Not an SSL/TLS record when Enable SSL/TLS for HTTP

rambo · October 7, 2019, 6:14am

Hi team,

I want to configure Elasticsearch for SAML authentication when I follow below official link: https://www.elastic.co/guide/en/elastic-stack-overview/6.7/saml-guide-authentication.html#saml-guide-authentication, but met "not an SSL/TLS record" error when configure the first step(Enable SSL/TLS for HTTP), then Elasticsearch cluster doesn't work. I try my best to fix it. But I can't solve it. I saw that this is an bug before version 7.4 (https://github.com/elastic/elasticsearch/pull/45852).
I want to ask you, so currently we can't enable SAML before version 7.4 release, right?
because I enable it (xpack.security.http.ssl.enabled: true), the ES cluster doesn't work.
And if you have other solution to fix this issue for older version, please help us too.
Thanks a lot!

===============================================================================
Elasticsearch Version: 6.7.0-1
Master Node Config:
cluster.name: master-node
node.name: master-node
node.master: true
node.data: false
network.host: 0.0.0.0
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.0.178", "192.168.0.179", "192.168.0.180"]

xpack.security.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.authc.token.enabled: true

Data Node config:
cluster.name: master-node
node.name: data-node1
node.master: false
node.data: true
network.host: 0.0.0.0
https.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.0.178", "192.168.0.179", "192.168.0.180"]

xpack.security.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certs/elastic-certificates.p12
xpack.security.authc.token.enabled: true

And if I disable xpack.security.http.ssl.enabled, the ES cluster works fine.

ERROE message:
[2019-10-07T14:18:27,811][WARN ][o.e.h.n.Netty4HttpServerTransport] [master-node] caught exception while handling client http traffic, closing connection [id: 0xd2747b4c, L:0.0.0.0/0.0.0.0:9200 ! R:/192.168.0.178:58880]
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70466247467a64476c6a4d54497a0d0a486f73743a203139322e3136382e302e3137383a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:656) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:556) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:510) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:470) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909) [netty-common-4.1.32.Final.jar:4.1.32.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a417574686f72697a6174696f6e3a204261736963205a57786863335270597a70466247467a64476c6a4d54497a0d0a486f73743a203139322e3136382e302e3137383a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1182) ~[netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247) ~[netty-handler-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
... 15 more

TimV · October 7, 2019, 6:58am

If you enable SSL on the HTTP interface then you need to use https to access the cluster.

This means that something is connecting to your cluster using http:// instead of https://
This will not work because your cluster is only accessible over SSL (https).

rambo · October 7, 2019, 7:05am

@TimV Thanks. And how to configure cluster using https. I just configure it, and didn't use http connect it. I didn't find the configuration parameter. Sorry. So could you provide it?

DavidTurner · October 7, 2019, 8:25am

@rambo the message you shared contains enough information to determine that the admin password for your cluster is Ela******3 (I have redacted some of the characters there, but the full password is recoverable with minimal effort). You should consider this password leaked and change it immediately. You should also use a much stronger password in future, because this password would be far too easy for an attacker to guess.

rambo · October 7, 2019, 8:38am

@DavidTurner
thanks. this is test environment. And who can help me on this issue? thanks a lot.

DavidTurner · October 7, 2019, 8:40am

I'm not sure what further help you need. Tim's last message looks like a complete solution to the problem.

rambo · October 7, 2019, 8:48am

yes. but I don't know how to configure to use https to access the cluster. any docs I can refer

DavidTurner · October 7, 2019, 8:55am

It totally depends on the client. Normally it's something simple like replacing http with https in the cluster URI.

system · November 4, 2019, 8:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.