TLS/SSL enabled cluster, SSL is working, TLS not working with password-protected p12 cert

security

(Rijin) #1

Hi All ,

My ES cluster has 3 master and 2 data nodes.
In my Elasticsearch and Kibana conf,
when I am using the SSL conf only, it's working.
I can connect from Kibana to the ES data node with url http://ip:9200
In the same conf, if I am enabling TLS, it's not working .... error logs showing.
My p12 certificates are protected with passwords. Given by my company.
CA in pem format.

ES Conf:

xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/certs/xyz_Internal_Issuing_CA_2_G2.pem","/etc/elasticsearch/certs/xyz_Internal_Root_CA_G2.pem"]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/nodename.p12
xpack.security.transport.ssl.keystore.password: sffsdfsdg
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/nodename.p12
xpack.security.http.ssl.keystore.password: sffsdfsdg

Kibana: Conf

server.ssl.enabled: true
elasticsearch.ssl.verificationMode: certificate
server.ssl.certificate: /etc/kibana/certs/79f2ef47dc8494d53bc13f5a285b5f60.crt
server.ssl.key: /etc/kibana/certs/79f2ef47dc8494d53bc13f5a285b5f60.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/xyz_Internal_Issuing_CA_2_G2.pem","/etc/kibana/certs/xyz_Internal_Root_CA_G2.pem"]

ES Log:

[2018-11-23T03:06:52,891][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [gbriceedts01.corp.internal] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.142.1.110:35870}
[2018-11-23T03:06:53,300][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [gbriceedts01.corp.internal] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.142.1.109:47844}
[2018-11-23T03:06:53,306][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [gbriceedts01.corp.internal] client did not trust this server's certificate, closing connection NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/10.142.1.111:40458}
[2018-11-23T03:06:53,517][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [gbriceedts01.corp.internal] exception caught on transport layer [NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:41906, remoteAddress=/10.142.1.111:9300}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)


(Magnus Kessler) #2

Typically P12 formatted certificates contain the entire certificate chain, and no ssl.certificate_authorities configuration is needed. Please ensure that all intermediate certificates are contained in the certificate file.

To check, run:

openssl s_client -connect elasticsearch-host-or-ip:9200

If the P12 files already contain the root CA you can replace the ssl.certificate_authorities setting with a ssl.truststore.path setting.


(Rijin) #3

Hi @Magnus_Kessler ,

Thanks for your reply.

The output is shown below. Is there any wrong info?

Some information is edited due to privacy and security.

? CONNECTED(00000003)
depth=0 C = UK, ST = Surrey, L = sdssds, O = Company name, OU = ICE, CN = nodename
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = UK, ST = Surrey, L = Weybridge, O = Companyname , OU = ICE, CN = node.name
verify error:num=21:unable to verify the first certificate
verify return:1


/Certificate chain
0 s:/C=UK/ST=Surrey/L=Wioijojojj/O=companyname /OU=ICE/CN=nodename
i:/C=UK/ST=Surrey/L=eeeeee/O=yyyyyyyy/OU=PKI/CN=WBA Internal Issuing CA 2 G2


/Server certificate
-----BEGIN CERTIFICATE-----
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-----END CERTIFICATE-----
subject=/C=UK/ST=Surrey/L=yy/O=yyy
Alliance/OU=ICE/CN=nodename
issuer=/C=UK/ST=Surrey/L=hkjkje/O=cpmpanyname
/OU=PKI/CN=WBA Internal Issuing CA 2 G2


/No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits


/SSL handshake has read 2285 bytes and written 471 bytes


New, TLSv1/SSLv3, Cipher is ECfgggjkk
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : hhhhhhhhh
Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Session-ID-ctx:
Master-Key: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1542985677
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)


(Magnus Kessler) #4

Thanks for running that test. So it appears that your Elasticsearch instance successfully starts up a SSL/TLS connection.

To help me understand the issue better, could you please post the configuration changes you are making to enable TLS? Are you talking about this setting?

xpack.ssl.supported_protocols: TLSv1.2

Or is this related to having the java client use TLS when connecting to the server? If it is the latter, you need to configure the client with the certificate authority, too. See the documentation for more details.


(Rijin) #5

Not enabled this: xpack.ssl.supported_protocols: TLSv1.2

If I am enabling only this:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certs/gbricemtrs01.corp.internal.p12
xpack.security.http.ssl.keystore.password: d5520a5d81b7f669

Then I can connect from kibana by http:elastic-ip:9200

If I am enabling:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/nodename.p12
xpack.security.transport.ssl.keystore.password: sffsdfsdg

Then Kibana can't connect: tried https://elastic-ip:9200


(Magnus Kessler) #6

Please try the following setting and restart the Elasticsearch nodes. It turns TLS verification off at the transport layer. I'd like to check if your issue is related to cluster nodes not being able to talk to each other internally.

xpack.security.transport.ssl.verification_mode: none


(Tim Vernum) #7

Can you explain what you mean here? For all practical purposes within Elasticsearch SSL and TLS are the same thing. They just refer to different versions of the protocol (SSL is the name of older versions, and TLS is the name of the newer versions), but I don't think that is what you mean here.

Based on your later responses I think you might perhaps be referring to the difference in enabling SSL/TLS for Elasticsearch's transport and http ports?
That's definitely not a SSL and TLS thing, that's http and transport.
The "transport" in the Elasticsearch configuration refers to Elasticsearch's internal network protocol, it has nothing to do with the "transport" in TLS.

Are those the IP addresses of the nodes in your cluster, or something outside of your cluster?
The solution will vary greatly depending on whether you're having an issue with communication between nodes, or from transport client.

This is unfortunately not true.
Most corporate and commercially provided PKCS#12 files will only contain key entries, and not trust chain entries.
If the P12 was provided by your company, then there's a reasonable chance that the certificate_authorities setting is required.

There's almost certainly more to this error message. Can you provide the rest of it - the important part comes after this (I suspect it's going to be PKIX path building failed: ....)

I don't think this is actually an accurate description of what's going on.
When you enable SSL/TLS for the http port, everything is working.
When you enable SSL/TLS for the transport port, you are actually breaking your cluster (because the nodes cannot communicate with one another) and so Kibana doesn't work because the cluster is broken, not because it cannot connect.

Do you have actual evidence that it cannot connect, or only that it is showing an error?

Please, please, please provide actual copy-and-paste of error messages and log files, and don't just guess about what's going on. The types of posts that are most likely to get you answers quickly, are ones that follow a model something like:

When I have this configuration [ .... ] then everything works. But when I try this configuration [ .... ] then I get this error message [ .... ] in Kibana, and my kibana logs say this [ .... ] and my elasticsearch logs say this [ ... ]
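
The point made in post #7 (a company-issued P12 often holds only the key entry, so the CA PEMs have to be configured as trust) can be checked with openssl before editing elasticsearch.yml. The script below is an added example, not code from the thread or from Elastic: it builds a throwaway root -> issuing -> node PKI, and the function names, file names, subjects and password are all constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Every name, subject and the password are
# constructed; the PKI is throwaway and lives in a temp directory.
set -eu

# Print the number of CA certificates stored in a PKCS#12 file
# (0 = key entry only). The password is read from $P12_PASS so it does not
# show up in the process list. Returns 2 if the file cannot be opened.
p12_ca_count() {
    local pem
    pem=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -cacerts 2>/dev/null) || return 2
    printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true
}

# Exit 0 if the node certificate inside P12 file $1 chains to CA bundle $2,
# 1 if path building fails, 2 if the P12 cannot be opened.
p12_chains_to() {
    local leaf rc=0
    leaf=$(mktemp)
    if ! openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
            -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"
        return 2
    fi
    openssl verify -CAfile "$2" "$leaf" >/dev/null 2>&1 || rc=1
    rm -f "$leaf"
    return "$rc"
}

# Build root -> issuing -> node in directory $1, then two P12 files for the
# node: one with only the key entry, one that also carries both CA certs.
build_demo_pki() {
    local d=$1 n
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    for n in root issuing node; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=demo-$n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -days 2 -out "$d/root.pem" 2>/dev/null
    openssl x509 -req -in "$d/issuing.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/issuing.pem" 2>/dev/null
    openssl x509 -req -in "$d/node.csr" -CA "$d/issuing.pem" -CAkey "$d/issuing.key" \
        -CAcreateserial -days 2 -out "$d/node.pem" 2>/dev/null
    cat "$d/issuing.pem" "$d/root.pem" > "$d/ca_bundle.pem"
    openssl pkcs12 -export -inkey "$d/node.key" -in "$d/node.pem" -name node \
        -passout env:P12_PASS -out "$d/key_only.p12"
    openssl pkcs12 -export -inkey "$d/node.key" -in "$d/node.pem" -name node \
        -certfile "$d/ca_bundle.pem" -passout env:P12_PASS -out "$d/with_chain.p12"
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
export P12_PASS='constructed-demo-password'
build_demo_pki "$DEMO_DIR"

echo "key_only.p12 CA entries:   $(p12_ca_count "$DEMO_DIR/key_only.p12")"
echo "with_chain.p12 CA entries: $(p12_ca_count "$DEMO_DIR/with_chain.p12")"

# A peer that trusts only the root cannot build a path to a node certificate
# issued by the intermediate when the node presents no chain.
p12_chains_to "$DEMO_DIR/key_only.p12" "$DEMO_DIR/root.pem" \
    && echo "trust = root only:      path OK" \
    || echo "trust = root only:      path building fails"
p12_chains_to "$DEMO_DIR/key_only.p12" "$DEMO_DIR/ca_bundle.pem" \
    && echo "trust = issuing + root: path OK" \
    || echo "trust = issuing + root: path building fails"
```

Against a real node, export P12_PASS and run p12_ca_count on the company-issued .p12; a result of 0 means trust has to come from the certificate_authorities list (or a truststore), and p12_chains_to shows whether the listed PEM files cover every CA between the node certificate and the root.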


(Rijin) #8

Hi ,

When I checked my .p12 certificate, the certificate authority is blank. Does this cause any issue?


(Rijin) #9

My Kibana Conf:

server.ssl.enabled: true
elasticsearch.ssl.verificationMode: certificate
server.ssl.certificate: /etc/kibana/certs/xxxxxx.crt
server.ssl.key: /etc/kibana/certs/xxxxx.key
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/CA1.pem","/etc/kibana/certs/CA2.pem"]

When I changed elasticsearch.ssl.verificationMode: certificate to none,

it's working.

When using certificate ... can't connect.


(Tim Vernum) #10

There are a bunch of questions in my previous post that you haven't answered.
If you still need help with this, then you're going to need to provide the information we've asked for.


(Rijin) #11

Kibana Log:

[07:12:50.416] [info][status][plugin:kibana@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.458] [info][status][plugin:elasticsearch@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.462] [info][status][plugin:xpack_main@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.466] [info][status][plugin:searchprofiler@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.470] [info][status][plugin:ml@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.514] [info][status][plugin:tilemap@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.515] [info][status][plugin:watcher@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.530] [info][status][plugin:license_management@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.532] [info][status][plugin:index_management@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.663] [info][status][plugin:timelion@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.665] [info][status][plugin:graph@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.674] [info][status][plugin:monitoring@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.677] [warning][security] Generating a random key for xpack.security.encryptionKey. To prevent sessions from being invalidated on restart, please set xpack.security.encryptionKey in kibana.yml
log [07:12:50.695] [info][status][plugin:security@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.716] [info][status][plugin:grokdebugger@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.721] [info][status][plugin:dashboard_mode@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.724] [info][status][plugin:logstash@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:50.740] [info][status][plugin:apm@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.746] [info][status][plugin:console@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.747] [info][status][plugin:console_extensions@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:50.750] [info][status][plugin:notifications@6.4.2] Status changed from uninitialized to green - Ready


(Rijin) #12

log [07:12:50.753] [info][status][plugin:metrics@6.4.2] Status changed from uninitialized to green - Ready
log [07:12:51.172] [warning][reporting] Generating a random key for xpack.reporting.encryptionKey. To prevent pending reports from failing on restart, please set xpack.reporting.encryptionKey in kibana.yml
log [07:12:51.174] [info][status][plugin:reporting@6.4.2] Status changed from uninitialized to yellow - Waiting for Elasticsearch
log [07:12:51.225] [info][listening][server][http] Server running at https:///es_nodename:5601
log [07:12:51.241] [error][admin][elasticsearch] Request error, retrying
HEAD https:///es_nodename:9200/ => unable to verify the first certificate
log [07:12:51.245] [error][admin][elasticsearch] Request error, retrying
HEAD https:///es_nodename:9200/ => unable to verify the first certificate
log [07:12:51.266] [warning][admin][elasticsearch] Unable to revive connection: https:///es_nodename:9200/
log [07:12:51.266] [warning][admin][elasticsearch] No living connections
log [07:12:51.269] [warning][admin][elasticsearch] Unable to revive connection: https:///es_nodename:9200/
log [07:12:51.270] [warning][admin][elasticsearch] No living connections
log [07:12:51.271] [error][status][plugin:xpack_main@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https://es_nodename:9200/.
log [07:12:51.271] [error][status][plugin:searchprofiler@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.272] [error][status][plugin:ml@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.272] [error][status][plugin:tilemap@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.273] [error][status][plugin:watcher@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.273] [error][status][plugin:index_management@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.274] [error][status][plugin:graph@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.274] [error][status][plugin:security@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodenamel:9200/.
log [07:12:51.275] [error][status][plugin:grokdebugger@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.275] [error][status][plugin:logstash@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.276] [error][status][plugin:reporting@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.276] [error][status][plugin:elasticsearch@6.4.2] Status changed from yellow to red - Unable to connect to Elasticsearch at https:///es_nodename:9200/.
log [07:12:51.301] [error][data][elasticsearch] Request error, retrying
GET https:///es_nodename:9200/_xpack => unable to verify the first certificate
log [07:12:51.321] [warning][data][elasticsearch] Unable to revive connection: https:///es_nodename:9200/
log [07:12:51.321] [warning][data][elasticsearch] No living connections
log [07:12:51.322] [warning][license][xpack] License information from the X-Pack plugin could not be obtained from Elasticsearch for the [data] cluster. Error: No Living connections
log [07:12:51.323] [error][status][plugin:xpack_main@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.323] [error][status][plugin:searchprofiler@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.324] [error][status][plugin:ml@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.324] [error][status][plugin:tilemap@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.325] [error][status][plugin:watcher@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.325] [error][status][plugin:index_management@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.326] [error][status][plugin:graph@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.326] [error][status][plugin:security@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.327] [error][status][plugin:grokdebugger@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.327] [error][status][plugin:logstash@6.4.2] Status changed from red to red - No Living connections
log [07:12:51.328] [error][status][plugin:reporting@6.4.2] Status changed from red to red - No Living connections
^C


(Rijin) #13

ES Log:

No changes happening ... remains same

  • Stopping/Deleting existing jobs, RollupCaps API and RollupSearch continue to function.
    [2018-11-27T07:04:36,420][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es_nodename] publish_address {10.142.1.107:9200}, bound_addresses {10.142.1.107:9200}
    [2018-11-27T07:04:36,420][INFO ][o.e.n.Node ] [es_nodename] started
    [2018-11-27T07:04:38,689][INFO ][o.e.x.w.WatcherService ] [es_nodename] reloading watcher, reason [new local watcher shard allocation ids], cancelled [0] queued tasks

(Rijin) #14

Can you please help ?


(Ioannis Kakavas) #15

Thanks very much for your interest in Elasticsearch.

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct, specifically the section "Be patient".

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.


(Rijin) #16

Thank you @ikakavas. Can you please check my issue?


(Rijin) #17

The CA is provided by the company in .pem format.

Two .pem format files are provided.


(Rijin) #18

[2018-11-26T15:07:48,338][WARN ][o.e.x.s.t.n.SecurityNetty4ServerTransport] [gbricemtrs01.corp.internal] exception caught on transport layer [NettyTcpChannel{localAddress=0.0.0.0/0.0.0.0:44648, remoteAddress=gbricemtrs02/10.142.1.110:9300}], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
... 15 more


(Rijin) #19

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330) ~[?:?]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
... 15 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:262) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
... 15 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_181]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:262) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:?]
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:992) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:989) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]


(Ioannis Kakavas) #20

Please don't post logs as unformatted text as it's very hard to read.

Instead paste the text and format it with </> icon, and check the preview
window to make sure it's properly formatted before posting it. This makes it
more likely that your question will receive a useful answer.

It would be great if you could edit your previous posts to resolve this.