P12 certificate is protected by password

security

(Rijin) #1

Hi all ,

My ES cluster contains 3 master and 2 data nodes. I have 5 p12 certificates for SSL. All p12 certificates are password protected. May I use these password-protected certificates in the cluster? When I enable SSL with these certificates, some errors are shown.


(Ioannis Kakavas) #2

Hello,

You can definitely use password-protected PKCS12 stores with Elasticsearch. See also our settings reference.

Please share some additional information with us:

  • how did you create these five p12 files
  • what is the error you're getting

This will hopefully enable someone to offer some meaningful feedback and assist you in overcoming your problem!


(Rijin) #3

These certificates were provided by the company, with a password. They were bought from CA companies.


(Ioannis Kakavas) #4

Hi Rijin,

Please share the error message you're getting as without this we can only guess and it will be really difficult to assist you in a meaningful way.


(Tim Vernum) #5

Commercially provided PKCS#12 files typically contain cert+key pairs only, and do not contain any trust entries.

If you are attempting to use the file as a truststore then that is not likely to work.


(Rijin) #6

My conf:
xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669
xpack.ssl.truststore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.truststore.type: PKCS12

xyz.p12 and the decryption password 1b7f669 are provided by the company.

Error log:

Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_181]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:71) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.trustManager(CertParsingUtils.java:267) ~[?:?]
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:58) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:355) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:388) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:92) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:130) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_181]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:549) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:464) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:156) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:315) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:256) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.2.jar:6.4.2]
... 6 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.


(Tim Vernum) #7

You have set xpack.ssl.keystore.password but not xpack.ssl.truststore.password.


(Rijin) #8

OK.

That means remove xpack.ssl.truststore.password ?


(Tim Vernum) #9

No, the configuration file you posted does not have an entry for xpack.ssl.truststore.password.


(Rijin) #10

Ok Tim.

I am checking with a new conf. Avoided the truststore part.


(Rijin) #11

Hi Tim ,

I tried with the conf mentioned below. It's working. (Data node IP: 1.2.3.4)

xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669

But from kibana ...

elasticsearch.url: "https://1.2.3.4:9200" is not working. "No live connection" is shown in the log.
elasticsearch.url: "http://1.2.3.4:9200" is connecting to Elasticsearch.

Why ?


(Tim Vernum) #12

It appears that you have not enabled TLS on the HTTP port.

https://www.elastic.co/guide/en/elasticsearch/reference/6.4/configuring-tls.html#tls-http


(Rijin) #13

Hi Tim, when I added the line "xpack.security.http.ssl.enabled: true" to the ES cluster yml files,

all 3 master nodes and 1 data node are working well,

but only one data node shows this error:

io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x4b6f4330, L:0.0.0.0/0.0.0.0:9200 ! R:/10.142.1.105:58504]


(Tim Vernum) #14

[WARN ]

This is a warning. Warnings can represent something significant, but they are typically telling you about something that isn't preventing the cluster from functioning, but may not be working the way you expected/wanted it to.

SecurityNetty4HttpServerTransport

This error relates to HTTP traffic.

not an SSL/TLS record

The HTTP interface is expecting SSL requests, but it received something that was not an SSL record.

L:0.0.0.0/0.0.0.0:9200

This was received on port 9200 on the local machine.

R:/10.142.1.105:58504

This was received from the remote host: 10.142.1.105.

In short, something on 10.142.1.105 is trying to connect over http rather than https.
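Tim's walkthrough above decodes one warning by hand. The following is an added example (not from the thread or from Elastic) that applies the same reading to a constructed log excerpt: it pairs each SecurityNetty4HttpServerTransport warning with the NotSslRecordException that follows it, pulls out the R: host, and counts which clients are still sending plaintext to the TLS-enabled port 9200. It assumes Netty appends a hex dump of the offending bytes after "not an SSL/TLS record:" (the thread's copy of the line shows nothing after the colon); the timestamps, hosts and bytes in the sample are constructed.

```python
import re
from collections import Counter

# Netty connection id as it appears in the warning: [id: 0x..., L:<local>:<port> ! R:/<remote>:<port>]
CONN_RE = re.compile(
    r"\[id: (?P<id>0x[0-9a-f]+), L:(?P<local>\S+?):(?P<lport>\d+) ! R:/(?P<rhost>[^:\]]+):(?P<rport>\d+)\]"
)
# Assumption: Netty appends a hex dump of the first bytes after the colon; it is optional here.
NOT_SSL_RE = re.compile(r"NotSslRecordException: not an SSL/TLS record:\s*(?P<hexdump>[0-9a-fA-F]*)")

# Constructed sample log modelled on the lines quoted in the thread (not a real cluster log).
SAMPLE_LOG = """\
[2018-10-30T10:00:01,123][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x4b6f4330, L:0.0.0.0/0.0.0.0:9200 ! R:/10.142.1.105:58504]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a
[2018-10-30T10:00:02,456][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x1a2b3c4d, L:0.0.0.0/0.0.0.0:9200 ! R:/10.142.1.105:58510]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a
[2018-10-30T10:00:04,000][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x9f8e7d6c, L:0.0.0.0/0.0.0.0:9200 ! R:/10.142.1.42:40112]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f
"""

def triage_not_ssl_records(log_text):
    """Pair each HTTP-transport warning with the NotSslRecordException line that follows it.
    Returns one dict per plaintext attempt: remote host/port, local port, and a printable
    peek at the bytes the client sent (empty when the exception carries no hex dump)."""
    records = []
    pending = None  # most recent HTTP-transport warning not yet matched to an exception line
    for line in log_text.splitlines():
        if "[WARN " in line and "SecurityNetty4HttpServerTransport" in line:
            m = CONN_RE.search(line)
            pending = m.groupdict() if m else None
            continue
        m = NOT_SSL_RE.search(line)
        if m is None or pending is None:
            continue  # unrelated line, or an exception with no preceding warning to attribute
        hexdump = m.group("hexdump")
        raw = bytes.fromhex(hexdump[: len(hexdump) // 2 * 2])  # drop a dangling half byte
        peek = "".join(chr(b) if 32 <= b < 127 else "." for b in raw)
        records.append({"rhost": pending["rhost"], "rport": int(pending["rport"]),
                        "lport": int(pending["lport"]), "peek": peek})
        pending = None
    return records

def plaintext_clients(records):
    """Count plaintext attempts per remote host: these are the clients still configured for http."""
    return Counter(r["rhost"] for r in records)

if __name__ == "__main__":
    recs = triage_not_ssl_records(SAMPLE_LOG)
    for host, n in plaintext_clients(recs).most_common():
        print(f"{host}: {n} plaintext connection(s) to the TLS-enabled HTTP port")
    for r in recs:
        print(f"  {r['rhost']}:{r['rport']} -> :{r['lport']}  first bytes: {r['peek']!r}")
```

The decoded peek ("GET / HTTP/1.1") confirms the client is speaking plain HTTP, which is what the warning means: the fix is on the client (Logstash, Kibana, curl) side, not on the node.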


(Rijin) #15

Thanks Tim ... 10.142.1.105 is Logstash ... I will change the Logstash output to https (now it is http).

The "not an SSL/TLS record" issue is from the Kibana connection to the data node.

My Kibana conf:

elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/xyz.crt
server.ssl.key: /etc/kibana/certs/xyz.key

Is it ok?