P12 certificate is protected by password

rijinmp · November 16, 2018, 6:25pm

Hi all ,

My ES cluster containing 3 Master and 2 Data nodes. I have 5 p12 certificates for SSL. All p12 certificates are password protected. May I use these password protected certificates in cluster . When I am enabled SSL by this certificates showing some errors.

ikakavas · November 16, 2018, 6:55pm

Hello,

You can definitely use password protected PKCS12 stores with Elasticsearch. See also our settings reference

Please share some additional information with us:

how did you create these five p12 files
what is the error you're getting

This will hopefully enable someone to offer some meaningful feedback and assist you overcoming your problem !

rijinmp · November 16, 2018, 6:58pm

These certificates provide from company . With password . They brought from CA companies

ikakavas · November 19, 2018, 7:17am

Hi Rijin,

Please share the error message you're getting as without this we can only guess and it will be really difficult to assist you in a meaningful way.

TimV · November 20, 2018, 5:04am

Commercially provided PKCS#12 files typically contain cert+key pairs only, and do not contain any trust entries.

If you are attempting to use the file as a truststore then that is not likely to work.

rijinmp · November 20, 2018, 5:58pm

My COnf:
xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669
xpack.ssl.truststore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.truststore.type: PKCS12

xz.p12 and the decryption password 1b7f669 is provided by company.

Error log:

Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2059) ~[?:?]
at java.security.KeyStore.load(KeyStore.java:1445) ~[?:1.8.0_181]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:71) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.trustManager(CertParsingUtils.java:267) ~[?:?]
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:58) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:355) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:388) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:92) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:130) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_181]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:598) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:549) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:464) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:156) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.(Node.java:315) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.node.Node.(Node.java:256) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:326) ~[elasticsearch-6.4.2.jar:6.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:136) ~[elasticsearch-6.4.2.jar:6.4.2]
... 6 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

TimV · November 20, 2018, 8:44pm

You have set xpack.ssl.keystore.password but not xpack.ssl.truststore.password

rijinmp · November 20, 2018, 10:36pm

OK.

That means remove xpack.ssl.truststore.password ?

TimV · November 20, 2018, 11:10pm

No, the configuration file you posted does not have an entry for xpack.ssl.truststore.password

rijinmp · November 20, 2018, 11:12pm

Ok Tim.

I am checking with new conf. Avoided truststore part

rijinmp · November 21, 2018, 1:12am

Hi Tim ,

I am tried with below mentioning conf. Its working. ( Data node IP:1.2.3.4)

xpack.security.enabled: true
xpack.ssl.keystore.path: /etc/elasticsearch/certs/xyz.p12
xpack.ssl.keystore.type: PKCS12
xpack.ssl.keystore.password: 1b7f669

But from kibana ...

elasticsearch.url: "https://1.2.3.4:9200" is not working. No live connection showing in log.
elasticsearch.url: "http://1.2.3.4:9200" is connecting to elasticsearch .

Why ?

TimV · November 21, 2018, 1:47am

It appears that you have not enabled TLS on the http port

https://www.elastic.co/guide/en/elasticsearch/reference/6.4/configuring-tls.html#tls-http

rijinmp · November 21, 2018, 2:55am

Hi TIm when I am added the line "xpack.security.http.ssl.enabled: true" to ES cluster yml files

all 3 master nodes and 1 data node working well .

but only one data node showing this error

io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [xyzzzz.corp.internal] caught exception while handling client http traffic, closing connection [id: 0x4b6f4330, L:0.0.0.0/0.0.0.0:9200 ! R:/10.142.1.105:58504]

TimV · November 21, 2018, 3:30am

[WARN ]

This is a warning. Warnings can represent something significant, but they typically telling you about something that isn't preventing the cluster from functioning, but may not be working the way you expected/wanted it to.

SecurityNetty4HttpServerTransport

This error is relating to HTTP traffic.

not an SSL/TLS record

The HTTP interface is expecting SSL requests, but it received something that was not an SSL record.

L:0.0.0.0/0.0.0.0:9200

This was received on port 9200 on the local machine

R:/10.142.1.105:58504

This was received from the Remote host: 10.142.1.105

In short, something on 10.142.1.105 is trying to connect over http rather than https.

rijinmp · November 21, 2018, 3:35am

Thanks tim ... 10.142.1.105 is logstash ... I WILL CHANGE logstash outout to https(Now it is http).

The "not an SSL/TLS record" issue from kibana connection to Data node.

My kibana conf:

lasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/xyz.crt
server.ssl.key: /etc/kibana/certs/xyz.key

Is it ok ?

system · December 19, 2018, 3:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.