SSL Communication Client and Cluster Error


(Aj Vignesh) #1

I have a cluster with 2 nodes, one master and one data.
Elastic with X-Pack has been installed.
LDAP authentication is set up.
Internode communication has been encrypted, which is again successful.

Successful:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12

Unsuccessful: [SSL configuration between HTTP client [browser] and cluster]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/bin/x-pack/elastic-certificates.p12

On restarting both the nodes, I don’t see any error --- but when I try https://XX.XX.XXX.XXX:9200 I get the below screen.


(Yogesh Gaikwad) #2

Hi Aj Vignesh,

I assume you are using certificates generated using the certutil script. By default, these are self-signed, auto-generated CA certificates. This is the reason for the error in the browser. By default, browsers do not trust these.

In production environments, you would use a certificate which is signed by a publicly trusted CA like Symantec, Verisign, Thawte, etc., or you could install the CA certificate that you trust in the browser.
certutil allows you to generate a CSR (certificate signing request), and then you can get the signed certificate from the above-mentioned trusted CAs.

Refer for more info:

~
Yogesh


(Abisheik) #3

Thanks. After setting up the below configuration:

Note: The trusted CA was generated as a base64-encoded .cer file and I converted it to crt format.

xpack.ssl.key: /usr/share/elasticsearch/bin/x-pack/certificate.demo.key
xpack.ssl.certificate: /usr/share/elasticsearch/bin/x-pack/certificate.crt
xpack.ssl.certificate_authorities: [ "/usr/share/elasticsearch/bin/x-pack/certificateca.crt" ]

xpack.security.http.ssl.enabled: true

and then restarting the node, I get the below issue:

[2018-02-21T06:48:57,126][ERROR][o.e.b.Bootstrap ] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.XPackPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:452) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:392) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:142) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.<init>(Node.java:302) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.node.Node.<init>(Node.java:245) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:322) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:112) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-6.1.1.jar:6.1.1]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-6.1.1.jar:6.1.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:85) [elasticsearch-6.1.1.jar:6.1.1]
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_121]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:443) ~[elasticsearch-6.1.1.jar:6.1.1]
... 14 more


(Yogesh Gaikwad) #4

Hi Aby,

I hope your installation of x-pack was successful.
Could you please post your output for <ES-Home>/bin/elasticsearch-plugin list -v?
Also please check if you see any root cause exception in your exception stack trace and share that.

~
Yogesh


(Tim Vernum) #5

Is there any more to this error message?
It looks like a misconfiguration in your X-Pack settings, but the key part of the error message is missing.


(Abisheik) #6

Hi Yogesh - yes the X-pack installation is successful.

There was an issue with the trusted certificate generated and the format.

After the successful generation of the right certificate and configuration, the issue is resolved.


(Abisheik) #7

Hi Tim - yes the X-pack installation is successful.

There was an issue with the trusted certificate generated and the format.

After the successful generation of the right certificate and configuration.

Moreover, the certificate was generated for the hostname and I was using the IP address; the issue is resolved now. Thanks.


(system) #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.