SSL between elasticsearch nodes fails


#1

I've deployed a 3 nodes elasticsearch 5.0 cluster and the x-pack 5.0 plugin.

I've created 3 client-server SSL certificates with the same CA and added these lines to the elasticsearch.yml file:

    xpack.ssl.key: /etc/elasticsearch/x-pack/cert.key
    xpack.ssl.certificate: /etc/elasticsearch/x-pack/cert.crt
    xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
    xpack.security.transport.ssl.enabled: true

When I start Elasticsearch, I have the following error:

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
	at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkClientTrusted(SSLService.java:539) ~[?:?]
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1898) ~[?:?]
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1120) ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1005) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
	... 15 more

Elasticsearch says my certificate is not a client-server certificate, but openssl confirms it is a client-server certificate:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
            TLS Web Server Authentication, TLS Web Client Authentication
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            68:84:43:13:0E:E0:C9:81:AF:BE:B8:7F:88:32:FF:00:1C:F2:3A:D4
        X509v3 Authority Key Identifier:
            keyid:35:3B:F2:AB:63:5D:B3:8D:22:ED:CA:AB:E1:19:B4:C0:8C:46:DE:FE

Can you help me?


#2

Problem solved :slight_smile:

One node's certificate was just a server certificate. I replaced it and the cluster started normally.
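
The root cause in this thread is a node certificate that carries only the serverAuth Extended Key Usage, which is rejected as soon as that node connects to a peer as a TLS client. The script below is an added example, not code from the thread or from Elastic: it uses `openssl x509 -purpose` to check every node certificate for both roles before the cluster is started, and builds its own constructed self-signed test certificates (the `make_test_cert` helper and the `node1`/`node2` names are assumptions for the demonstration).

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of the node
# certificates referenced by xpack.ssl.* before starting the cluster.
# Each node is both a TLS server (accepting transport connections) and
# a TLS client (connecting to peers), so its certificate needs BOTH the
# serverAuth and clientAuth EKU. "openssl x509 -purpose" applies KU/EKU
# rules close to the JDK EndEntityChecker seen in the trace above; a
# certificate with no EKU extension passes both (absence = any purpose).
set -eu

# Return 0 if PEM certificate $1 is usable as TLS server AND TLS client;
# report the missing role and return 1 otherwise.
check_node_cert_eku() {
  cert="$1"
  purposes=$(openssl x509 -in "$cert" -noout -purpose)
  ok=0
  if ! printf '%s\n' "$purposes" | grep -q '^SSL server : Yes'; then
    echo "$cert: not valid for TLS server authentication"; ok=1
  fi
  if ! printf '%s\n' "$purposes" | grep -q '^SSL client : Yes'; then
    echo "$cert: not valid for TLS client authentication (error in #1)"; ok=1
  fi
  return $ok
}
# Check every certificate given as an argument; return 1 if any fails.
check_all_node_certs() {
  status=0
  for c in "$@"; do check_node_cert_eku "$c" || status=1; done
  return $status
}
# Constructed fixture: self-signed $2.crt in directory $1 with the EKU
# list from $3 (e.g. "serverAuth, clientAuth"), extensions as in #1.
make_test_cert() {
  dir="$1"; name="$2"; eku="$3"
  cat >"$dir/$name.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $name
[ext]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
basicConstraints = critical, CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -config "$dir/$name.cnf" -extensions ext \
    -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}
```

Run it as `check_all_node_certs /etc/elasticsearch/x-pack/cert.crt` on each node; a certificate like the one in #2 prints the "TLS client authentication" line and the function returns 1.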


(CJ Cenizal) #3

Glad you were able to figure it out! Thanks for posting your solution.

CJ


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.