Unable to find valid certification path to requested target

Hello, I'm trying to authenticate users via AD with no success. Running ES 7.9.2 with TLS encryption in the cluster.

Below you can see the excerpt of the yml file where I'm setting up xpack security, and the error I am receiving when trying to login with an AD account in Kibana.
I should note, the key and certs in the xpack.security.transport.ssl are self-signed by elastic. The rootca.pem file comes from my internal CA. Thanks for the help in advance.

# x pack settings
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/elastic-ca/host1.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/elastic-ca/host1.crt
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/elastic-ca/ca.crt"]
xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: my.domain
            url: ldaps://ad_server.domain.com:3269, ldaps://ad_server.domain.com:3269
            ssl:
              certificate_authorities: ["/etc/elasticsearch/elastic-ca/rootca.pem" ]

Error message:

[2020-11-09T15:50:29,875][WARN ][o.e.c.s.DiagnosticTrustManager] [host1.domain.com] failed to establish trust with server at [ad_server.domain.com]; the server provided a certificate with subject name [] and fingerprint [17d8390fdb9b1e22fb4a4427c4f0e865a0f232f2]; the certificate has subject alternative names [DNS:ad_server.domain.com]; the certificate is issued by [CN=Domain Enterprise Root,DC=empty,DC=local] but the server did not provide a copy of the issuing certificate in the certificate chain; this ssl context ([xpack.security.authc.realms.active_directory.my_ad.ssl]) is not configured to trust that issuer
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

In the diagnostic message we have:

the certificate is issued by [CN=Domain Enterprise Root,DC=empty,DC=local]

That is, your AD server has a certificate issued (signed) by CN=Domain Enterprise Root,DC=empty,DC=local

Is that the /etc/elasticsearch/elastic-ca/rootca.pem certificate? It doesn't appear to be (because it's not working).

If you run

openssl x509 -in /etc/elasticsearch/elastic-ca/rootca.pem -noout -subject -issuer -fingerprint

You can see the details of your Root CA.

Here is the output of the openssl command. In all cases, I'm replacing my actual domain name with the word domain. I see that in the error message CN=Domain Enterprise, but the output of openssl states: CN=Domain Issuing CA
issuer= /CN=Domain Root CA

Not sure if there is a difference. Am I not using the right certificate?

[root@red-inf-elkc-p1 ~]# openssl x509 -in /etc/elasticsearch/elastic-ca/rootca.pem -noout -subject -issuer -fingerprint

subject= /DC=com/DC=domain/CN=Domain Issuing CA
issuer= /CN=Domain Root CA
SHA1 Fingerprint=18:9D:7B:28:C0:73:3C:96:28:F2:FA:0A:87:4F:69:8C:2F:2A:A6:11

If the DNs of the certificates don't match, then it is almost certainly the wrong certificate.

Your best bet is to talk to the team that manages AD and/or your Certificate Issuing and find out what you're supposed to use.

It looks like you've been given the right CA in general, but it's not correct for that AD server.
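The two checks suggested in this thread (inspect the configured CA with openssl x509, and compare its subject DN with the issuer DN the diagnostic reports for the AD server's certificate) can be scripted so they are repeatable on every node. The script below is an added example, not code from the thread or from Elastic; it builds a throwaway PKI with constructed names ("Domain Enterprise Root", "Domain Root CA", ad_server.domain.com) that mirror the thread's situation, then shows that `openssl verify` fails with the wrongly configured CA in the same way Elasticsearch's PKIX check does, and passes with the CA that actually issued the server certificate. The function and file names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: reproduce the thread's trust-check failure offline with a constructed demo PKI.

# Subject / issuer DN of a PEM certificate, with openssl's "subject=" / "issuer=" prefix stripped
subject_dn() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# SHA-1 fingerprint, same value the DiagnosticTrustManager and openssl x509 -fingerprint print
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'; }

# $1 = CA file as configured in certificate_authorities, $2 = certificate the server presented.
# Trusts ONLY the given file (no system store), which is what the realm's ssl context does.
verify_server_chain() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the configured CA's subject DN equals the server certificate's issuer DN
ca_matches_issuer() {
  [ "$(subject_dn "$1")" = "$(issuer_dn "$2")" ]
}

# Given several copies of the CA file (one per node), report any copy whose fingerprint
# differs from the first one; returns 1 if the copies are not all identical.
consistent_fingerprints() {
  cf_ref=$(fingerprint "$1"); cf_rc=0
  for cf_file in "$@"; do
    if [ "$(fingerprint "$cf_file")" != "$cf_ref" ]; then
      echo "MISMATCH: $cf_file ($(fingerprint "$cf_file"))"; cf_rc=1
    fi
  done
  return $cf_rc
}

# Constructed demo PKI (not the poster's real certificates): two unrelated self-signed roots
# and one server certificate signed by only one of them.
make_demo_pki() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/DC=local/DC=empty/CN=Domain Enterprise Root" \
    -keyout "$1/enterprise-root.key" -out "$1/enterprise-root.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Domain Root CA" \
    -keyout "$1/other-root.key" -out "$1/other-root.pem" >/dev/null 2>&1
  # Server cert with a SAN like the one in the diagnostic, issued by the enterprise root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ad_server.domain.com" \
    -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:ad_server.domain.com\n' > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/enterprise-root.pem" \
    -CAkey "$1/enterprise-root.key" -CAcreateserial -days 30 \
    -extfile "$1/server.ext" -out "$1/server.pem" >/dev/null 2>&1
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"

echo "server cert issued by : $(issuer_dn "$DEMO_DIR/server.pem")"
echo "configured CA subject : $(subject_dn "$DEMO_DIR/other-root.pem")"
if verify_server_chain "$DEMO_DIR/other-root.pem" "$DEMO_DIR/server.pem"; then
  echo "wrong CA: unexpectedly trusted"
else
  echo "wrong CA: verification fails (this is the PKIX 'unable to find valid certification path' case)"
fi
if verify_server_chain "$DEMO_DIR/enterprise-root.pem" "$DEMO_DIR/server.pem"; then
  echo "right CA: verification succeeds"
fi

# Simulate the final post: three nodes, one of which carries a different CA file
cp "$DEMO_DIR/enterprise-root.pem" "$DEMO_DIR/node1.pem"
cp "$DEMO_DIR/enterprise-root.pem" "$DEMO_DIR/node2.pem"
cp "$DEMO_DIR/other-root.pem"      "$DEMO_DIR/node3.pem"
consistent_fingerprints "$DEMO_DIR/node1.pem" "$DEMO_DIR/node2.pem" "$DEMO_DIR/node3.pem" || true

rm -rf "$DEMO_DIR"
```

On a live system the same functions apply to real files: `openssl s_client -connect ad_server.domain.com:3269 -showcerts </dev/null` shows the chain the AD server actually sends, and `verify_server_chain rootca.pem server.pem` with the leaf saved from that output reproduces what the realm's trust check will do. Because the diagnostic says the server did not send its issuing certificate, the file in `certificate_authorities` has to contain that issuer itself (or the whole chain up to it), not merely a CA from the same PKI. Finally, as the last post in this thread shows, run the fingerprint comparison against the copy on every node: a single node with a stale file is enough to produce the error intermittently.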

Update: This issue was being caused by one of my nodes in the cluster not having the correct certificate in the authorities path. One stinking node was causing the issue.

certificate_authorities: ["/etc/elasticsearch/elastic-ca/certificate.pem" ]

Tim V, thanks for your help.
