TLS/SSL failing, elastic not working

security

#1

I have a problem understanding some entries in the elasticsearch.yml file,

in particular the xpack.security.transport.ssl.certificate_authorities entry

elasticsearch.yml

cluster.name: "docker-cluster"
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
# Details: https://github.com/elastic/elasticsearch/pull/17288
discovery.zen.minimum_master_nodes: 1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/elasticsearch.cert.pem
xpack.security.transport.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/ca-chain.cert.pem

I have created and validated the keys and certificates with openssl (openssl validate)
There is one thing that is not clear from the docs, and I made an educated guess:

the value of xpack.security.transport.ssl.certificate_authorities

I concatenated the root CA and intermediate CA into one file (chain of trust) like so

cat intermediate/certs/intermediate.cert.pem \
      certs/ca.cert.pem > intermediate/certs/ca-chain.cert.pem
chmod 444 intermediate/certs/ca-chain.cert.pem

I used this chain to validate the signed server certificate I created (and signed)

openssl verify -CAfile intermediate/certs/ca-chain.cert.pem intermediate/certs/elasticsearch.cert.pem

intermediate/certs/elasticsearch.cert.pem: OK

I used the ca-chain.cert.pem as a value for xpack.security.transport.ssl.certificate_authorities

Is this correct?
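
As an added example that is not part of the original post: the shell session below builds the same three-tier structure (root CA, intermediate CA, node certificate) with openssl, writes the chain file exactly as above (intermediate first, root last), and shows what `openssl verify` does with it compared with a root-only trust file. Subjects, file names and the `elasticsearch.com` name are made up for the demo; the extension values are ordinary X.509 extensions, and `clientAuth` is included on the node certificate because the Elasticsearch transport layer authenticates both ends of a node-to-node connection.

```shell
#!/bin/sh
# Added example (not from the thread): root CA -> intermediate CA -> node cert,
# then check which trust file lets openssl verify the node cert.
# All subjects and file names are made up for this demo.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo" >&2; exit 0; }

WORK=$(mktemp -d)

# Extensions for the two CA certs and for the node cert. The node cert gets
# serverAuth AND clientAuth: on the transport port every node is also a TLS client.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:elasticsearch.com,DNS:localhost\n' > "$WORK/node.ext"

# new_key_and_csr NAME SUBJECT -> $WORK/NAME.key.pem and $WORK/NAME.csr
new_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key.pem" -out "$WORK/$1.csr" >/dev/null 2>&1
}

new_key_and_csr ca "/O=companyx/CN=root ca to sign elastic nodes"
new_key_and_csr intermediate "/O=companyx/CN=elastic intermediate"
new_key_and_csr elasticsearch.com "/O=companyx/CN=elasticsearch.com"

# Root: self-signed. Intermediate: signed by the root. Node: signed by the intermediate.
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key.pem" -days 30 -sha256 \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.cert.pem" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.cert.pem" 2>/dev/null
openssl x509 -req -in "$WORK/elasticsearch.com.csr" -CA "$WORK/intermediate.cert.pem" \
  -CAkey "$WORK/intermediate.key.pem" -CAcreateserial -days 30 -sha256 \
  -extfile "$WORK/node.ext" -out "$WORK/elasticsearch.com.cert.pem" 2>/dev/null

# Chain file built the same way as in the post: intermediate first, root last.
cat "$WORK/intermediate.cert.pem" "$WORK/ca.cert.pem" > "$WORK/ca-chain.cert.pem"

# verifies CAFILE CERT -> 0 when "openssl verify" prints "<cert>: OK".
# The text is checked rather than the exit status because old openssl releases
# exit 0 even when verification fails.
verifies() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

if verifies "$WORK/ca-chain.cert.pem" "$WORK/elasticsearch.com.cert.pem"; then
  echo "trust file = intermediate + root : OK"
fi
if verifies "$WORK/ca.cert.pem" "$WORK/elasticsearch.com.cert.pem"; then
  echo "trust file = root only            : OK (unexpected)"
else
  echo "trust file = root only            : FAILS, issuer (intermediate) not found"
fi
# Only the leaf is ever presented by the node here; when the peer trusts just the
# root it hits the same failure as the root-only case, unless it also has the
# intermediate (either in certificate_authorities or sent by the node in its
# certificate file, leaf first, intermediate after it).
```

The `certificate_authorities` setting is a trust store, so whether the intermediate and root sit in one concatenated file or are listed as two files makes no difference and their order in the file does not matter. Order does matter in the file given to `xpack.security.transport.ssl.certificate` if you ship the chain there: the node certificate must come first, followed by the intermediate.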


#2

I wanted to add this

http://localhost:9200/_xpack/ssl/certificates

It does seem to "see" the certificates and their content (some fields obfuscated)

[
  {
    "path": "/usr/share/elasticsearch/config/certs/ca-chain.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxxx, CN=elasticsearch, OU=streaming, O=companyx, L=Luxembourg-ville, ST=Luxembourg, C=LU",
    "serial_number": "e7c7414bc8883115",
    "has_private_key": false,
    "expiry": "2038-11-07T12:03:17.000Z"
  },
  {
    "path": "/usr/share/elasticsearch/config/certs/elasticsearch.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxxx, CN=elasticsearch.com, OU=streaming, O=companyx, L=Luxembourg-ville, ST=Luxembourg, C=LU",
    "serial_number": "6517",
    "has_private_key": true,
    "expiry": "2019-11-22T12:54:06.000Z"
  },
  {
    "path": "/usr/share/elasticsearch/config/certs/ca-chain.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxxx, CN=elastic intermediate, OU=streaming, O=companyx, ST=Luxembourg, C=LU",
    "serial_number": "2740",
    "has_private_key": false,
    "expiry": "2028-11-09T12:35:02.000Z"
  }
]


#3

I made some progress...

Excuse me, I still can't make it work

$ curl -XGET https://elasticsearch.com:9200/_xpack/ssl/certificates
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So the only issue is to have Kibana talk to Elastic over https


(Christian Dahlqvist) #6

What license do you have installed?


#7

Trial license (we are evaluating Elastic), it's still active


#8

I tested the certificates in Node.js and curl, and also validated them with openssl

const https = require('https');
const fs = require('fs');

const options = {
  key: fs.readFileSync('./localhost.key.pem'),   // key for a certificate with CN=localhost, signed by the same intermediate CA
  cert: fs.readFileSync('./localhost.cert.pem')  // leaf certificate only, so the client needs the intermediate in its trust file
};

https.createServer(options, (req, res) => {
  console.log('replying....');
  res.writeHead(200);
  res.end('hello world\n');
}).listen(8000);

I used curl with the --cacert option (worked)

$ curl https://localhost:8000 --cacert ca-chain.cert.pem
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    12    0    12    0     0     12      0 --:--:-- --:--:-- --:--:--    48
hello world

PS: Am I using the config option xpack.security.transport.ssl.certificate_authorities correctly? I am not sure.

Our elasticsearch.yml looks like this

cluster.name: "docker-cluster"
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
# Details: https://github.com/elastic/elasticsearch/pull/17288
discovery.zen.minimum_master_nodes: 1
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/intermediate.ca.cert.pem
xpack.security.transport.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/intermediate.ca.cert.pem
  - /usr/share/elasticsearch/config/certs/root.ca.cert.pem

#11

Certificates via REST API (company and name info replaced with "xxxx")

[
  {
    "path": "/usr/share/elasticsearch/config/certs/elasticsearch.com.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxx, CN=elasticsearch.com, OU=streaming, O=xxxx, L=Luxembourg-ville, ST=Luxembourg, C=LU",
    "serial_number": "651b",
    "has_private_key": true,
    "expiry": "2019-11-23T12:48:30.000Z"
  },
  {
    "path": "/usr/share/elasticsearch/config/certs/intermediate.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxxxxx, CN=elastic intermediate, OU=streaming, O=xxxxx, ST=Luxembourg, C=LU",
    "serial_number": "2741",
    "has_private_key": false,
    "expiry": "2028-11-10T10:36:01.000Z"
  },
  {
    "path": "/usr/share/elasticsearch/config/certs/ca.cert.pem",
    "format": "PEM",
    "alias": null,
    "subject_dn": "EMAILADDRESS=xxxx, CN=root ca to sign elastic nodes, OU=streaming, O=xxxx, L=Luxembourg-ville, ST=Luxembourg, C=LU",
    "serial_number": "be0d48402d376d76",
    "has_private_key": false,
    "expiry": "2038-11-08T09:22:30.000Z"
  }
]

Elasticsearch startup logs, look ok,

elasticsearch.com | [2018-11-13T16:23:32,153][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [e9qmioL] publish_address {172.18.0.2:9200}, bound_addresses {0.0.0.0:9200}
elasticsearch.com | [2018-11-13T16:23:32,154][INFO ][o.e.n.Node               ] [e9qmioL] started
elasticsearch.com | [2018-11-13T16:23:32,695][INFO ][o.e.l.LicenseService     ] [e9qmioL] license [d9edf7ec-75a5-4151-86d1-9ed115259ece] mode [basic] - valid

elasticsearch.yml configuration

cluster.name: "docker-cluster"
network.host: 0.0.0.0

# minimum_master_nodes need to be explicitly set when bound on a public IP
# set to 1 to allow single node clusters
# Details: https://github.com/elastic/elasticsearch/pull/17288
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.com.key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/elasticsearch.com.cert.pem
xpack.security.transport.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/intermediate.cert.pem
  - /usr/share/elasticsearch/config/certs/ca.cert.pem

#12

With all the good-looking logs above, I still get this

$ curl -XGET https://elasticsearch.com:9200
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

#13

What does the error mean in this case?
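
As an added example, not part of any post in the thread: curl's `SSL23_GET_SERVER_HELLO:unknown protocol` means the bytes that came back from port 9200 were not a TLS record, which is what a plain-HTTP listener answers to a ClientHello. The elasticsearch.yml shown in #11 only contains `xpack.security.transport.ssl.*` settings, which cover node-to-node traffic on the transport port; the REST port is governed by the separate `xpack.security.http.ssl.*` settings, and `xpack.security.enabled: false` switches the security features (TLS included) off altogether. The shell lint below reads a flat elasticsearch.yml and reports exactly those conditions. The two configs embedded in it are constructed for the example: the first mirrors the one posted in #11, the second adds the HTTP TLS settings; the certificate paths are the thread's own and are assumptions. The `yaml_get` helper is deliberately minimal (top-level `key: value` lines only).

```shell
#!/bin/sh
# Added example (not from the thread): lint an elasticsearch.yml for the
# "TLS on 9300 but not on 9200" misconfiguration. Keys are the real
# xpack.security.* settings; the sample configs below are constructed.
set -e

# yaml_get FILE KEY -> value of a top-level "KEY: value" line (flat yaml only)
yaml_get() {
  awk -v k="$2" '
    BEGIN { key = k ":" }
    $0 !~ /^[ \t]*#/ && index($0, key) == 1 {
      v = substr($0, length(key) + 1)
      sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# check_es_tls_config FILE -> 0 when clients can use https://host:9200,
# 1 otherwise; findings are printed line by line.
check_es_tls_config() {
  f=$1; rc=0
  if [ "$(yaml_get "$f" xpack.security.enabled)" = "false" ]; then
    echo "FAIL: xpack.security.enabled is false, every xpack.security.*.ssl setting is ignored"; rc=1
  fi
  if [ "$(yaml_get "$f" xpack.security.transport.ssl.enabled)" = "true" ]; then
    echo "ok:   transport TLS (node-to-node, port 9300) is enabled"
  else
    echo "warn: transport TLS is off, node-to-node traffic is cleartext"
  fi
  if [ "$(yaml_get "$f" xpack.security.http.ssl.enabled)" = "true" ]; then
    echo "ok:   HTTP TLS (REST, port 9200) is enabled"
    for k in key certificate; do   # PEM settings; a keystore.path is the alternative
      [ -n "$(yaml_get "$f" xpack.security.http.ssl.$k)" ] \
        || [ -n "$(yaml_get "$f" xpack.security.http.ssl.keystore.path)" ] \
        || { echo "FAIL: xpack.security.http.ssl.$k is not set"; rc=1; }
    done
  else
    echo "FAIL: xpack.security.http.ssl.enabled is not true, port 9200 speaks plain HTTP"
    echo "      (an https:// client then fails with 'unknown protocol' / 'wrong version number')"; rc=1
  fi
  for layer in transport http; do
    case "$(yaml_get "$f" xpack.security.$layer.ssl.verification_mode)" in
      none) echo "warn: $layer verification_mode=none accepts any certificate" ;;
      certificate) echo "note: $layer verification_mode=certificate checks the chain but not the hostname (full does both)" ;;
    esac
  done
  return $rc
}

# Constructed sample 1: transport-only TLS with security disabled, as in #11.
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: false
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.com.key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/elasticsearch.com.cert.pem
xpack.security.transport.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/intermediate.cert.pem
  - /usr/share/elasticsearch/config/certs/ca.cert.pem
EOF

# Constructed sample 2: same, with security on and the HTTP layer given its own TLS settings.
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.com.key.pem
xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certs/elasticsearch.com.cert.pem
xpack.security.transport.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/intermediate.cert.pem
  - /usr/share/elasticsearch/config/certs/ca.cert.pem
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certs/elasticsearch.com.key.pem
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certs/elasticsearch.com.cert.pem
xpack.security.http.ssl.certificate_authorities:
  - /usr/share/elasticsearch/config/certs/intermediate.cert.pem
  - /usr/share/elasticsearch/config/certs/ca.cert.pem
EOF

echo "== config as posted =="; check_es_tls_config "$BAD_CFG" || true
echo "== with HTTP TLS added =="; check_es_tls_config "$GOOD_CFG"
```

Once `xpack.security.http.ssl.enabled` is true the `curl https://elasticsearch.com:9200` call needs `--cacert` with the chain, exactly like the Node.js test in #8, and Kibana needs its Elasticsearch URL switched to `https://` plus `elasticsearch.ssl.certificateAuthorities` in kibana.yml pointing at the same CA file.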


(system) #14

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.