I have followed the steps up to creating the client certificate. My requirement is to authenticate users to Elasticsearch with PKI. The above tutorial describes configuring Kibana to authenticate to the ES cluster. Can't I use my own client instead of Kibana? If so, what is the procedure?
The procedure is exactly the same. For example, there are details and examples on how to authenticate with a client key/certificate when using curl in the PKI Authentication section of the blog post you mentioned.
But I ran into some errors.
I had to change --cert to --cacert in the above command to make it work. Is this change okay? What might be the reason for this change?
After the change just above, I ran into one more error, shown below.
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "missing authentication token for REST request [/_xpack/security/_authenticate?pretty]",
        "header" : {
          "WWW-Authenticate" : [
            "Bearer realm=\"security\"",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "missing authentication token for REST request [/_xpack/security/_authenticate?pretty]",
    "header" : {
      "WWW-Authenticate" : [
        "Bearer realm=\"security\"",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status" : 401
}
To get rid of this error I had to change the above command as follows:
Why do I need to pass the elastic username/password?
In the above blog there is a section on setting the built-in password for the built-in user (I have done this), but why do we need to set this?
Is it because of the above step that I need to pass the elastic username/password?
What is the error you ran into? What was the error message, what was in the logs? You'd need to provide some additional information for us to be able to assist you.
Do you mean that you changed --cert to --cacert? That means that curl didn't use the certificate to authenticate to Elasticsearch and would explain the error you got:
You are trying to authenticate with a client certificate. If you don't send that client certificate (which is what happens when you don't use --cert in curl), then it is expected that authentication fails.
You don't need to. What happens is that since you're not sending a client certificate and you are sending a username and password instead, Elasticsearch assumes that you want to authenticate with that username and password and allows you to do so. This is allowed since you are using xpack.security.http.ssl.client_authentication: optional, which means that Elasticsearch will prompt for client certificate authentication but will also allow other means (like basic auth) if the client certificate authentication fails.
In summary:
Remove -u "elastic":"elastic" from the Curl command you try with
Change --cacert client.cer to --cert client.cer as it is described in the docs and the blog post.
If the above fails, share with us the exact error response and logs from Elasticsearch
[2019-06-04T17:41:31,383][INFO ][o.e.c.r.a.AllocationService] [iLFF8Lv] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[bank][3]] ...]).
[2019-06-04T17:41:35,011][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [iLFF8Lv] caught exception while handling client http traffic, closing connection [id: 0xb3b0ea8d, L:0.0.0.0/0.0.0.0:9200 ! R:/0:0:0:0:0:0:0:1:64722]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please use </> or backticks (```) to format your posts when you add logs/outputs/code/configuration. It makes it so much easier to read and will highly benefit the chances of someone reading through it and offering any help! It'd be great if you can edit your previous posts to fix that.
Hi,
I have followed the below commands to generate the certificates, as mentioned in the blog.
bin/elasticsearch-certutil ca
ENTER ENTER
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
ENTER ENTER ENTER
And placed it in the certs folder in the Elasticsearch config directory.
Followed by the below command to generate the client certificate:
bin/elasticsearch-certutil cert --ca \
config/certs/elastic-stack-ca.p12 \
-name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"
ENTER
client.p12 ENTER
ENTER
So how do I verify that the PKCS#12 contains the client-ca.cer trusted certificate? If it does not contain it, how can I add it?
How did you generate certs/elastic-certificates.p12?
That's the file that you are using as a truststore in xpack.security.http.ssl.truststore.path; it needs to have been generated using exactly the same CA that generated your client certificate.
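The check behind this reply, as an added example that is not part of the thread or of Elasticsearch: extract the certificates from a PKCS#12 truststore and verify that a client certificate chains to them, which is what Elasticsearch does when it validates a PKI-authenticated client. Everything (a demo CA, a client certificate it issued, a second CA that did not issue it, the file names elastic-stack-ca.p12 and client.p12, and the passwords) is generated or constructed inside the script with openssl, so it runs offline.

```shell
#!/bin/sh
# Added example: does a client certificate chain to the CA held in a PKCS#12 truststore?
# All material below is generated here for the demo; nothing is taken from a real cluster.
set -e
WORK=$(mktemp -d)
PASS=pass:demo-truststore-pw   # constructed password for the demo PKCS#12 file

# 1. A CA, its PKCS#12 (stands in for elastic-stack-ca.p12) and a client cert it signs.
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl pkcs12 -export -in "$WORK/ca.crt" -inkey "$WORK/ca.key" -name ca \
  -out "$WORK/elastic-stack-ca.p12" -passout "$PASS"
openssl req -newkey rsa:2048 -nodes -subj "/CN=something/OU=Consulting Team" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 3 -out "$WORK/client.crt" 2>/dev/null

# 2. An unrelated CA: a client cert it issues must NOT validate against the truststore,
#    which is the situation when truststore and client cert come from different CAs.
openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Other CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/other.crt" -CAkey "$WORK/other.key" \
  -CAcreateserial -days 3 -out "$WORK/client-other.crt" 2>/dev/null

# check_client_cert TRUSTSTORE.p12 CLIENT.crt -> prints "trusted" or "untrusted"; exit 0 / 1
check_client_cert() {
  p12="$1"; cert="$2"
  # Only the certificates in the PKCS#12 matter for trust; keys are not exported.
  openssl pkcs12 -in "$p12" -nokeys -passin "$PASS" -out "$WORK/trust.pem" 2>/dev/null
  if openssl verify -CAfile "$WORK/trust.pem" "$cert" >/dev/null 2>&1; then
    echo trusted; return 0
  fi
  echo untrusted; return 1
}

check_client_cert "$WORK/elastic-stack-ca.p12" "$WORK/client.crt"                 # trusted
check_client_cert "$WORK/elastic-stack-ca.p12" "$WORK/client-other.crt" || true   # untrusted
```

Against a real deployment, point the first argument at the file named in xpack.security.http.ssl.truststore.path and the second at the PEM form of the client certificate; an "untrusted" result is the PKIX path building failure seen in the log above.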
This is the way I have generated elastic-certificates.p12:
1. bin/elasticsearch-certutil ca (this will generate the "elastic-stack-ca.p12" file for me).
2. bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 (this will generate "elastic-certificates.p12" using "elastic-stack-ca.p12" from the above step).
and my Elasticsearch truststore path is configured as below:
And I have used the same CA certificate ("elastic-stack-ca.p12") for generating the client certificate, as per the below command in the blog.
bin/elasticsearch-certutil cert --ca config/certs/elastic-stack-ca.p12 -name "CN=something,OU=Consulting Team,DC=mydomain,DC=com"
ENTER
client.p12 ENTER
ENTER
Do you mean to say I should use "config/certs/elastic-certificates.p12" instead of config/certs/elastic-stack-ca.p12 for generating the client certificate?