Help! ES does not trust the certificate

Hi everyone,

I am trying to connect to Elasticsearch 6.8.0 via TransportClient (TLS enabled). I created a CA with the command "./bin/elasticsearch-certutil ca --pem", then unzipped the zip file and moved the ca folder to the elasticsearch/config/ directory.

Then I created instance.crt and instance.key with the command "./bin/elasticsearch-certutil cert --ca-cert config/ca/ca.crt --ca-key config/ca/ca.key --pem", unzipped instance.zip and moved the instance folder to the elasticsearch/config/ directory.

This is the configuration used in my elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: instance/instance.key
xpack.security.transport.ssl.certificate: instance/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "ca/ca.crt" ]

Then I copied ca.crt, instance.key and instance.crt to the other computer, from which I want to connect to the ES cluster with the Java API.

This is the code:
Settings.Builder builder = Settings.builder();
builder.put("cluster.name", es_server_clustername);
builder.put("xpack.security.user", "username:password");
builder.put("xpack.ssl.key", "/mypath/instance.key");
builder.put("xpack.ssl.certificate", "/mypath/instance.crt");
builder.put("xpack.ssl.certificate_authorities", "/mypath/ca.crt");
builder.put("xpack.security.transport.ssl.enabled", "true");
Settings settings = builder.build();
client = new PreBuiltXPackTransportClient(settings);

While connecting the transport client I get the error below on the Elasticsearch side:
[2019-06-19T18:50:56,309][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [jo-2] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/172.x.x.xxx:63194}

I think I configured it according to the ES documentation; can you tell me what the problem is?

I strongly discourage using the same certificate+key for both the server and client. I would recommend that you create a new "client" cert using the same CA cert.

./bin/elasticsearch-certutil cert --ca-cert config/ca/ca.crt --ca-key config/ca/ca.key \
   --pem --name client --out client.zip

It would be helpful if you configure your client to log its own errors. Diagnosing the problems from the wrong side of the connection is hard.

The problem appears to be that your instance.crt doesn't include any IP/hostname information, but your client is configured to require it.

The recommended code would be:

Settings.Builder builder = Settings.builder();
builder.put("cluster.name", es_server_clustername);
builder.put("xpack.security.user", "username:password");
builder.put("xpack.security.transport.ssl.enabled", "true");
builder.put("xpack.security.transport.ssl.verification_mode", "certificate");
builder.put("xpack.security.transport.ssl.key", "/mypath/instance.key");
builder.put("xpack.security.transport.ssl.certificate", "/mypath/instance.crt");
builder.putList("xpack.security.transport.ssl.certificate_authorities", "/mypath/ca.crt");
Settings settings = builder.build();
client = new PreBuiltXPackTransportClient(settings);
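As an added example (not from this thread and not part of Elastic's tooling), a small Java check that does the client-side diagnosis TimV describes: it verifies that instance.crt is actually signed by ca.crt and lists its DNS/IP SANs, which tells you whether verification_mode "full" could ever succeed for the address you dial or whether "certificate" is the only mode that can pass. The class name CertCheck and its three command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
// Client-side diagnostic for the "client did not trust this server's certificate"
// warning: does instance.crt chain to ca.crt, and does it carry the DNS/IP SAN
// entries that the default verification_mode "full" insists on?
// Assumed usage (not an ES tool): java CertCheck ca.crt instance.crt <host-or-ip>
public class CertCheck {
    static X509Certificate loadPem(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
    public static void main(String[] args) throws Exception {
        X509Certificate ca = loadPem(args[0]);
        X509Certificate server = loadPem(args[1]);
        String host = args[2];
        // 1. Trust: the server cert must be signed by the CA the client is given and
        //    be within its validity period; either check failing breaks "certificate"
        //    mode as well as "full". verify() throws on a bad signature.
        server.verify(ca.getPublicKey());
        server.checkValidity();
        System.out.println("chain OK: " + server.getSubjectX500Principal());
        // 2. Identity: "full" mode additionally requires the address the client dials
        //    to appear in subjectAltName (GeneralName type 2 = DNS, 7 = IP address).
        boolean hostMatches = false;
        int sanCount = 0;
        Collection<List<?>> sans = server.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type != 2 && type != 7) continue;
                sanCount++;
                System.out.println("  SAN " + (type == 2 ? "DNS:" : "IP:") + san.get(1));
                if (host.equalsIgnoreCase(String.valueOf(san.get(1)))) hostMatches = true;
            }
        }
        if (sanCount == 0) {
            System.out.println("no DNS/IP SANs: only verification_mode 'certificate' can pass; "
                + "reissue with elasticsearch-certutil --dns/--ip before using 'full'");
        } else {
            System.out.println("host " + host + (hostMatches ? " matches a SAN: 'full' is possible"
                : " is not in the SANs: 'full' will fail for this address"));
        }
    }
}
```

Run it on the machine holding the client copies of the files; a signature failure in step 1 means the client was handed the wrong ca.crt, while a missing SAN in step 2 is the situation in this thread.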

Hi @TimV
Thank you so much. It really worked!
I will use a new client cert as you said.
thanks and best regards!
yeziblo
