Reusing certs b/w http & transport xpack security settings

Hi - I am trying to reuse the same certs for the HTTP and transport xpack security settings in elasticsearch.yml. Currently, the HTTP settings use company-signed certs and the transport xpack settings use Elasticsearch-signed certs. I tried the settings below, but when I restarted one of the master nodes I see Elasticsearch up and running. However, I can't authenticate using the elastic id when I access port 8200 - Postman says "unable to authenticate user [elastic] for REST request [/]".

#Transport layer encryption
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /pathToCerts/all_vms_SAN.cer
xpack.security.transport.ssl.key: /pathToCerts/all_vms_SAN.cer_key.pem
xpack.security.transport.ssl.certificate_authorities: /pathToCerts/Company_Root.crt

#HTTP client encryption
xpack.security.http.ssl.enabled: true
# the REST layer setting lives under xpack.security.http.ssl, not xpack.http.ssl
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate: /pathToCerts/all_vms_SAN.cer
xpack.security.http.ssl.key: /pathToCerts/all_vms_SAN_key.pem

After the restart I'm seeing these errors in the logs (which I expect, because not all nodes trust the company-signed authority yet), but does that also prevent authenticating against the local Elasticsearch instance using the elastic id/pwd?

failed to establish trust with server at [<unknown host>]; the server provided a certificate with subject name [CN=master02] and fingerprint [26d5f09d206b5532d5c6b3aa492f6da99e5eb420]; the certificate has subject alternative names [DNS:server2,IP:xxxx]; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA]; the certificate is signed by (subject [CN=Elastic Certificate Tool Autogenerated CA] fingerprint [4e38ca3320e9a03416303e4c1500e5a47aab1f79]) which is self-issued; the [CN=Elastic Certificate Tool Autogenerated CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl])
...
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I'm also trying to make this adjustment without having to take a full cluster down, if possible.

Thanks for your time!

Any response here from Elastic experts please?

Since the nodes cannot talk to each other yet (due to the SSL error), the cluster has not formed. In that case, you need to fix cluster formation first before trying to authenticate as elastic.

You said

http settings use company signed, transport xpack settings use elasticsearch signed certs.

I assume this was the previous working setup, since it does not match the configuration you shared, which uses the same key/cert for both HTTP and transport. There might be a reason you want to share the same SSL material between HTTP and transport, but we generally recommend keeping them separate.

I'm also trying to make this adjustment without having to take a full cluster down, if possible.

Based on what you have so far, it is probably easier to do a full cluster restart. In the future, for a rolling upgrade, it is recommended to start with the data nodes and finish with the master nodes.
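Added example (not Elastic's code and not from either post): a small Python linter for the two things this thread turns on. It parses the flat `key: value` form of the settings in the first post, flags a key written as `xpack.http.ssl.*` (that namespace configures Watcher's outbound HTTP client, so a `verification_mode` placed there never reaches the REST listener under `xpack.security.http.ssl.*`), reports the shared certificate the reply advises against together with the two different key files named for it, and then reads the untrusted issuer and the SSL context out of a "not trusted in this ssl context" log line so it can be compared with the `certificate_authorities` actually configured for that layer. The config text and the log line are constructed from the thread (fingerprints and SANs dropped from the log line); the paths are the thread's own placeholders; the `xpack.http.ssl.verification_mode` key is spelled without the `security` segment on purpose to show what the check catches.

```python
import re

# Leaf settings that exist under xpack.security.{transport,http}.ssl.*
KNOWN_SSL_SETTINGS = {
    "enabled", "verification_mode", "certificate", "key", "key_passphrase",
    "certificate_authorities", "keystore.path", "truststore.path",
    "client_authentication",
}
VERIFICATION_MODES = {"full", "certificate", "none"}

# Constructed from the first post; the http verification_mode key is
# deliberately missing its "security" segment.
SAMPLE_CONFIG = """\
#Transport layer encryption
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: /pathToCerts/all_vms_SAN.cer
xpack.security.transport.ssl.key: /pathToCerts/all_vms_SAN.cer_key.pem
xpack.security.transport.ssl.certificate_authorities: /pathToCerts/Company_Root.crt

#HTTP client encryption
xpack.security.http.ssl.enabled: true
xpack.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate: /pathToCerts/all_vms_SAN.cer
xpack.security.http.ssl.key: /pathToCerts/all_vms_SAN_key.pem
"""

# Constructed from the log excerpt in the thread, shortened.
SAMPLE_LOG_LINE = (
    "failed to establish trust with server at [<unknown host>]; the server provided "
    "a certificate with subject name [CN=master02]; the certificate is issued by "
    "[CN=Elastic Certificate Tool Autogenerated CA]; the [CN=Elastic Certificate Tool "
    "Autogenerated CA] certificate is not trusted in this ssl context "
    "([xpack.security.transport.ssl])"
)

SSL_KEY_RE = re.compile(r"xpack\.security\.(transport|http)\.ssl\.(.+)")
TRUST_LOG_RE = re.compile(
    r"the certificate is issued by \[(?P<issuer>[^\]]+)\].*?"
    r"is not trusted in this ssl context \(\[(?P<context>[^\]]+)\]\)"
)


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines of elasticsearch.yml.
    Deliberately minimal (no nesting, no list syntax) to avoid a PyYAML dependency."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def lint_ssl_settings(settings):
    """Return (per-layer ssl settings, list of findings) for the transport and http layers."""
    layers = {"transport": {}, "http": {}}
    findings = []
    for key, value in settings.items():
        m = SSL_KEY_RE.fullmatch(key)
        if m:
            layer, leaf = m.groups()
            layers[layer][leaf] = value
            if leaf not in KNOWN_SSL_SETTINGS:
                findings.append(f"{key}: not a known xpack.security.{layer}.ssl setting")
            elif leaf == "verification_mode" and value not in VERIFICATION_MODES:
                findings.append(f"{key}: {value!r} is not one of {sorted(VERIFICATION_MODES)}")
        elif key.startswith("xpack.http.ssl."):
            # xpack.http.ssl.* is Watcher's outbound HTTP client, not the REST listener.
            findings.append(f"{key}: applies to the Watcher HTTP client; "
                            f"did you mean xpack.security.{key[len('xpack.'):]}?")
    t, h = layers["transport"], layers["http"]
    if t.get("certificate") and t.get("certificate") == h.get("certificate"):
        findings.append("transport and http share one certificate; Elastic recommends separate material")
        if t.get("key") != h.get("key"):
            findings.append(f"same certificate but different key files "
                            f"({t.get('key')} vs {h.get('key')}); at most one of them pairs with it")
    if t.get("enabled") == "true" and not ({"certificate_authorities", "truststore.path"} & t.keys()):
        findings.append("transport ssl is enabled without certificate_authorities or truststore.path")
    return layers, findings


def explain_trust_failure(log_line, layers):
    """Extract the untrusted issuer and SSL context from the log line and show what
    that layer is configured to trust, so the gap is visible at a glance."""
    m = TRUST_LOG_RE.search(log_line)
    if not m:
        return None
    layer = m.group("context").split(".")[2]      # xpack.security.transport.ssl -> transport
    cfg = layers.get(layer, {})
    return {
        "untrusted_issuer": m.group("issuer"),
        "layer": layer,
        "configured_trust": cfg.get("certificate_authorities", cfg.get("truststore.path", "<none>")),
    }


if __name__ == "__main__":
    layers, findings = lint_ssl_settings(parse_flat_yaml(SAMPLE_CONFIG))
    for f in findings:
        print("finding:", f)
    print(explain_trust_failure(SAMPLE_LOG_LINE, layers))
```

Run against the constructed input it reports the misplaced `verification_mode` key, the shared certificate with two key files, and that the transport layer is configured to trust only `/pathToCerts/Company_Root.crt` while a peer is still presenting a certificate issued by the Elastic Certificate Tool CA, which is exactly the state in which cluster formation fails. The parser does not understand YAML list syntax; `certificate_authorities` accepts a list of files, which is what lets a node trust both the old and the new CA while certificates are being swapped.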
