Using Shield SSL with the Java client

Andy_Warren · January 12, 2017, 4:01pm

Hi,
I have an ElasticSearch cluster (1 node) and I've set up shield with an admin user and enabled SSL which is working fine when i access via the browser. However I'm running into trouble when trying to write data to the node using the transport client. I have added the following to my config
.put("shield.ssl.truststore.path", "./client.jks") .put("shield.ssl.truststore.password", "passwd") .put("shield.transport.ssl", "true")

The client keystore contains a certificate we have self-signed, I have also added this to the elasticsearch server keystore. However we run into these errors:
CLIENT
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SERVER
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

Any help would be greatly appreciated.
Many thanks.

jaymode · January 12, 2017, 4:13pm

Did you import the server's certificate into the truststore for the client? Can you provide the output of keytool -list -v -keystore filename.jks for both the server and client?

Andy_Warren · January 12, 2017, 4:31pm

Thanks for the tip. I have added the servers certificate to the client keystore which now produces the errors:
CLIENT:
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
SERVER:
javax.net.ssl.SSLHandshakeException: null cert chain

The output from the list command is:
CLIENT:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: client
Creation date: 12-Jan-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Issuer: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Serial number: 43e37545
Valid from: Thu Jan 12 15:35:47 GMT 2017 until: Fri Jan 12 15:35:47 GMT 2018
Certificate fingerprints:
	 MD5:  75:B4:38:0D:53:21:78:E5:68:D7:99:4E:FB:6D:85:1D
	 SHA1: 3F:BB:B9:BA:28:E6:45:40:50:A8:0A:E4:DB:E6:F3:94:AC:46:2E:14
	 SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 92 CF D6 BF 15 25 D9 4E   A6 A1 33 7A 50 52 37 FC  .....%.N..3zPR7.
0010: B3 AF AC 01                                        ....
]
]



*******************************************
*******************************************


Alias name: node01
Creation date: 12-Jan-2017
Entry type: trustedCertEntry

Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3143f500f431d88808d27f85daab6b24703
Valid from: Tue Jan 10 15:35:00 GMT 2017 until: Mon Apr 10 16:35:00 BST 2017
Certificate fingerprints:
	 MD5:  1C:E5:49:77:29:5C:F5:83:6D:C3:2A:FE:C2:46:41:AE
	 SHA1: 26:9A:D1:E4:94:1B:A5:21:80:02:ED:30:46:E2:02:FD:F8:1D:ED:C5
	 SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only 
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F                                                 /

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: elastic-dev.domain.com
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 91 2D 8D AA 53 67 AC 7B   3A 9A 21 FD D8 E3 DD 09  .-..Sg..:.!.....
0010: 17 90 7C 0A                                        ....
]
]



*******************************************
*******************************************

Andy_Warren · January 12, 2017, 4:34pm

SERVER PART1:

Keystore provider: SUN

Your keystore contains 3 entries

Alias name: client
Creation date: 12-Jan-2017
Entry type: trustedCertEntry

Owner: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Issuer: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Serial number: 43e37545
Valid from: Thu Jan 12 15:35:47 UTC 2017 until: Fri Jan 12 15:35:47 UTC 2018
Certificate fingerprints:
	 MD5:  75:B4:38:0D:53:21:78:E5:68:D7:99:4E:FB:6D:85:1D
	 SHA1: 3F:BB:B9:BA:28:E6:45:40:50:A8:0A:E4:DB:E6:F3:94:AC:46:2E:14
	 SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 92 CF D6 BF 15 25 D9 4E   A6 A1 33 7A 50 52 37 FC  .....%.N..3zPR7.
0010: B3 AF AC 01                                        ....
]
]



*******************************************
*******************************************


Alias name: letsencrypt
Creation date: 10-Jan-2017
Entry type: trustedCertEntry

Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3710b7d21176f6249a4bbc2c9ad4b5ef36a
Valid from: Tue Jan 10 15:23:00 UTC 2017 until: Mon Apr 10 15:23:00 UTC 2017
Certificate fingerprints:
	 MD5:  0C:CD:A5:8C:8E:A8:74:86:00:E8:0A:32:8F:FE:40:5E
	 SHA1: 2D:74:A5:69:9B:FD:63:8B:EB:19:50:F8:26:FF:68:21:40:AC:73:3E
	 SHA256: E7:70:D0:1C:C5:50:E9:D9:98:86:69:41:32:33:8B:08:FD:EB:6C:42:DB:CD:52:83:4D:8D:9C:95:E8:B6:AE:73
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only 
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F                                                 /

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: elastic-dev.domain.com
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E6 BD 5F 4D 06 FC DE 34   C9 EF 52 6B AD 49 D2 31  .._M...4..Rk.I.1
0010: C1 16 59 E7                                        ..Y.
]
]



*******************************************
*******************************************

Andy_Warren · January 12, 2017, 4:35pm

SERVER PART2:


Alias name: node01
Creation date: 10-Jan-2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3143f500f431d88808d27f85daab6b24703
Valid from: Tue Jan 10 15:35:00 UTC 2017 until: Mon Apr 10 15:35:00 UTC 2017
Certificate fingerprints:
	 MD5:  1C:E5:49:77:29:5C:F5:83:6D:C3:2A:FE:C2:46:41:AE
	 SHA1: 26:9A:D1:E4:94:1B:A5:21:80:02:ED:30:46:E2:02:FD:F8:1D:ED:C5
	 SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 1A 68 74 74 70 3A 2F   2F 63 70 73 2E 6C 65 74  ..http://cps.let
0010: 73 65 6E 63 72 79 70 74   2E 6F 72 67              sencrypt.org

], PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.2
  qualifier: 0000: 30 81 9E 0C 81 9B 54 68   69 73 20 43 65 72 74 69  0.....This Certi
0010: 66 69 63 61 74 65 20 6D   61 79 20 6F 6E 6C 79 20  ficate may only 
0020: 62 65 20 72 65 6C 69 65   64 20 75 70 6F 6E 20 62  be relied upon b
0030: 79 20 52 65 6C 79 69 6E   67 20 50 61 72 74 69 65  y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E   6C 79 20 69 6E 20 61 63  s and only in ac
0050: 63 6F 72 64 61 6E 63 65   20 77 69 74 68 20 74 68  cordance with th
0060: 65 20 43 65 72 74 69 66   69 63 61 74 65 20 50 6F  e Certificate Po
0070: 6C 69 63 79 20 66 6F 75   6E 64 20 61 74 20 68 74  licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65   74 73 65 6E 63 72 79 70  tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65   70 6F 73 69 74 6F 72 79  t.org/repository
00A0: 2F                                                 /

]]  ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: elastic-dev.domain.com
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 91 2D 8D AA 53 67 AC 7B   3A 9A 21 FD D8 E3 DD 09  .-..Sg..:.!.....
0010: 17 90 7C 0A                                        ....
]
]

Certificate[2]:
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: a0141420000015385736a0b85eca708
Valid from: Thu Mar 17 16:40:46 UTC 2016 until: Wed Mar 17 16:40:46 UTC 2021
Certificate fingerprints:
	 MD5:  B1:54:09:27:4F:54:AD:8F:02:3D:3B:85:A5:EC:EC:5D
	 SHA1: E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
	 SHA256: 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
	 Signature algorithm name: SHA256withRSA
	 Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA   DB E1 4B 90 75 FF C4 15  .....,q...K.u...
0010: 60 85 89 10                                        `...
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
  [CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 22 68 74 74 70 3A 2F   2F 63 70 73 2E 72 6F 6F  ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74   73 65 6E 63 72 79 70 74  t-x1.letsencrypt
0020: 2E 6F 72 67                                        .org

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA   E6 D1 39 B7 A6 45 65 EF  .Jjc......9..Ee.
0010: F3 A8 EC A1                                        ....
]
]



*******************************************
*******************************************

jaymode · January 12, 2017, 4:58pm

On the client what happens if you change truststore to keystore

.put("shield.ssl.keystore.path", "./client.jks")
.put("shield.ssl.truststore.password", "passwd")

Andy_Warren · January 12, 2017, 5:09pm

That worked, thanks alot.

system · February 9, 2017, 5:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.