Fscrawler failed to connect to ES with HTTPS enabled

I have configured Kibana to connect to ES 7.3.0 with HTTPS enabled, but I got this error: "java.io.IOException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=Elastic Certificate Tool Autogenerated CA)"

Actually I encountered the same issue in Kibana and then I set this in the kibana.yml and it worked: elasticsearch.ssl.verificationMode: certificate

I did not find the corresponding setting in fscrawler: https://fscrawler.readthedocs.io/en/latest/admin/fs/elasticsearch.html#ssl-configuration

Anyone managed to do that?

Thanks

Instead of configuring FSCrawler you can generate certificates with the applicable names.

Based on the error shown above, you would want to add --dns localhost to the commandline when you run elasticsearch-certutil cert


Thanks Tim,

Here is the command I used:
sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --dns localhost --ip 127.0.0.1,::1 --name node-sni --out node-sni.p12

Here are the steps:

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil cert  --ca /etc/elasticsearch/config/certs/elastic-stack-ca.p12  --dns localhost --ip 127.0.0.1,::1 --name node1 --pem

sudo unzip -d ccc certificate-bundle.zip

sudo openssl x509 -in ccc/node1/node1.crt  -outform der -out cert.der

sudo keytool -import -alias elastic -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file cert.der

Then I got the error below when starting fscrawler:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I thought it was because the root certificate was not present in Java's cacerts,

so I ran the following commands:

openssl s_client -showcerts -connect localhost:9200
copy the certificate between BEGIN and END into ca.pem
sudo openssl x509 -in ca.pem  -outform der -out ca.der

sudo openssl x509 -in ccc/ca/ca.crt  -outform der -out ca.der

sudo keytool -import -alias elastic-ca -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -file ca.der

And now the error is:

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'localhost' does not match the certificate subject provided by the peer (CN=Elastic Certificate Tool Autogenerated CA)

Here are the details of these two entries in Java's cacerts:

xxx@elk:~$ sudo keytool -list -alias elastic-ca -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -v
Enter keystore password:
Alias name: elastic-ca
Creation date: Oct 14, 2019
Entry type: trustedCertEntry

Owner: CN=Elastic Certificate Tool Autogenerated CA
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d9198dfc08cdec68978d431691caac7c3ef75bac
Valid from: Sun Oct 13 20:57:42 AEDT 2019 until: Wed Oct 12 20:57:42 AEDT 2022
Certificate fingerprints:
         MD5:  A7:AB:C0:CA:67:84:3F:32:1B:55:79:0D:23:C7:FF:69
         SHA1: 82:C4:C2:0E:CE:1B:29:26:52:83:39:B5:BF:8D:63:E3:5E:0A:B3:67
         SHA256: 29:37:C7:67:8C:14:93:A9:97:38:53:63:05:B9:E8:85:53:EC:28:A3:2E:D6:24:7D:25:F3:F1:FA:1D:09:72:AF
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]



xxx@elk:~$ sudo keytool -list -alias elastic -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -v
Enter keystore password:
Alias name: elastic
Creation date: Oct 14, 2019
Entry type: trustedCertEntry

Owner: CN=node-xxx
Issuer: CN=Elastic Certificate Tool Autogenerated CA
Serial number: d54b56ac15611a3c61fbdc9980d7a2e831f7ed7e
Valid from: Mon Oct 14 18:11:30 AEDT 2019 until: Thu Oct 13 18:11:30 AEDT 2022
Certificate fingerprints:
         MD5:  52:2C:0B:42:A6:0E:57:53:3B:08:BE:03:90:B3:99:7A
         SHA1: B2:50:1B:AA:57:C0:58:B6:C6:C9:3E:70:C0:23:CA:19:5A:3E:F1:EC
         SHA256: C0:E7:B8:AF:08:53:33:4D:F3:22:23:61:18:23:64:A2:20:82:BE:5A:39:1B:7E:DA:84:E5:1B:D8:9D:AD:FB:06
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 F3 90 88 1F CE E7 96   3D FA B5 9B A8 6A EC 1F  ........=....j..
0010: C1 07 CA 25                                        ...%
]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#3: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
  IPAddress: 0:0:0:0:0:0:0:1
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C5 06 BE D2 90 8A 39 2C   F4 7D 96 FD C9 70 BF 82  ......9,.....p..
0010: A7 F0 AD 74                                        ...t
]
]

Is anything missing?

With the 'elastic' entry above, I am able to test the connection using 'https://confluence.atlassian.com/download/attachments/117455/SSLPoke.java':

java SSLPoke localhost 9200
Successfully connected

Is it helpful for the troubleshooting?

Can you share your elasticsearch configuration? It seems like you are using the CA certificate for TLS on the http layer instead of the node-sni.p12
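The diagnosis above can be reproduced offline. The following is an added example written for this thread; it is not FSCrawler's, Elasticsearch's or any poster's code. The two certificate descriptions are constructed to mirror the two keytool entries shown above, in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns (the node certificate is given the name `node1` from the certutil command; the thread's real entry is `CN=node-xxx`). The matcher follows the usual client rule, which is also what the Java client is doing when it raises `SSLPeerUnverifiedException`: when a certificate carries a subjectAltName extension only that extension is consulted, and the CN is a fallback for legacy certificates with no SAN at all. A CA certificate has no SAN naming a server, so it can never satisfy a hostname check for `localhost`, no matter how many trust-store entries are added; the node certificate with `DNS:localhost` does. Kibana's `elasticsearch.ssl.verificationMode: certificate` works around the symptom by skipping this hostname step (the chain is still validated); serving the right certificate keeps both checks.

```python
"""Hostname matching against the certificate a TLS peer presents.

Added illustration for the thread above (not FSCrawler's or Elasticsearch's
code). The certificate dicts are constructed to mirror the two keytool entries
in the thread, in the shape ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress

# Constructed: the CA entry (alias elastic-ca). No subjectAltName, because a
# CA certificate is not meant to identify a server.
CA_CERT = {
    "subject": ((("commonName", "Elastic Certificate Tool Autogenerated CA"),),),
    "issuer": ((("commonName", "Elastic Certificate Tool Autogenerated CA"),),),
}

# Constructed: the node entry (alias elastic), as produced by
# certutil cert --dns localhost --ip 127.0.0.1,::1 --name node1.
NODE_CERT = {
    "subject": ((("commonName", "node1"),),),
    "issuer": ((("commonName", "Elastic Certificate Tool Autogenerated CA"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "0:0:0:0:0:0:0:1"),  # keytool's spelling of ::1
    ),
}


def dns_name_matches(pattern, hostname):
    """Match one dNSName (optionally a leftmost wildcard) against a hostname.

    RFC 6125 style: case-insensitive, the wildcard may only be the whole
    leftmost label and covers exactly one label, and '*.tld' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Return (ok, reason) for whether `cert` identifies `hostname`.

    Precedence mirrors common TLS clients: IP literals are checked only
    against iPAddress SANs; names are checked against dNSName SANs when a
    SAN extension exists, and against the subject CN only when it does not.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # ipaddress normalises 0:0:0:0:0:0:0:1 and ::1 to the same value.
        if any(ipaddress.ip_address(x) == ip for x in ip_names):
            return True, "IP %s present in subjectAltName" % hostname
        return False, "IP %s not in subjectAltName %s" % (hostname, ip_names)

    if sans:
        if any(dns_name_matches(p, hostname) for p in dns_names):
            return True, "'%s' matches subjectAltName %s" % (hostname, dns_names)
        return False, "'%s' not in subjectAltName %s" % (hostname, dns_names)

    # Legacy fallback: no SAN extension at all, compare against the CN.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_name_matches(cn, hostname) for cn in cns):
        return True, "'%s' matches subject CN (legacy, no SAN)" % hostname
    return False, ("Host name '%s' does not match the certificate subject "
                   "provided by the peer (CN=%s)" % (hostname, cns[0] if cns else "?"))


if __name__ == "__main__":
    for label, cert in (("CA cert served by node", CA_CERT), ("node cert", NODE_CERT)):
        for host in ("localhost", "127.0.0.1", "::1", "elk"):
            ok, why = match_hostname(cert, host)
            print("%-22s %-10s %s  %s" % (label, host, "OK  " if ok else "FAIL", why))
```

Run it as a script and the first block of output reproduces the thread's message for every name tried, while the second block passes for `localhost`, `127.0.0.1` and `::1` and fails only for the unlisted name `elk`. When troubleshooting a live node, feed `match_hostname` the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()`; if the returned subject is the CA's CN with no `subjectAltName`, the server is presenting its CA certificate rather than the node certificate, which is exactly the misconfiguration found here.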

Thanks Ioannis, you are right, that was the issue.
