.oidc.realm: "oidc1"
server.xsrf.whitelist: [/api/security/v1/oidc]
```

Please suggest where I am making mistakes.
Thanks in advance.

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with the </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

The error is printed in the logs, albeit not very user-friendly (Java SSL exception messages leave a lot to be desired :confused:).

```
Failed to exchange code for Id Token using the Token Endpoint.]; nested: SSLHandshakeException[General SSLEngine problem]; nested: SSLHandshakeException[General SSLEngine problem]; nested: ValidatorException[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]; nested: SunCertPathBuilderException[unable to find valid certification path to requested target] ; )
```

Elasticsearch tries to communicate with your Keycloak instance and it fails because it doesn't trust the certificate that Keycloak is using. We cover this case and the configuration you need to set in our docs.

I have also tried the config you suggested, but the problem is still the same:

```yaml
ssl.certificate_authorities: "/home/ist/elasticsearch-7.5.2/config/root.crt"
```

Where did you add this, and what is the root.crt certificate? The more information you add in your responses, the easier it will be for folks to assist you! Can you share the whole realm configuration? Did you restart Elasticsearch after adding this? Is the error exactly the same again?
