Remote client not able to connect to Elasticsearch cluster with SSL in place

Hello

I am using Elasticsearch version 7.8.0 with a 5-node cluster. This cluster has SSL enabled and user authentication enabled too.

For inter-communication the port used is 9300.

I am using an external client [ Oracle Goldengate ] to connect to the Elasticsearch cluster. It connects on port 9300.

When a connection is made from the client to the ES cluster, I see the below error in the ES log file:

[2021-05-12T06:16:40,835][WARN ][o.e.t.TcpTransport       ] [node-2] exception caught on transport layer [Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/XX.XX.XX.XX:24876}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty client certificate chain

On the client side, I have specified the below params for the certificate:

-Djavax.net.ssl.trustStore=/mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12 -Djavax.net.ssl.trustStorePassword=XXXXXX -Djavax.net.ssl.keyStore=/mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12 -Djavax.net.ssl.keyStorePassword=XXXXXX 

Could you please help me to fix this ...

Which version of Goldengate are you using?
The latest version supports the Transport Client (port 9300) and the Rest Client (port 9200).

We (Elastic) have deprecated the transport client, so you should think about switching to use the Rest client with Goldengate if you can.

Have you tried using the connection properties supported by Goldengate (e.g. gg.handler.name.trustStore)?

Goldengate Version 19.1.0.0.5
We are using the Transport Client (port 9300).

For which version is this deprecated? [ My Elasticsearch version is 7.8.0 ]

Without SSL and authentication in place, Goldengate works perfectly fine and inserts data into the Elasticsearch indexes as expected.

Hi

Yes, I have tried that too...
FILE: elasticsearch6x.props


gg.handlerlist=elasticsearch
gg.handler.elasticsearch.type=elasticsearch

## Handler properties for Elasticsearch 6.x and 7.0.0
gg.handler.elasticsearch.ServerAddressList=10.XX.XX.XX:9300
gg.handler.elasticsearch.clientSettingsFile=client6x.properties
gg.handler.elasticsearch.version=7.x
#gg.handler.elasticsearch.bulkWrite=true

# For ES 6.x and 7.0.0 connectivity
gg.classpath=/mnt/elasticsearch-7.8.0/lib/*:/mnt/elasticsearch-7.8.0/modules/transport-netty4/*:/mnt/elasticsearch-7.8.0/modules/reindex/*:/mnt/elasticsearch-7.8.0/modules/x-pack-core/*:/mnt/elasticsearch-7.8.0/modules/percolator/*:/mnt/elasticsearch-7.8.0/modules/lang-mustache/*:/mnt/elasticsearch-7.8.0/modules/parent-join/*:
goldengate.userexit.writers=javawriter
javawriter.stats.display=TRUE
javawriter.stats.full=TRUE
gg.log=log4j
gg.log.level=INFO
gg.report.time=30sec
javawriter.bootoptions=-Xmx4096m -Xms4096m -XX:+UseG1GC -XX:MaxGCPauseMillis=50 -XX:+ParallelRefProcEnabled -XX:ParallelGCThreads=8 -XX:ConcGCThreads=2 -XX:InitiatingHeapOccupancyPercent=75 -Djava.class.path=.:ggjava/ggjava.jar:./dirprm -Djavax.net.ssl.trustStore=/mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12 -Djavax.net.ssl.trustStorePassword=elastic -Djavax.net.ssl.keyStore=/mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12 -Djavax.net.ssl.keyStorePassword=elastic


## SSL for ES
gg.handler.elasticsearch.authType=ssl
# Basic-auth credentials the handler sends to the cluster
gg.handler.elasticsearch.basicAuthUsername=elastic
gg.handler.elasticsearch.basicAuthPassword=elastic
gg.handler.elasticsearch.trustStore=/mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12
gg.handler.elasticsearch.trustStorePassword=elastic

I have copied "elastic-certificates.p12" from the Elasticsearch cluster.

During the certificate creation, I included our Goldengate server IP address too.

Still facing the same error.

Also, if you check here:
* NSS: client certificate not found (nickname not specified)

curl -v https://10.10.10.01:9300 -key /mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12  -cacert /mnt/elasticsearch-7.8.0/config/certs/elastic-stack-ca.p12 -cert /mnt/elasticsearch-7.8.0/config/certs/elastic-certificates.p12
* About to connect() to 10.10.10.01 port 9300 (#0)
*   Trying 10.10.10.01...
* Connected to 10.10.10.01 (10.10.10.01) port 9300 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
* SSL peer cannot verify your certificate.
* Closing connection 0
curl: (58) NSS: client certificate not found (nickname not specified)
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed
* <url> malformed
* Closing connection -1
curl: (3) <url> malformed

While using elasticsearch-certutil cert,

do I need to use any option for the CLIENT one?

As stated earlier, I included the Goldengate [ client ] IP address while creating the certificate.

It's either the certificate or some parameter settings mistaken on the client side...

Could you please help me in this ...

Now I am getting the below error:

java.lang.RuntimeException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager]; nested: CertificateParsingException[signed fields invalid];

I added a new parameter:

xpack.security.transport.ssl.certificate_authorities=/mnt/elasticsearch-7.8.0/config/certs/elastic-stack-ca.p12
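Two checks follow from the errors in this thread; the script below is an added example and is not code from the thread, from GoldenGate or from Elasticsearch. "Empty client certificate chain" on the node means the transport port, which requires client certificates by default, received no certificate from the client, so the first thing to confirm is that the file the client treats as its keystore really holds a private key plus a certificate whose SAN covers the client's address. The later "signed fields invalid" error came from pointing xpack.security.transport.ssl.certificate_authorities at a .p12 file: that setting, like .key and .certificate, takes PEM files, while PKCS#12 files belong under .keystore.path / .truststore.path. The script builds a CA and a client certificate with an IP SAN using openssl (a stand-in for elasticsearch-certutil, whose --ca and --ip options to the cert command produce the equivalent), packs a keystore and a trust store as PKCS#12, runs those checks plus a PEM-vs-binary test, and writes a sample transport-client settings file in the PEM form. The client IP 10.1.2.3, the password, the CA and friendly names, the cluster name and the user are constructed sample values; openssl 1.1.1 or newer is assumed, and the x-pack setting names are the 7.x transport-client ones, to be checked against your version. A side note on the curl transcript above: curl's --key, --cert and --cacert take two dashes; with one dash curl reads -key as -k -e y and -cacert as -c acert, which is why that output shows peer verification skipped, no client certificate sent and three malformed URLs.

```shell
#!/bin/sh
# Added example, not code from the thread: build a client certificate whose
# SAN carries the client IP, pack it as PKCS#12, and check the two things the
# errors above hinge on: does the client's keystore hold a private key, and
# is a given file PEM or binary PKCS#12. Assumes openssl 1.1.1+ on PATH.
# The IP, password, names and cluster/user values are constructed samples.
set -e

# Create ca.crt/ca.key, client.key/client.crt (SAN = IP:$2, clientAuth),
# client.p12 (key + cert + CA) and truststore.p12 (CA only) under $1.
make_client_p12() {
    dir="$1"; ip="$2"; pass="$3"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=example-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=goldengate-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=clientAuth\n' "$ip" > "$dir/client.ext"
    openssl x509 -req -days 365 -in "$dir/client.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
    # Keystore: what the client presents. Without a private key in here the
    # node can only log "Empty client certificate chain".
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -certfile "$dir/ca.crt" -name goldengate -out "$dir/client.p12" \
        -passout "pass:$pass"
    # Trust store: CA certificate only, deliberately no key.
    openssl pkcs12 -export -nokeys -in "$dir/ca.crt" -name ca \
        -out "$dir/truststore.p12" -passout "pass:$pass"
}

# Print "yes" if PKCS#12 file $1 (password $2) contains a private key.
p12_has_private_key() {
    if openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'; then
        echo yes
    else
        echo no
    fi
}

# Print the IP SANs of the leaf (key-matching) certificate in keystore $1.
p12_san_ips() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -o 'IP Address:[0-9.]*' | sed 's/IP Address://'
}

# Print "pem" or "binary". The *.certificate_authorities, *.key and
# *.certificate settings take PEM; *.keystore.path and *.truststore.path take
# PKCS#12. A .p12 handed to a PEM setting cannot be parsed.
cert_file_format() {
    if head -c 15 "$1" | grep -q -- '-----BEGIN'; then echo pem; else echo binary; fi
}

# Extract the (single) certificate of PKCS#12 trust store $1 (password $2)
# as PEM into $3, the form certificate_authorities accepts.
p12_to_pem_ca() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -out "$3" 2>/dev/null
}

# Write a transport-client settings file of the kind GoldenGate loads through
# gg.handler.<name>.clientSettingsFile, in the PEM form. For PKCS#12 files the
# keystore.path/keystore.password and truststore.path/truststore.password
# settings are used instead (setting names assumed from the 7.x transport client).
write_client_settings() {
    cat > "$1" <<EOF
cluster.name=my-cluster
xpack.security.user=elastic:changeme
xpack.security.transport.ssl.enabled=true
xpack.security.transport.ssl.key=$2/client.key
xpack.security.transport.ssl.certificate=$2/client.crt
xpack.security.transport.ssl.certificate_authorities=$2/ca.crt
xpack.security.transport.ssl.verification_mode=full
EOF
}

WORK="${TMPDIR:-/tmp}/es-client-cert-demo"
make_client_p12 "$WORK" 10.1.2.3 changeit
write_client_settings "$WORK/client6x.properties" "$WORK"
p12_to_pem_ca "$WORK/truststore.p12" changeit "$WORK/ca-from-p12.pem"
echo "client.p12 has key:     $(p12_has_private_key "$WORK/client.p12" changeit)"     # yes
echo "truststore.p12 has key: $(p12_has_private_key "$WORK/truststore.p12" changeit)" # no
echo "client SAN IPs:         $(p12_san_ips "$WORK/client.p12" changeit)"             # 10.1.2.3
echo "client.p12 format:      $(cert_file_format "$WORK/client.p12")"                 # binary
echo "ca-from-p12.pem format: $(cert_file_format "$WORK/ca-from-p12.pem")"            # pem
```

If the keystore check prints "no" for the file the client points at, the node's "Empty client certificate chain" is explained regardless of any other setting; if it prints "yes" but the node still sees no chain, the client library is not reading that file (for instance because it ignores javax.net.ssl.* system properties and takes its SSL configuration from the settings file instead).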
