Not an SSL/TLS record when enabling SSL/TLS for HTTP

Hi team,

I want to configure Elasticsearch for SAML authentication following the official guide below: https://www.elastic.co/guide/en/elastic-stack-overview/6.7/saml-guide-authentication.html#saml-guide-authentication, but I hit a "not an SSL/TLS record" error when configuring the first step (Enable SSL/TLS for HTTP), and then the Elasticsearch cluster doesn't work. I tried my best to fix it, but I can't solve it. I saw that this is a bug before version 7.4 (https://github.com/elastic/elasticsearch/pull/45852).
I want to ask you: so currently we can't enable SAML before the 7.4 release, right?
Because when I enable it (xpack.security.http.ssl.enabled: true), the ES cluster doesn't work.
And if you have another solution to fix this issue for the older version, please help us too.
Thanks a lot!

===============================================================================
Elasticsearch Version: 6.7.0-1
Master Node Config:
cluster.name: master-node
node.name: master-node
node.master: true
node.data: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.0.178", "192.168.0.179", "192.168.0.180"]

xpack.security.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.authc.token.enabled: true

Data Node config:
cluster.name: master-node
node.name: data-node1
node.master: false
node.data: true
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.0.178", "192.168.0.179", "192.168.0.180"]

xpack.security.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.authc.token.enabled: true

And if I disable xpack.security.http.ssl.enabled, the ES cluster works fine.

ERROR message:
[2019-10-07T14:18:27,811][WARN ][o.e.h.n.Netty4HttpServerTransport] [master-node] caught exception while handling client http traffic, closing connection [id: 0xd2747b4c, L:0.0.0.0/0.0.0.0:9200 ! R:/192.168.0.178:58880]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70466247467a64476c6a4d54497a0d0a486f73743a203139322e3136382e302e3137383a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:556) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:510) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [netty-common-4.1.32.Final.jar:4.1.32.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70466247467a64476c6a4d54497a0d0a486f73743a203139322e3136382e302e3137383a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1182) ~[netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247) ~[netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
... 15 more

If you enable SSL on the HTTP interface then you need to use https to access the cluster.

This means that something is connecting to your cluster using http:// instead of https://
This will not work because your cluster is only accessible over SSL (https).

@TimV Thanks. And how do I configure the cluster to use https? I just configured it, and didn't use http to connect to it. I didn't find the configuration parameter. Sorry. So could you provide it?

@rambo the message you shared contains enough information to determine that the admin password for your cluster is Ela******3 (I have redacted some of the characters there, but the full password is recoverable with minimal effort). You should consider this password leaked and change it immediately. You should also use a much stronger password in future, because this password would be far too easy for an attacker to guess.
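The hex that Netty prints after "not an SSL/TLS record:" is the raw bytes the client sent, so it is worth decoding whenever this warning appears: it tells you which client is still speaking plain HTTP to the TLS port (Tim's point) and whether it carried credentials (David's point). The following is an added example, not code from this thread or from Elasticsearch. It decodes the payload copied from the stack trace above, checks for a TLS record header, parses the plaintext HTTP request, reports the Basic-auth username with the password redacted the same way as in the reply above, and derives the https URL the client should have used from its Host header. The names `Triage`, `triage`, `redact` and `parse_basic_auth` are chosen here for illustration.

```python
"""Triage the payload of a Netty NotSslRecordException (added example)."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Copied from the WARN line logged by Netty4HttpServerTransport on master-node.
PAYLOAD_HEX = (
    "48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a20"
    "4261736963205a57786863335270597a70466247467a64476c6a4d54497a0d0a"
    "486f73743a203139322e3136382e302e3137383a393230300d0a"
    "436f6e74656e742d4c656e6774683a20300d0a"
    "436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a"
)

HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "TRACE", "CONNECT"}


@dataclass
class Triage:
    is_tls: bool = False             # bytes begin with a TLS record header
    method: Optional[str] = None     # set only when the bytes parse as an HTTP request
    target: Optional[str] = None
    version: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)
    username: Optional[str] = None   # from an HTTP Basic Authorization header
    redacted_password: Optional[str] = None
    https_url: Optional[str] = None  # the URL the client should have used instead


def looks_like_tls_record(data: bytes) -> bool:
    """A TLS record starts with content type 20..23 followed by major version 3."""
    return len(data) >= 5 and data[0] in (20, 21, 22, 23) and data[1] == 3 and data[2] <= 4


def redact(secret: str) -> str:
    """Keep the first three and the last character, as the thread's redaction did."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:3] + "*" * (len(secret) - 4) + secret[-1]


def parse_basic_auth(value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        creds = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    return user, password


def triage(payload_hex: str) -> Triage:
    """Decode the hex Netty logged and classify what the client actually sent."""
    data = bytes.fromhex(payload_hex.strip())
    result = Triage(is_tls=looks_like_tls_record(data))
    if result.is_tls:
        return result  # a real TLS record: the problem is elsewhere (e.g. handshake)
    head, _, _body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS or not parts[2].startswith("HTTP/"):
        return result  # neither TLS nor HTTP: some other protocol or garbage
    result.method, result.target, result.version = parts
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            result.headers[name.strip().lower()] = value.strip()
    auth = result.headers.get("authorization")
    if auth:
        creds = parse_basic_auth(auth)
        if creds:
            result.username, result.redacted_password = creds[0], redact(creds[1])
    host = result.headers.get("host")
    if host:
        # Same host and port; only the scheme changes, which is the fix Tim describes.
        result.https_url = f"https://{host}{result.target}"
    return result


if __name__ == "__main__":
    t = triage(PAYLOAD_HEX)
    print("TLS record:", t.is_tls)
    print("Plaintext request:", t.method, t.target, t.version)
    print("Client:", t.headers.get("host"), "| user:", t.username, "| password:", t.redacted_password)
    print("Use instead:", t.https_url)
```

Run it and the output shows a plaintext `HEAD / HTTP/1.1` from a client that addressed `192.168.0.178:9200` over http, with Basic credentials for the `elastic` user attached. Anyone who can read this log line can recover the password, which is why David's reply treats it as leaked; the same applies to any ES log shipped to a central logging system.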

@DavidTurner
Thanks. This is a test environment. And who can help me with this issue? Thanks a lot. :slightly_smiling_face:

I'm not sure what further help you need. Tim's last message looks like a complete solution to the problem.

Yes, but I don't know how to configure it to use https to access the cluster. Any docs I can refer to?

It totally depends on the client. Normally it's something simple like replacing http with https in the cluster URI.
