I am trying to set up authentication through Active Directory. My problem is with the connection using LDAPS. We have our own CA service, and all certificates are issued by one of them. So we have a root CA, then a Sub CA which issues all certs. Certs for domain controllers are also enrolled from the Sub CA automatically.
With this config of my realm, authentication works:
```yaml
active_directory:
  ad1:
    order: 2
    domain_name: domain.local
    url: ldaps://dc01.domain.local:636, ldaps://dc02.domain.local:636
    load_balance:
      type: "failover"
    ssl:
      certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]
      verification_mode: none
```
I had to insert `verification_mode: none`, because if I delete this line, authentication breaks and I get this error:
[2020-10-01T19:07:32,749][WARN ][o.e.c.s.DiagnosticTrustManager] [node] failed to establish trust with server at [dc01.domain.local];
the server provided a certificate with subject name [CN=dc01.domain.local] and fingerprint [81b774a1e91159cc43f036a5b90571afd6038061];
the certificate has subject alternative names [DNS:dc01.domain.local];
the certificate is issued by [CN=SubCA,DC=domain,DC=local];
the certificate is signed by (subject [CN=SubCA,DC=domain,DC=local] fingerprint [ab278873cc4c7da08dcb0c0e87c0d7bcc7e6357c] {trusted issuer}) which is issued by [CN=Root CA,O=domain,C=local] (but that issuer certificate was not provided in the chain);
the issuing certificate with fingerprint [21be9ae0cca9af097ee70a1754e1c1c5b23ef035] is trusted in this ssl context ([xpack.security.authc.realms.active_directory.ad1.ssl])
sun.security.validator.ValidatorException: KeyUsage does not allow digital signatures
[2020-10-01T19:07:32,753][WARN ][o.e.x.s.a.AuthenticationService] [node] Authentication to realm ad1failed - authenticate failed (Caused by LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server dc01.domain.local:636:
IOException(LDAPException(resultCode=91 (connect error), errorMessage='Unable to verify an attempt to to establish a secure connection to 'dc01.domain.local:636' because an unexpected error was encountered during validation processing: SSLPeerUnverifiedException(peer not authenticated), ldapSDKVersion=4.0.8, revision=28812'))'))
But at the same time I use these same two certificates, `[ "cert/root_ca.crt", "cert/sub_ca.crt" ]`, in other sections of elasticsearch.yml without any problems:
```yaml
xpack.security.transport.ssl.certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]
xpack.security.http.ssl.certificate_authorities: [ "cert/root_ca.crt", "cert/sub_ca.crt" ]
```
Why does Elasticsearch say that the issuer certificate was not provided in the chain, when it was explicitly provided?
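The log above contains two separate observations: a notice that the sub CA's own issuer (the root) was not in the chain the server sent, which the trust manager immediately qualifies by saying the sub CA is itself a trusted issuer, and a validator exception, `KeyUsage does not allow digital signatures`. The Java end-entity checker raises that second message when it inspects the server (end-entity) certificate's KeyUsage extension and finds the digitalSignature bit missing. The following script is an added diagnostic, not code from the post or from Elasticsearch; it uses the `cryptography` library to build a constructed root CA -> SubCA -> dc01.domain.local chain in memory (the names mirror the post, the keys and bits are made up) and then reproduces both checks offline: the KeyUsage bit each certificate needs for its role (keyCertSign on CAs, digitalSignature on the server certificate) and whether the chain presented by the server reaches one of the configured certificate authorities even when the root is absent from it.

```python
"""Check the KeyUsage bits and issuer links of a TLS server chain.

Added example, not code from the forum post or from Elasticsearch. It builds a
constructed root CA -> SubCA -> server certificate chain in memory with the
`cryptography` library so it runs offline, then checks every certificate for
the KeyUsage bit RFC 5280 requires for its role: keyCertSign on CA
certificates and digitalSignature on the server certificate (the bit behind
the Java validator message "KeyUsage does not allow digital signatures").
"""
from datetime import datetime, timedelta

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key_usage(digital_signature, key_cert_sign):
    # Only the two bits that matter here vary; every other bit is cleared.
    return x509.KeyUsage(
        digital_signature=digital_signature, content_commitment=False,
        key_encipherment=False, data_encipherment=False, key_agreement=False,
        key_cert_sign=key_cert_sign, crl_sign=key_cert_sign,
        encipher_only=False, decipher_only=False)


def make_cert(subject_cn, issuer_cn, issuer_key, is_ca, digital_signature):
    """Issue a constructed certificate; returns (cert, private_key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.utcnow()
    builder = (x509.CertificateBuilder()
               .subject_name(_name(subject_cn))
               .issuer_name(_name(issuer_cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - timedelta(minutes=5))
               .not_valid_after(now + timedelta(days=1))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
               .add_extension(_key_usage(digital_signature, key_cert_sign=is_ca), critical=True))
    # A root signs itself; everything else is signed by its issuer's key.
    signer = issuer_key if issuer_key is not None else key
    return builder.sign(signer, hashes.SHA256()), key


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def signed_by(cert, issuer):
    """True if the issuer's public key verifies the certificate's ECDSA signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:
        return False


def diagnose_chain(chain, trusted):
    """Reproduce the checks behind the log: KeyUsage per role and the trust link.

    `chain` is leaf first, as presented by the server; `trusted` is the list of
    CA certificates configured as certificate_authorities. Returns a list of
    findings; an empty list means the chain would pass these checks.
    """
    findings = []
    for idx, cert in enumerate(chain):
        try:
            ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        except x509.ExtensionNotFound:
            continue  # an absent KeyUsage extension imposes no restriction
        if idx == 0 and not ku.digital_signature:
            findings.append(f"{common_name(cert)}: KeyUsage does not allow digital signatures")
        if idx > 0 and not ku.key_cert_sign:
            findings.append(f"{common_name(cert)}: KeyUsage does not allow certificate signing")
    # Each presented certificate must be signed by the next one in the chain.
    for cert, issuer in zip(chain, chain[1:]):
        if not signed_by(cert, issuer):
            findings.append(f"{common_name(cert)}: not signed by {common_name(issuer)}")
    # The last presented certificate must itself be trusted, or be issued by a
    # trusted CA; the root need not be in the chain for that to hold.
    last = chain[-1]
    if not any(t == last or signed_by(last, t) for t in trusted):
        findings.append(f"{common_name(last)}: no trusted issuer for this chain")
    return findings


def build_scenario(leaf_has_digital_signature):
    """Constructed PKI resembling the post: Root CA -> SubCA -> dc01.domain.local."""
    root, root_key = make_cert("Root CA", "Root CA", None, True, False)
    sub, sub_key = make_cert("SubCA", "Root CA", root_key, True, False)
    leaf, _ = make_cert("dc01.domain.local", "SubCA", sub_key, False,
                        leaf_has_digital_signature)
    # The server sends leaf + SubCA but not the root, as the log describes;
    # the configured CAs are root + SubCA, as in the realm's ssl section.
    return [leaf, sub], [root, sub]


if __name__ == "__main__":
    for flag in (True, False):
        chain, trusted = build_scenario(flag)
        print(f"leaf digitalSignature={flag}:", diagnose_chain(chain, trusted) or "chain OK")
```

Run against the real certificates, `chain` would be the certificates a `openssl s_client`-style capture shows the domain controller sending and `trusted` the two files from `certificate_authorities`, both loaded with `x509.load_pem_x509_certificate`; the point of the two scenarios above is that the "issuer not provided in the chain" notice is satisfied by the trusted SubCA alone, while a server certificate without the digitalSignature bit fails regardless of which CA files are configured.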