SSL between elasticsearch nodes fails

I've deployed a 3-node Elasticsearch 5.0 cluster with the x-pack 5.0 plugin.

I've created 3 client-server SSL certificates signed by the same CA and added these lines to the elasticsearch.yml file:

  • xpack.ssl.key: /etc/elasticsearch/x-pack/cert.key
  • xpack.ssl.certificate: /etc/elasticsearch/x-pack/cert.crt
  • xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
  • xpack.security.transport.ssl.enabled: true

When I start Elasticsearch, I get the following error:

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
	at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkClientTrusted(SSLService.java:539) ~[?:?]
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1898) ~[?:?]
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1120) ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1005) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
	... 15 more

Elasticsearch says my certificate is not a client-server certificate, but openssl confirms it is a client-server certificate:
X509v3 extensions:
    X509v3 Key Usage: critical
        Digital Signature, Key Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        68:84:43:13:0E:E0:C9:81:AF:BE:B8:7F:88:32:FF:00:1C:F2:3A:D4
    X509v3 Authority Key Identifier:
        keyid:35:3B:F2:AB:63:5D:B3:8D:22:ED:CA:AB:E1:19:B4:C0:8C:46:DE:FE

Can you help me?

Problem solved :slight_smile:

One node's certificate was just a server certificate. I replaced it and the cluster started normally.

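To catch this mismatch before a node is started, the check below reads the Extended Key Usage section of `openssl x509 -in cert.crt -noout -text` output for each node certificate and reports which of the two purposes is missing; a certificate with no EKU extension at all is reported as fine, since Java's EndEntityChecker only enforces purposes that are listed. This is an added example, not code from the thread or from Elasticsearch, and the two certificate texts are constructed samples: node-1 mirrors the poster's dual-purpose certificate, node-2 a server-only one like the node that broke the cluster.

```python
# Every Elasticsearch node dials its peers (TLS client) and accepts their
# connections (TLS server), so a transport certificate must allow both
# purposes whenever it carries an Extended Key Usage extension at all.
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}


def _indent(s):
    return len(s) - len(s.lstrip())


def parse_eku(openssl_text):
    """EKU purposes from `openssl x509 -noout -text` output, or None when the
    certificate has no EKU extension (RFC 5280: absent EKU = no restriction)."""
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("X509v3 Extended Key Usage"):
            purposes = set()
            # Values follow on lines indented deeper than the extension header.
            for value in lines[i + 1:]:
                if not value.strip() or _indent(value) <= _indent(line):
                    break
                purposes.update(p.strip() for p in value.split(","))
            return purposes
    return None


def missing_transport_usages(openssl_text):
    """Required purposes this certificate lacks; an empty set means the EKU
    check in Java's EndEntityChecker accepts it as both client and server."""
    eku = parse_eku(openssl_text)
    return set() if eku is None else REQUIRED_EKU - eku


# Constructed samples in openssl's layout (not the poster's real certificates).
NODE_CERTS = {
    "node-1": "        X509v3 extensions:\n"
              "            X509v3 Key Usage: critical\n"
              "                Digital Signature, Key Encipherment\n"
              "            X509v3 Extended Key Usage: \n"
              "                TLS Web Server Authentication, TLS Web Client Authentication\n"
              "            X509v3 Basic Constraints: critical\n"
              "                CA:FALSE\n",
    "node-2": "        X509v3 extensions:\n"
              "            X509v3 Extended Key Usage: \n"
              "                TLS Web Server Authentication\n"
              "    Signature Algorithm: sha256WithRSAEncryption\n",
}


def check_node_certs(certs=NODE_CERTS):
    """Map each node to the purposes its certificate is missing."""
    return {node: missing_transport_usages(text) for node, text in certs.items()}
```

Feed it the real `openssl x509 -noout -text` output of each node's cert.crt in place of the samples; any node whose result is non-empty will fail the handshake shown above.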

Glad you were able to figure it out! Thanks for posting your solution.

CJ
