Set authentication on elasticsearch using ansible

Hello,

I would like to set up TLS and basic authentication for elasticsearch 6.8.

To deploy elasticsearch I used the official ansible playbook.
I also followed this documentation: https://github.com/elastic/ansible-elasticsearch/blob/master/docs/ssl-tls-setup.md.

It seems that TLS is correctly set up but not the authentication.
When I go to the https://elasticsearch:9200 url, an authentication popup appears.
But when I enter the login and password, the popup appears again and again.

How can I troubleshoot this issue?

Thanks.

Hi @smutel,
Can you provide your Ansible playbook and logs so we can investigate?

Here is the ansible configuration I added to activate the authentication:

es_api_basic_auth_username: admin
es_api_basic_auth_password: "{{ vault_es_api_basic_auth_password }}"
es_enable_http_ssl: true
es_enable_transport_ssl: true
es_ssl_key: "{{ deploy_key_path }}/cert.key"
es_ssl_certificate: "{{ deploy_key_path }}/cert.crt"
es_ssl_certificate_authority: "{{ deploy_key_path }}/root-ca.crt"
es_validate_certs: no
es_ssl_upload: false

Here is my configuration for my controller nodes:

# ext-elasticsearch configuration
es_config:
  node.name: "{{ ansible_fqdn }}"
  cluster.name: "elasticsearch-infra-integ-01"
  discovery.zen.ping.unicast.hosts: "{{ es_cluster_members }}"
  discovery.zen.minimum_master_nodes: 3
  http.port: 9200
  transport.port: 9300
  node.data: false
  node.master: true
  bootstrap.memory_lock: true
  network.host: 0.0.0.0
  xpack.security.authc.realms.file.type: "file"
  xpack.security.authc.realms.file.order: 0
  xpack.security.authc.realms.native.type: "native"
  xpack.security.authc.realms.native.order: 1

Here is my configuration for my data nodes:

# ext-elasticsearch configuration
es_config:
  node.name: "{{ ansible_fqdn }}"
  cluster.name: "elasticsearch-infra-integ-01"
  discovery.zen.ping.unicast.hosts: "{{ es_cluster_members }}"
  discovery.zen.minimum_master_nodes: 3
  http.port: 9200
  transport.port: 9300
  node.data: true
  node.master: true
  bootstrap.memory_lock: true
  network.host: 0.0.0.0
  xpack.security.authc.realms.file.type: "file"
  xpack.security.authc.realms.file.order: 0
  xpack.security.authc.realms.native.type: "native"
  xpack.security.authc.realms.native.order: 1

The error is mainly this one:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So I changed my certs a little bit. Instead of using a wildcard cert generated with openssl, I generated one cert for each server with the command below:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert -ca-cert /usr/local/share/ca-certificates/xxxxxx-intermediate-ca.crt -ca-key /etc/ssl/private/xxxxxx.in.key --pem --multiple --in /tmp/instance.yml -out /tmp/certs.zip

I sent the certs and the key to each node.
Now I have a SEC_ERROR_BAD_SIGNATURE in my web browser and this error in logs:

Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

I already added the CA in the /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts with keytool command.

What is missing?

Hi @smutel,

I believe the issue you've got is similar to "ES 7.8 X-Pack not returning whole cert chain root ca, intermediate and server cert".
You need to concatenate the whole cert chain into a single pem file, and set xpack.security.http.ssl.certificate to it.

Hello,

I tried different options but I didn't find the right one to set up my ELK cluster correctly.
I still have the issue below:

Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a KeyManagerFactory
Caused by: java.security.KeyStoreException: Key protection  algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
Caused by: java.security.KeyStoreException: Certificate chain is not valid

Is it possible to generate certs with elasticsearch-certutil and an intermediate cert? Or do I need to use a root CA?

In the cert file, I tried:

  • The cert only
  • The cert + the intermediate CA
  • The cert + the intermediate CA + the root CA
  • The root CA + the intermediate CA + the cert

Nothing is working.
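The chain-order advice above (server cert first, then its issuers) and the four bundle layouts tried, as an added example that is not from this thread or the ansible-elasticsearch project: it builds a throwaway root, intermediate and node certificate with openssl and checks three bundle layouts the way a TLS stack reads a PEM file. The Demo CA names, es-node-01.example and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a constructed root -> intermediate -> leaf PKI
# with openssl, then check a PEM bundle the way a TLS stack reads it: the first block must
# be the end-entity cert, followed by its issuers, up to an anchor in the trust store.
set -eu
WORK="$(mktemp -d)"

# make_chain: constructed demo PKI; CN values and file names are placeholders.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:es-node-01.example\n' > "$WORK/leaf.ext"
  # root: self-signed, CA extensions taken from ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 7 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # intermediate: signed by the root, itself a CA
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" 2>/dev/null
  # leaf: the per-node server cert, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=es-node-01.example' \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 7 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# chain_ok BUNDLE CAFILE: 0 when the first cert in BUNDLE is an end-entity cert
# that chains, through the remaining certs in BUNDLE, to an anchor in CAFILE.
chain_ok() {
  awk '/BEGIN CERT/{n++} n==1' "$1" > "$WORK/first.pem"
  awk '/BEGIN CERT/{n++} n>1'  "$1" > "$WORK/rest.pem"
  # a CA cert in first position means the bundle is in the wrong order
  if openssl x509 -in "$WORK/first.pem" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    return 1
  fi
  if grep -q 'BEGIN CERT' "$WORK/rest.pem"; then
    openssl verify -CAfile "$2" -untrusted "$WORK/rest.pem" "$WORK/first.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$WORK/first.pem" >/dev/null 2>&1
  fi
}

make_chain
cat "$WORK/leaf.crt" "$WORK/inter.crt" > "$WORK/correct.pem"                  # leaf, then issuer
cat "$WORK/root.crt" "$WORK/inter.crt" "$WORK/leaf.crt" > "$WORK/reversed.pem" # root first
cp "$WORK/leaf.crt" "$WORK/alone.pem"                                          # intermediate missing
for b in correct reversed alone; do chain_ok "$WORK/$b.pem" "$WORK/root.crt" && echo "$b.pem: chain OK" || echo "$b.pem: chain NOT valid"; done
```

Only correct.pem passes: the reversed bundle fails because a CA cert sits where the server cert must be, and the lone leaf fails because its issuer is neither in the bundle nor in the trust store, which is the "Path does not chain with any of the trust anchors" situation.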
