io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

Hello,

I have installed x-pack and configured each and every node of my elastic cluster for SSL certificates using the certutil tool provided by x-pack. A forwarder is configured to ingest data into the elastic cluster. I checked twice that the forwarder must use https instead of http, but it is unable to ingest data. Here is the error shown in the log file of elasticsearch. I have also configured kibana, which is working very fine; the problem is that the forwarder is not able to connect.

[2018-05-08T16:53:40,343][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [node-1] caught exception while handling client http traffic, closing connection [id: 0x7c39ca2f, L:0.0.0.0/0.0.0.0:9200 ! R:/10.0.1.1:53205]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300002b26e00000000000436f6f6b69653a206d737473686173683d68656c6c6f0d0a0100080003000000
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300002b26e00000000000436f6f6b69653a206d737473686173683d68656c6c6f0d0a0100080003000000
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1106) ~[?:?]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
        ... 15 more

Thanks,
Meet

Hi

If by forwarder you mean a Logstash forwarder, is there any specific reason why you don't use Filebeat instead?

How did you check this? Can you share your config?

Can you share more details on how this problem manifests? What are the symptoms? What are you expecting to happen that doesn't happen?

The error you pasted clearly states that something is sending plaintext traffic to Elasticsearch and
0300002b26e00000000000436f6f6b69653a206d737473686173683d68656c6c6f0d0a0100080003000000 is the request it receives hex encoded and decodes to

+&àCookie: mstshash=hello


but seems to be unrelated to Elasticsearch or the Forwarder; it looks like something is trying to connect over RDP to the port Elasticsearch is listening at?
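The decoding step described in the reply above, as an added example that is not part of the original thread: it pulls the hex dump out of a `NotSslRecordException` line and reports whether the client sent plaintext HTTP or an RDP (TPKT/X.224) connection request. The function names `extract_payload` and `classify` are hypothetical helpers, and the sample line is constructed from the log in the question.

```python
import re

# Constructed sample: the exception line from the post above (stack trace omitted).
SAMPLE_LOG = (
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    "0300002b26e00000000000436f6f6b69653a206d737473686173683d68656c6c6f"
    "0d0a0100080003000000"
)

HEX_RE = re.compile(r"not an SSL/TLS record: ((?:[0-9a-fA-F]{2})+)")
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ", b"OPTIONS ")


def extract_payload(log_line):
    """Return the raw bytes Netty hex-dumped in the exception, or None."""
    m = HEX_RE.search(log_line)
    return bytes.fromhex(m.group(1)) if m else None


def classify(payload):
    """Guess which protocol a client spoke to the TLS-only port.

    Returns (protocol, detail). Hypothetical helper, not an Elasticsearch API.
    """
    if payload.startswith(HTTP_METHODS):
        # Client configured with http:// against an https:// listener.
        return "plaintext HTTP", payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    # TPKT header: version 3, reserved 0, 16-bit length; then the X.224 TPDU.
    if len(payload) >= 11 and payload[:2] == b"\x03\x00":
        if payload[5] & 0xF0 == 0xE0:  # X.224 Connection Request
            # RDP clients may send a routing cookie right after the 7-byte X.224 header.
            cookie = payload[11:].split(b"\r\n", 1)[0]
            if cookie.startswith(b"Cookie: mstshash="):
                return "RDP connection request", cookie.decode("ascii", "replace")
            return "RDP connection request", "no mstshash cookie"
    return "unknown", payload[:16].hex()


if __name__ == "__main__":
    print(classify(extract_payload(SAMPLE_LOG)))
```

The `R:/10.0.1.1:53205` field in the WARN line of the same log entry gives the source address of the connection, which is the host to look at next.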
