Server certificate CA fingerprint does not match the value configured in caFingerprint

Hey,

I'm using Elasticsearch with a Javascript proxy, almost exactly the same as the example provided here: https://github.com/elastic/elasticsearch-js.

We have a few proxies around the world and three servers in our cluster, one master server and two data nodes which I'm self-hosting. We've been testing it for a couple of weeks while we prepare to launch the search on our website... so we know everything is set up properly with the cluster and security certificates. However we randomly get this error from the server which we are having a lot of trouble understanding.

{
    "error": "ConnectionError",
    "message": "Server certificate CA fingerprint does not match the value configured in caFingerprint",
}

And we are connecting with the Javascript client like this:

const { Client } = require('@elastic/elasticsearch')
const client = new Client({
  node: 'https://example.com'
  auth: { ... },
  // the fingerprint (SHA256) of the CA certificate that is used to sign
  // the certificate that the Elasticsearch node presents for TLS.
  caFingerprint: '20:0D:CA:FA:76:...',
  tls: {
    // might be required if it's a self-signed certificate
    rejectUnauthorized: false
  }
})

However the problem is not specifically how we connect, since it works 95% of the time, and then randomly it throws this error in the logs and stops working, and we are having trouble figuring out why? Is it the Javascript proxy that's going to sleep and losing the CA Fingerprint env variable?

It stopped working on our Azure server-less function so I upgraded to always-on NodeJS servers but we're still getting the error... Is the cluster forgetting to check the CA Fingerprint or calculating it incorrectly sometimes?

We calculate the CA Fingerprint as suggested in the docs:

openssl x509 -fingerprint -sha256 -noout -in /path/to/elastic-stack-ca.crt.pem

However I also found that sometimes on localhost that fingerprint doesn't work and I need to calculate it differently:

# Replace the values of 'localhost' and '9200' to the
# corresponding host and port values for the cluster.
openssl s_client -connect localhost:9200 -servername localhost -showcerts </dev/null 2>/dev/null \
  | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

This command generates a different fingerprint that works instead, so is the server changing the way it calculates the fingerprint sometimes and why are they different fingerprints?

You can see these two methods in the official docs.

These show different fingerprints and it seems like the first method is using our custom elastic-stack-ca.crt.pem while the second one is using the http_ca.crt key... but we don't use the http_ca.crt key anywhere in our elasticsearch.yml file:

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
  certificate_authorities: [
        certs/elastic-stack-ca.crt.pem
  ]

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/elastic-certificates.p12
  truststore.path: certs/elastic-certificates.p12

We are currently using Elasticsearch 8.2.0.

Any ideas what could be going wrong or how we can figure this out?

It seems that at least one of your nodes in the cluster has a different configuration than the one that you share above. This would explain why you get this error once in a while ( when the client connects to that node ) and why

openssl x509 -fingerprint -sha256 -noout -in /path/to/elastic-stack-ca.crt.pem

and

openssl s_client -connect localhost:9200 -servername localhost -showcerts </dev/null 2>/dev/null | openssl x509 -fingerprint -sha256 -noout -in /dev/stdin

give different results. The former gives you the fingerprint of the elastic-stack-ca.crt.pem Certificate, but the latter gives you the fingerprint of the CA that has actually signed the certificate that is being used in that node, which is different

That could be the case... at the moment we are only using one elastic URL per proxy and set it up to connect users to the closest proxy geographically... so it's likely going to connect me to the same elastic node each time, but thanks for clarifying the difference in the two methods to generate the fingerprint... that might help.

It's happening on my local development proxy too which I connect to only one elastic node, and it works on startup but when I leave it for a while and come back in a couple hours and test it again, it throws this error.

I'm going to do some investigating and see if it is one of the servers is configured incorrectly with it's security certs and report back if I make any progress in debugging this or if that resolve it.

That sounds strange though... Could it be that there is something ( a script, a provisioning tool, a configuration management tool, some other orchestration tooling ) that overwrites the configuration of a node at a certain time of the node lifecycle ?

I've set it up exactly as the Debian docs suggest, which is why it's confusing... but I can try re-generate the certificates today and check each server individually to see if it was a configuration error.

I just ran into this problem again though. I went to get breakfast and when I came back it gave me the same error...

This was a successful response at 08:45:41 GMT

Screenshot 2022-05-16 at 11.08.201085×409 93.5 KB

This failing request was at 09:06:19 GMT, so only ~20 minutes later and nothing I can think of changed in between:

Screenshot 2022-05-16 at 11.08.061081×411 93.5 KB

I can also refresh the page and it throws the same error. When I refresh the page it does a health-check and says the elastic cluster is alive.

 return await this.client.cluster.health({}, {
            headers: {
                Authorization: `ApiKey ${params.token}`
            },
            meta: true
        }).then(() => { ... })

But this time I tried restarting the proxy servers and then it started working again... and there's nothing in the logs between 8am and 9am that said something changed with the servers though.

I have the same issue

Details are here Server certificate CA fingerprint does not match the value configured in caFingerprint · Issue #1699 · elastic/elasticsearch-js · GitHub

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.