Peer certificate cannot be authenticated with known CA certificates

security

(Syed Quadri) #1

Hi,

I'm working on encrypting a dev ELK 5.6 stack on CentOS 6. I have followed the documents and was able to issue certificates and got the communication set up between two Elasticsearch nodes and Kibana. However, I see the following errors on my stack.

  1. Certificate error while accessing Kibana through web browser.
  2. Unable to curl the elasticsearch API (curl -X GET -v "https://IP:9201/_cluster/health" -u username)

Here's my kibana.yaml

# Kibana is served by a back end server. This setting specifies the port to use.
server.port: 5601

server.host: "IP"

# The Kibana server's name.  This is used for display purposes.
server.name: "kibana-squad"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://IP:9201"
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
kibana.index: ".kibana"

# The default application to load.
kibana.defaultAppId: "discover"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: "elastic"
elasticsearch.password: "password"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.pem
server.ssl.key: /etc/kibana/certs/kibana.key
xpack.monitoring.elasticsearch.ssl.ca: /etc/kibana/ca.crt
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
elasticsearch.ssl.certificate: /etc/kibana/masterdir.pem
elasticsearch.ssl.key: /etc/kibana/masterdir.key
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/ca.pem" ]


###################################################################
elasticsearch.yaml
###################################################################
cluster.name: elastic-squad
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: master
node.attr.rack: rack1
#
# ----------------------------------- Paths ------------------------------------
#
#
network.host: IP
#
# Set a custom port for HTTP:
#
http.port: 9201
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.zen.ping.unicast.hosts: ["IP"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
discovery.zen.minimum_master_nodes: 1
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#action.destructive_requires_name: true
node.max_local_storage_nodes: 3
bootstrap.system_call_filter: false

xpack.ssl.key:                     /etc/elasticsearch/x-pack/masterdir/masterdir.key
xpack.ssl.certificate:             /etc/elasticsearch/x-pack/masterdir/masterdir.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca/ca.pem" ]
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true

Errors:

[root@syeddev01 elasticsearch]# curl -X GET -v "https://IP:9201/_cluster/health" -u elastic
Enter host password for user 'elastic':
* About to connect() to IP port 9201 (#0)
*   Trying IP... connected
* Connected to IP (IP) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Peer's certificate issuer is not recognized: 'CN=Elastic Certificate Tool Autogenerated CA'
* NSS error -8179
* Closing connection #0
* Peer certificate cannot be authenticated with known CA certificates
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.


(Yogesh Gaikwad) #2

Hi @squad

Please format your post to be readable, there are options that allow you to format the post in your editor and preview them before posting.

I think you forgot to include the errors that you got when accessing Kibana via browser and for API invocation via API. Could you please attach the errors that you are getting so we could help you further.

Regards,
Yogesh


(Syed Quadri) #3

Hi Yogesh,

Sorry about that. I fixed the format and also included the error.

Thank you


(Yogesh Gaikwad) #4

As you can see from the error output when invoking the API using curl, you need to trust the certificate presented by ES to continue.
You can use --cacert to specify the CA certificate from ES which you trust, or -k (not recommended, as it bypasses security by not verifying the certificates being presented). Check the curl documentation for the usage of these options.

I am guessing the similar problem when accessing Kibana is due to the browser not trusting self-signed certificates implicitly. What is the error that you are getting in the browser? You can configure the browser to work with self-signed certificates.
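The reply above boils down to one distinction: verifying the node certificate against the system's known CAs (which fails, because the Elastic certificate tool's CA is private) versus verifying it against the CA file that actually signed it (what `--cacert` does). The script below is an added example, not code from the thread or from Elastic; it builds a throwaway CA and node certificate with OpenSSL, then runs both checks so the failure and the fix can be seen side by side. The CA name, hostnames, IP, and the `es-ca-demo` directory are constructed for the demo; the only assumption is that the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original thread): reproduce the curl error
# "Peer certificate cannot be authenticated with known CA certificates"
# with a throwaway CA, then show the fix from the reply: verify against
# the CA file that signed the node certificate (what `curl --cacert` does).
# All names, paths and subjects below are constructed for the demo.

# Build a tiny PKI in $1: a self-signed CA and a node certificate signed by it.
make_demo_pki() {
  dir="$1"
  mkdir -p "$dir"
  # Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ node_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:127.0.0.1, DNS:elastic-node.example
EOF
  # Private CA (constructed name, modelled on the issuer curl complained about).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$dir/openssl.cnf" -extensions ca_ext \
    -subj "/CN=Demo Certificate Tool Autogenerated CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  # Node key and CSR, then sign the CSR with the CA.
  openssl req -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
    -subj "/CN=elastic-node.example" \
    -keyout "$dir/node.key" -out "$dir/node.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$dir/node.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/openssl.cnf" -extensions node_ext \
    -out "$dir/node.crt" >/dev/null 2>&1
}

# What curl does by default: verify the peer against the system CA bundle.
# The private CA is not in that bundle, so this returns non-zero; it is the
# same failure curl reports as error 60 (NSS -8179 on CentOS 6).
verify_with_known_cas() {
  openssl verify "$1/node.crt" >/dev/null 2>&1
}

# The fix from the reply: point verification at the CA that signed the node
# certificate. This is what `curl --cacert ca.pem` does for the TLS handshake.
verify_with_ca_file() {
  openssl verify -CAfile "$1/ca.pem" "$1/node.crt" >/dev/null 2>&1
}

# Usage: build the demo PKI and report both outcomes.
DEMO_DIR="${TMPDIR:-/tmp}/es-ca-demo.$$"
make_demo_pki "$DEMO_DIR"
if verify_with_known_cas "$DEMO_DIR"; then
  echo "unexpected: the demo CA is in the system bundle"
else
  echo "system CA bundle: node certificate NOT trusted (the curl error 60 case)"
fi
if verify_with_ca_file "$DEMO_DIR"; then
  echo "with --cacert $DEMO_DIR/ca.pem: node certificate trusted"
fi
# Equivalent curl call against the real cluster from the thread (not run here):
#   curl --cacert /etc/elasticsearch/x-pack/ca/ca.pem -u elastic \
#        "https://IP:9201/_cluster/health"
```

The same CA file is what the browser needs in its trust store for the Kibana URL to stop warning, and what `elasticsearch.ssl.certificateAuthorities` in `kibana.yml` needs so that Kibana trusts the node; importing the CA is the durable fix, whereas `-k` only hides the check.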