SSL between elasticsearch nodes fails

gmachado · November 24, 2016, 9:36am

I've deployed a 3 nodes elasticsearch 5.0 cluster and the x-pack 5.0 plugin.

I've created 3 ssl certificates client-server with the same CA and added this lines elasticsearch.yml file :

xpack.ssl.key: /etc/elasticsearch/x-pack/cert.key
xpack.ssl.certificate: /etc/elasticsearch/x-pack/cert.crt
xpack.ssl.certificate_authorities: [ "/etc/elasticsearch/x-pack/ca.crt" ]
xpack.security.transport.ssl.enabled: true

When i start elasticsearch, i have the following error :

Caused by: sun.security.validator.ValidatorException: Extended key usage does not permit use for TLS client authentication
	at sun.security.validator.EndEntityChecker.checkTLSClient(EndEntityChecker.java:233) ~[?:?]
	at sun.security.validator.EndEntityChecker.check(EndEntityChecker.java:143) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[?:?]
	at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkClientTrusted(SSLService.java:539) ~[?:?]
	at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1898) ~[?:?]
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:232) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[?:?]
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[?:?]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_112]
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1120) ~[?:?]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1005) ~[?:?]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:900) ~[?:?]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[?:?]
	... 15 more

elasticsearch says my certificate is not a client-server certificate, but openssl confirms it is a client-server certificate :
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
68:84:43:13:0E:E0:C9:81:AF:BE:B8:7F:88:32:FF:00:1C:F2:3A:D4
X509v3 Authority Key Identifier:
keyid:35:3B:F2:AB:63:5D:B3:8D:22:ED:CA:AB:E1:19:B4:C0:8C:46:DE:FE

Can you help me ?

gmachado · November 24, 2016, 10:45am

Problem solved

One certificate node was just a server certificate. I replaced it and the cluster started normally.

cjcenizal · December 2, 2016, 12:03am

Glad you were able to figure it out! Thanks for posting your solution.

CJ

system · December 30, 2016, 12:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SSL between elastic nodes is failing Elasticsearch	4	12545	August 3, 2017
ElasticSearch with SSL? Elasticsearch elastic-stack-security	12	21818	November 28, 2019
Elasticsearch failed start when enable x-pack security Elasticsearch elastic-stack-security	13	2435	April 29, 2022
Elasticsearch SSL Certificate Invalid Elasticsearch elastic-stack-security	1	1203	September 8, 2020
Settings SSL/TLS with xpack Elasticsearch	6	866	May 10, 2018

SSL between elasticsearch nodes fails

Related topics