Fscrawler is failed to connect to ES with HTTPS enabled

I have configured the Kibana being connected to ES 7.3.0 with HTTPS enabled. But I got this error "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=Elastic Certificate Tool Autogenerated CA)"

Actually I encountered the same issue in Kibana and then I set this in the kibana.yml and it worked: elasticsearch.ssl.verificationMode: certificate

I did not find the corresponding setting in fscrawler: https://fscrawler.readthedocs.io/en/latest/admin/fs/elasticsearch.html#ssl-configuration

Any one managed to do that?

Thanks

Insteda of configuring FSCrawler you can generate certificates with the applicable names.

Based on the error shown above, you would want to add --dns localhost to the commandline when you run elasticsearch-certutil cert

Thanks Tim,

Here is the command I used:
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns localhost --ip 127.0.0.1,::1 --name node-sni --out node-sni.p12

Here are the steps:

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert  --ca /etc/elasticsearch/config/certs/elastic-stack-ca.p12  --dns localhost --ip 127.0.0.1,::1 --name node1 --pem

sudo unzip -d ccc certificate-bundle.zip

sudo openssl x509 -in ccc/node1/node1.crt  -outform der -out cert.der

sudo keytool -import -alias elastic -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file cert.der

Then I got below error when starting fscrawler

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I thought it was due to the root certificate is not present in the java's cacert

so I ran the following commands:

openssl s_client -showcerts -connect localhost:9200
copy the certificate between BEGIN and END into ca.pem
sudo openssl x509 -in ca.pem  -outform der -out ca.der

sudo openssl x509 -in ccc/ca/ca.crt  -outform der -out ca.der

sudo keytool -import -alias elastic-ca -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file ca.der

And now the error is:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=Elastic Certificate Tool Autogenerated CA)

Here are the details of these two entries in the java's cacert:

xxx@elk:~$ sudo keytool -list -alias elastic-ca -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -v
Enter keystore password:
Alias name: elastic-ca
Creation date: Oct 14, 2019
Entry type: trustedCertEntry

Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d9198dfc08cdec68978d431691caac7c3ef75bac
Valid from: Sun Oct 13 20:57:42 AEDT 2019 until: Wed Oct 12 20:57:42 AEDT 2022
Certificate fingerprints:
         MD5:  A7:AB:C0:CA:67:84:3F:32:1B:55:79:0D:23:C7:FF:69
         SHA1: 82:C4:C2:0E:CE:1B:29:26:52:83:39:B5:BF:8D:63:E3:5E:0A:B3:67
         SHA256: 29:37:C7:67:8C:14:93:A9:97:38:53:63:05:B9:E8:85:53:EC:28:A3:2E:D6:24:7D:25:F3:F1:FA:1D:09:72:AF
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]



xxx@elk:~$ sudo keytool -list -alias elastic -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -v  Enter keystore password:
Alias name: elastic
Creation date: Oct 14, 2019
Entry type: trustedCertEntry

Owner: CN=node-xxx
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d54b56ac15611a3c61fbdc9980d7a2e831f7ed7e
Valid from: Mon Oct 14 18:11:30 AEDT 2019 until: Thu Oct 13 18:11:30 AEDT 2022
Certificate fingerprints:
         MD5:  52:2C:0B:42:A6:0E:57:53:3B:08:BE:03:90:B3:99:7A
         SHA1: B2:50:1B:AA:57:C0:58:B6:C6:C9:3E:70:C0:23:CA:19:5A:3E:F1:EC
         SHA256: C0:E7:B8:AF:08:53:33:4D:F3:22:23:61:18:23:64:A2:20:82:BE:5A:39:1B:7E:DA:84:E5:1B:D8:9D:AD:FB:06
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
  IPAddress: 0:0:0:0:0:0:0:1
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C5 06 BE D2 90 8A 39 2C   F4 7D 96 FD C9 70 BF 82  ......9,.....p..
0010: A7 F0 AD 74                                        ...t
]
]

Anything is missing?

with alias of 'elastic' entry above, I am able to test the connection using 'https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java'

java SSLPoke localhost 9200
Successfully connected

Is it helpful for the troubleshooting?

Can you share your elasticsearch configuration ? It seems like you are using the CA certificate for TLS on the http layer instead of the node-sni.p12

Thanks Ioannis, you are right, that was the issue.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.