I've deployed a 3-node Elasticsearch 5.0 cluster with the X-Pack 5.0 plugin.
I've created 3 client-server SSL certificates signed by the same CA and added these lines to the elasticsearch.yml file:
- xpack.ssl.key: /etc/elasticsearch/x-pack/cert.key
- xpack.ssl.certificate: /etc/elasticsearch/x-pack/cert.crt
- xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
- xpack.security.transport.ssl.enabled: true
When I start Elasticsearch, I get the following error:
Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkClientTrusted(SSLService.java:539) ~[?:?]
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1898) ~[?:?]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1120) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1005) ~[?:?]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) ~[?:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
... 15 more
Elasticsearch says my certificate is not a client-server certificate, but openssl confirms that it is a client-server certificate:
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
68:84:43:13:0E:E0:C9:81:AF:BE:B8:7F:88:32:FF:00:1C:F2:3A:D4
X509v3 Authority Key Identifier:
keyid:35:3B:F2:AB:63:5D:B3:8D:22:ED:CA:AB:E1:19:B4:C0:8C:46:DE:FE
Can you help me?
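The trace above fails in `EndEntityChecker.checkTLSClient`, i.e. while the receiving node validates the certificate the connecting node presented as a TLS client, so the node certificate must carry `clientAuth` (or `anyExtendedKeyUsage`) in its Extended Key Usage, or have no EKU extension at all. The script below is an added example, not code from the post or from Elastic: it pulls the EKU extension out of every certificate in a PEM file with a small stdlib-only DER walker and applies the same EKU rule as the JDK check. It reports every certificate in the file, which `openssl x509 -text` does not (it prints only the first one), so a second, unintended certificate in the same file shows up. The `build_sample_certificate` fixture is a constructed DER skeleton carrying only the fields the checker reads; it is not a valid X.509 certificate and exists so the block runs offline.

```python
import base64
import re

# OIDs behind the JDK's sun.security.validator.EndEntityChecker TLS-client EKU check
EKU_EXTENSION_OID = "2.5.29.37"
ANY_EKU = "2.5.29.37.0"
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_NAMES = {ANY_EKU: "anyExtendedKeyUsage", SERVER_AUTH: "serverAuth", CLIENT_AUTH: "clientAuth"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Content octets of an OBJECT IDENTIFIER -> dotted notation."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def extended_key_usage(der):
    """EKU OIDs of a DER certificate, or None when the extension is absent."""
    _, certificate, _ = read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = read_tlv(certificate, 0)
    pos = 0
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag != 0xA3:                        # extensions are the [3] EXPLICIT TBS field
            continue
        _, extensions, _ = read_tlv(body, 0)
        p = 0
        while p < len(extensions):
            _, ext, p = read_tlv(extensions, p)
            _, oid_body, q = read_tlv(ext, 0)
            tag, value, q = read_tlv(ext, q)
            if tag == 0x01:                    # optional "critical" BOOLEAN before the value
                _, value, q = read_tlv(ext, q)
            if decode_oid(oid_body) == EKU_EXTENSION_OID:
                _, seq, _ = read_tlv(value, 0) # OCTET STRING wrapping SEQUENCE OF OID
                oids, r = [], 0
                while r < len(seq):
                    _, oid, r = read_tlv(seq, r)
                    oids.append(decode_oid(oid))
                return oids
    return None

def permits_tls_client_auth(ekus):
    """Rule EndEntityChecker.checkTLSClient applies to the EKU extension: absent means
    unrestricted; present means clientAuth or anyExtendedKeyUsage must be listed."""
    return ekus is None or CLIENT_AUTH in ekus or ANY_EKU in ekus

def pem_certificates(text):
    """Every DER certificate in a PEM file (openssl x509 -text shows only the first one)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def report(pem_text):
    """One (index, EKU names or None, client-auth permitted) row per certificate."""
    rows = []
    for i, der in enumerate(pem_certificates(pem_text)):
        ekus = extended_key_usage(der)
        names = None if ekus is None else [EKU_NAMES.get(o, o) for o in ekus]
        rows.append((i, names, permits_tls_client_auth(ekus)))
    return rows

# --- constructed fixture so the checker runs offline; it is NOT a valid X.509 certificate ---
def tlv(tag, body):
    """DER-encode one short-form (< 128 byte) tag-length-value; enough for the fixture."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 arcs, high bit set on all but the last)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_certificate(ekus=None):
    """Constructed DER skeleton with only the fields extended_key_usage() reads:
    [0] version, serial number and, when ekus is given, an EKU extension."""
    fields = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
    if ekus is not None:
        value = tlv(0x04, tlv(0x30, b"".join(encode_oid(o) for o in ekus)))
        fields += tlv(0xA3, tlv(0x30, tlv(0x30, encode_oid(EKU_EXTENSION_OID) + value)))
    return tlv(0x30, tlv(0x30, fields) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(der):
    """Wrap DER as a PEM CERTIFICATE block (64-column base64), as a file on disk would be."""
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))
```

On a real node, `report(open("/etc/elasticsearch/x-pack/cert.crt").read())` returns one row per certificate in that file; a row whose third field is `False` is exactly the certificate the JDK rejects with the message in the trace, and the row index tells you whether it is the certificate openssl showed or a later one in the same file. The fixture run, `report(to_pem(build_sample_certificate([SERVER_AUTH, CLIENT_AUTH])) + to_pem(build_sample_certificate([SERVER_AUTH])))`, yields a permitted first certificate and a rejected second one.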