SSL - "no cipher suites in common"

security

(Cam Hart) #1

I'm relatively new to setting up SSL. I have my jks keystore file (generated using letsencrypt--see below).

sudo su
yum install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory certonly -d my.domain.name -v --debug
cd /etc/elasticsearch/shield
keytool -importcert -keystore myTest.jks -file /etc/letsencrypt/live/my.domain.name/fullchain.pem -alias myTest

Then I set up SSL in my elasticsearch.yml file like so:

...
network.host: my.domain.name
shield.ssl.keystore.path: path/to/myTest.jks
shield.ssl.keystore.password: superCoolPassword
shield.ssl.keystore.key_password: superCoolPassword
shield.transport.ssl: true
shield.http.ssl: true
shield.ssl.ciphers: ["TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"]

Note: I should mention, in order to get elasticsearch to bind, I've set my hosts file to direct from my.domain.name to my IP address.

My log:

[2016-04-18 15:26:44,421][WARN ][shield.transport.netty ] [hybrid-0] Caught exception while handling client http traffic, closing connection [id: 0xfbe6e53b, /69.199.209.6:4367 => /172.31.39.221:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
    at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
    at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
    at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
    at org.jboss.netty.handler.ipfilter.IpFilteringHandlerImpl.handleUpstream(IpFilteringHandlerImpl.java:154)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
    at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268)
    at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255)
    at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
    at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
    at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
    at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
    at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
    at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
    at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1035)
    at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
    at org.jboss.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1392)
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1255)
    ... 21 more


(Jay Modi) #2

I am not familiar with Let's Encrypt, but my first guess would be that you are missing a key in your keystore, since it looks like you only imported a certificate. If you do a keytool -list -keystore myTest.jks, do you have a PrivateKeyEntry?


(Cam Hart) #3

You are exactly right--my private key was missing. And here are the steps I found to fix it. If you have better ones please feel free to provide.
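Added example, not from either poster: a script that automates the check from post #2 (does `keytool -list` show a PrivateKeyEntry, or only the trustedCertEntry that `keytool -importcert` of fullchain.pem leaves behind?) and shows the standard openssl/keytool way to get the Let's Encrypt private key into the JKS. The listings are constructed samples; the paths, alias and password are the ones from the thread, and the fix is the usual PKCS#12 route, not the steps the poster found.

```shell
#!/bin/sh
# Why the handshake fails: every TLS_RSA_* suite in shield.ssl.ciphers needs the
# server to hold an RSA private key. A keystore with only a trustedCertEntry has
# none, so the JDK server can select no suite -> "no cipher suites in common".

# Return 0 if a `keytool -list` listing (read from stdin) contains at least one
# entry carrying a private key. Old JDKs print "keyEntry" instead of "PrivateKeyEntry".
has_private_key_entry() {
    grep -Eq ',[[:space:]]*(PrivateKeyEntry|keyEntry),'
}

# Run the check against a real keystore: $1 = keystore path, $2 = store password.
check_keystore() {
    keytool -list -keystore "$1" -storepass "$2" | has_private_key_entry
}

# Constructed sample: what the cert-only keystore from post #1 lists as.
CERT_ONLY_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myTest, Apr 18, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# Constructed sample: a keystore that holds the certificate together with its key.
WITH_KEY_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

myTest, Apr 18, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# keytool cannot import a bare PEM private key, so bundle privkey.pem + fullchain.pem
# into a PKCS#12 file first and import that as a keystore (assumed standard flow).
build_keystore_with_key() {
    live=/etc/letsencrypt/live/my.domain.name
    openssl pkcs12 -export -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name myTest -out myTest.p12 -passout pass:superCoolPassword
    keytool -importkeystore -srckeystore myTest.p12 -srcstoretype PKCS12 \
        -srcstorepass superCoolPassword -srcalias myTest \
        -destkeystore myTest.jks -deststorepass superCoolPassword \
        -destalias myTest -destkeypass superCoolPassword
}

if printf '%s\n' "$CERT_ONLY_LISTING" | has_private_key_entry; then
    echo "cert-only keystore wrongly reported a key"; exit 1
fi
printf '%s\n' "$WITH_KEY_LISTING" | has_private_key_entry && echo "PrivateKeyEntry present"
```

To check a live keystore, call check_keystore myTest.jks superCoolPassword; a non-zero exit means the store has no key entry and the handshake will keep failing regardless of the cipher list.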

