SSL password not working

I had an Elasticsearch instance on my Linux server. I didn't set up any cluster or node in the elasticsearch.yml file. I had set up SSL for the server and set up a username and password for authentication. It was all working fine.

Then I tried to make this node part of another ES cluster for some testing purpose. I added the cluster and node and just commented the SSL properties to easily connect with the cluster. After my testing, I commented out all the extra fields I added in elasticsearch.yml and uncommented the SSL configurations. But now any ES request to that server is throwing a security exception:

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "unable to authenticate user [elastic] for REST request [/_cat/shards?h=index,shard,prirep,state,unassigned.reason]",
                "header": {
                    "WWW-Authenticate": [
                        "Bearer realm=\"security\"",
                        "ApiKey",
                        "Basic realm=\"security\" charset=\"UTF-8\""
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "unable to authenticate user [elastic] for REST request [/_cat/shards?h=index,shard,prirep,state,unassigned.reason]",
        "header": {
            "WWW-Authenticate": [
                "Bearer realm=\"security\"",
                "ApiKey",
                "Basic realm=\"security\" charset=\"UTF-8\""
            ]
        }
    },
    "status": 401
}

I'm using the same username and password we were using before.

I tried to change the password using the command

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

Then the result is

[main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [10.130.152.{IP}]; the server provided a certificate with subject name [CN=*********] and fingerprint [****************************************]; the certificate has subject alternative names [DNS:***********.unix.gsm1900.org]; the certificate is issued by [CN=Elastic Certificate Tool Autogenerated CA] but the server did not provide a copy of the issuing certificate in the certificate chain; the issuing certificate with fingerprint [****************************************] is trusted in this ssl context ([xpack.security.http.ssl])
java.security.cert.CertificateException: No subject alternative names matching IP address 10.130.152.{IP} found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165) ~[?:?]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:238) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:90) [elasticsearch-ssl-config-7.10.1.jar:7.10.1]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) [?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) [?:?]
        at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) [?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) [?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) [?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) [?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:199) [?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) [?:?]
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1488) [?:?]
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1394) [?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441) [?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412) [?:?]
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567) [?:?]
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183) [?:?]
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142) [?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.lambda$doPrivileged$0(SocketAccess.java:42) [x-pack-core-7.10.1.jar:7.10.1]
        at java.security.AccessController.doPrivileged(AccessController.java:554) [?:?]
        at org.elasticsearch.xpack.core.common.socket.SocketAccess.doPrivileged(SocketAccess.java:41) [x-pack-core-7.10.1.jar:7.10.1]
        at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.execute(CommandLineHttpClient.java:109) [x-pack-security-7.10.1.jar:7.10.1]
        at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:307) [x-pack-security-7.10.1.jar:7.10.1]
        at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$InteractiveSetup.execute(SetupPasswordTool.java:184) [x-pack-security-7.10.1.jar:7.10.1]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.10.1.jar:7.10.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.10.1.jar:7.10.1]
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:91) [elasticsearch-cli-7.10.1.jar:7.10.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) [elasticsearch-cli-7.10.1.jar:7.10.1]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.10.1.jar:7.10.1]
        at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:116) [x-pack-security-7.10.1.jar:7.10.1]

SSL connection to https://10.130.152.{IP}:9200/_security/_authenticate?pretty failed: No subject alternative names matching IP address 10.130.152.{IP} found
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://10.130.152.{IP}:9200/_security/_authenticate?pretty

I also tried this command
curl -u elastic 'https://{address}:9200/_xpack/security/_authenticate?pretty'

and got:

More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
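
The name check that fails in the `DiagnosticTrustManager` output above, reproduced as an added example that is not part of the original post: it parses a warning of that shape and tests whether the address the client connected to is covered by the certificate's subject alternative names. The sample line is constructed (placeholder address and host names), the `IP:` label for address entries is an assumption, and the wildcard rule is a conservative one chosen for this example.

```python
import ipaddress
import re

# Constructed sample shaped like the warning above; all values are placeholders.
SAMPLE = ("failed to establish trust with server at [192.0.2.10]; the server "
          "provided a certificate with subject name [CN=es-node] and fingerprint "
          "[00]; the certificate has subject alternative names "
          "[DNS:es-node.example.internal]; the certificate is issued by [CN=Example CA]")

def parse_warning(line):
    """Return (address the client connected to, list of SAN entries)."""
    addr = re.search(r"server at \[([^\]]+)\]", line)
    sans = re.search(r"subject alternative names \[([^\]]*)\]", line)
    if not addr:
        raise ValueError("not a trust-failure warning of the expected shape")
    entries = sans.group(1).split(",") if sans else []
    return addr.group(1), [e.strip() for e in entries if e.strip()]

def dns_match(pattern, host):
    """Case-insensitive; '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def san_covers(target, sans):
    """True if target (IP literal or host name) is covered by the SAN entries."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for entry in sans:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP":
            # An IP literal is compared only with IP-type entries, never DNS ones.
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and dns_match(value, target):
            return True
    return False

if __name__ == "__main__":
    address, names = parse_warning(SAMPLE)
    print(address, names, san_covers(address, names))
```

A `False` result for the address in the URL means the TLS handshake is rejected before any credentials are sent, so that failure says nothing about whether the password is correct.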
