Java ssl "Too Short" error

I have an odd problem with a cert signed by our local CA. I get a java error about something being 'too short', but I have no clue what that is. The problem definitely seems to be related to the locally-signed cert, because ES doesn't complain about certs signed by commercial providers.
I've used certs signed by local CAs for years with lots of services and have never had a problem until now. Yes, they are 2048-bit certs.

This is the ssl config:

xpack:
  security:
    enabled: true
    transport:
      ssl:
        enabled: true
        verification_mode: certificate
        key: /etc/elasticsearch/certs/myhost.key.pem
        certificate: /etc/elasticsearch/certs/myhost.cert.pem

This is the relevant logging; I have shortened the stack traces for readability:

[2021-11-15T18:43:55,184][ERROR][o.e.b.Bootstrap          ] [myhost] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1420) ~[?:?]
--
Caused by: org.elasticsearch.ElasticsearchException: failed to create trust manager
	at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.createTrustManager(TrustConfig.java:173) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
--
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createTrustManager(PEMKeyConfig.java:132) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.lambda$createTrustManager$0(TrustConfig.java:169) ~[?:?]
--
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Too short
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:186) ~[?:?]
	at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476) ~[?:?]
--
Caused by: java.io.IOException: Too short
	at sun.security.util.DerValue.<init>(DerValue.java:333) ~[?:?]
	at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:109) ~[?:?]
--
[2021-11-15T18:43:55,207][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [myhost] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to create trust manager]; nested: ElasticsearchException[failed to initialize a TrustManagerFactory]; nested: CertificateException[Unable to initialize, java.io.IOException: Too short]; nested: IOException[Too short];
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:171) ~[elasticsearch-7.15.1.jar:7.15.1]
	at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:158) ~[elasticsearch-7.15.1.jar:7.15.1]
--
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
	at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]
	at java.util.HashMap.forEach(HashMap.java:1420) ~[?:?]
--
Caused by: org.elasticsearch.ElasticsearchException: failed to create trust manager
	at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.createTrustManager(TrustConfig.java:173) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
--
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory
	at org.elasticsearch.xpack.core.ssl.PEMKeyConfig.createTrustManager(PEMKeyConfig.java:132) ~[?:?]
	at org.elasticsearch.xpack.core.ssl.TrustConfig$CombiningTrustConfig.lambda$createTrustManager$0(TrustConfig.java:169) ~[?:?]
--
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Too short
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:186) ~[?:?]
	at sun.security.provider.X509Factory.parseX509orPKCS7Cert(X509Factory.java:476) ~[?:?]
--
Caused by: java.io.IOException: Too short
	at sun.security.util.DerValue.<init>(DerValue.java:333) ~[?:?]
	at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:109) ~[?:?]

system/software details:

# echo $ES_JAVA_HOME
/usr/lib/jvm/java-11-openjdk
# rpm -q elasticsearch
elasticsearch-7.15.1-1.x86_64
# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)

I searched for various combinations of 'Elasticsearch', 'java', 'ssl', and 'too short' but found nothing relevant.

Can someone tell me what it is that is 'too short'?

Wow, that's an incredibly unhelpful error message. Sorry about that.

From what you've posted, something in your certificate (specifically the cert, not the key) can't be parsed by the Java Certificate factory. It might be a java bug, or it might be a bug in whatever generated the cert - it's hard to tell.

Would you be willing to send me a copy of the certificate (only the cert, I don't need the key) privately? I'll see if I can work out exactly what the problem is and which component is at fault.


I've sent it to you. Thanks for looking into it!

I found the problem. My certificate file has a DH Params section in addition to the certificate. No other tool/service has ever had a problem with this. It seems like this is a java issue as opposed to an ES issue, though.

A pem file like this one doesn't work:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
.....
-----END DH PARAMETERS-----

This pem file does:

-----BEGIN CERTIFICATE-----
.....
-----END CERTIFICATE-----
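A preflight check for the file layout found above, written as an added example (it is not from the thread or from Elasticsearch): it lists every PEM block in a file destined for xpack.security.transport.ssl.certificate, flags any block that is not a CERTIFICATE (such as the DH PARAMETERS block that triggered the "Too short" error), and can emit a copy containing only the certificate blocks. The sample PEM is constructed; its base64 bodies are minimal DER SEQUENCEs, not real certificates or DH parameters.

```python
import base64
import re

# Constructed sample, not a real certificate: a CERTIFICATE block followed by
# a DH PARAMETERS block, the layout the thread found Java rejects. Both
# base64 bodies are minimal DER SEQUENCEs (SEQUENCE { INTEGER n }).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN DH PARAMETERS-----
MAMCAQI=
-----END DH PARAMETERS-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, der_bytes, raw_block_text) for every PEM block in text."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))
        blocks.append((label, der, m.group(0)))
    return blocks


def check_certificate_file(text):
    """Flag what a Java CertificateFactory would not accept in a file used as
    an SSL certificate: non-CERTIFICATE blocks (e.g. DH PARAMETERS) and bodies
    that do not start with a DER SEQUENCE (tag 0x30). Returns (ok, findings)."""
    findings = []
    blocks = pem_blocks(text)
    if not blocks:
        findings.append("no PEM blocks found")
    for i, (label, der, _) in enumerate(blocks, 1):
        if label != "CERTIFICATE":
            findings.append(f"block {i} is '{label}', not CERTIFICATE")
        elif not der or der[0] != 0x30:
            findings.append(f"block {i} does not start with a DER SEQUENCE")
    return (not findings, findings)


def keep_only_certificates(text):
    """Return the file with only its CERTIFICATE blocks, in original order,
    each block copied verbatim so nothing is re-encoded."""
    return "".join(raw + "\n" for label, _, raw in pem_blocks(text)
                   if label == "CERTIFICATE")
```

Run `check_certificate_file` over the real file before restarting the node; if it reports a non-CERTIFICATE block, `keep_only_certificates` yields the version Elasticsearch will load.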
