Hi,
I have an ElasticSearch cluster (1 node) and I've set up Shield with an admin user and enabled SSL, which is working fine when I access it via the browser. However, I'm running into trouble when trying to write data to the node using the transport client. I have added the following to my config:
.put("shield.ssl.truststore.path", "./client.jks")
.put("shield.ssl.truststore.password", "passwd")
.put("shield.transport.ssl", "true")
The client keystore contains a certificate we have self-signed; I have also added this to the Elasticsearch server keystore. However, we run into these errors:
CLIENT
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SERVER
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
Any help would be greatly appreciated.
Many thanks.
jaymode
(Jay Modi)
January 12, 2017, 4:13pm
Did you import the server's certificate into the truststore for the client? Can you provide the output of keytool -list -v -keystore filename.jks for both the server and client?
Thanks for the tip. I have added the server's certificate to the client keystore, which now produces these errors:
CLIENT:
javax.net.ssl.SSLException: Received fatal alert: bad_certificate
SERVER:
javax.net.ssl.SSLHandshakeException: null cert chain
The output from the list command is:
CLIENT:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: client
Creation date: 12-Jan-2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Issuer: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Serial number: 43e37545
Valid from: Thu Jan 12 15:35:47 GMT 2017 until: Fri Jan 12 15:35:47 GMT 2018
Certificate fingerprints:
MD5: 75:B4:38:0D:53:21:78:E5:68:D7:99:4E:FB:6D:85:1D
SHA1: 3F:BB:B9:BA:28:E6:45:40:50:A8:0A:E4:DB:E6:F3:94:AC:46:2E:14
SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 92 CF D6 BF 15 25 D9 4E A6 A1 33 7A 50 52 37 FC .....%.N..3zPR7.
0010: B3 AF AC 01 ....
]
]
*******************************************
*******************************************
Alias name: node01
Creation date: 12-Jan-2017
Entry type: trustedCertEntry
Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3143f500f431d88808d27f85daab6b24703
Valid from: Tue Jan 10 15:35:00 GMT 2017 until: Mon Apr 10 16:35:00 BST 2017
Certificate fingerprints:
MD5: 1C:E5:49:77:29:5C:F5:83:6D:C3:2A:FE:C2:46:41:AE
SHA1: 26:9A:D1:E4:94:1B:A5:21:80:02:ED:30:46:E2:02:FD:F8:1D:ED:C5
SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
,
accessMethod: caIssuers
accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.
0010: F3 A8 EC A1 ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0.....This Certi
0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only
0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b
0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac
0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th
0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po
0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository
00A0: 2F /
]] ]
]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: elastic-dev.domain.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 91 2D 8D AA 53 67 AC 7B 3A 9A 21 FD D8 E3 DD 09 .-..Sg..:.!.....
0010: 17 90 7C 0A ....
]
]
*******************************************
*******************************************
SERVER PART1:
Keystore provider: SUN
Your keystore contains 3 entries
Alias name: client
Creation date: 12-Jan-2017
Entry type: trustedCertEntry
Owner: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Issuer: CN=elastic-client.domain.com, OU=elastic-client.domain.com, O=elastic-client.domain.com, L=London, ST=London, C=Gb
Serial number: 43e37545
Valid from: Thu Jan 12 15:35:47 UTC 2017 until: Fri Jan 12 15:35:47 UTC 2018
Certificate fingerprints:
MD5: 75:B4:38:0D:53:21:78:E5:68:D7:99:4E:FB:6D:85:1D
SHA1: 3F:BB:B9:BA:28:E6:45:40:50:A8:0A:E4:DB:E6:F3:94:AC:46:2E:14
SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 92 CF D6 BF 15 25 D9 4E A6 A1 33 7A 50 52 37 FC .....%.N..3zPR7.
0010: B3 AF AC 01 ....
]
]
*******************************************
*******************************************
Alias name: letsencrypt
Creation date: 10-Jan-2017
Entry type: trustedCertEntry
Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3710b7d21176f6249a4bbc2c9ad4b5ef36a
Valid from: Tue Jan 10 15:23:00 UTC 2017 until: Mon Apr 10 15:23:00 UTC 2017
Certificate fingerprints:
MD5: 0C:CD:A5:8C:8E:A8:74:86:00:E8:0A:32:8F:FE:40:5E
SHA1: 2D:74:A5:69:9B:FD:63:8B:EB:19:50:F8:26:FF:68:21:40:AC:73:3E
SHA256: E7:70:D0:1C:C5:50:E9:D9:98:86:69:41:32:33:8B:08:FD:EB:6C:42:DB:CD:52:83:4D:8D:9C:95:E8:B6:AE:73
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
,
accessMethod: caIssuers
accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.
0010: F3 A8 EC A1 ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0.....This Certi
0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only
0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b
0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac
0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th
0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po
0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository
00A0: 2F /
]] ]
]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: elastic-dev.domain.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: E6 BD 5F 4D 06 FC DE 34 C9 EF 52 6B AD 49 D2 31 .._M...4..Rk.I.1
0010: C1 16 59 E7 ..Y.
]
]
*******************************************
*******************************************
SERVER PART2:
Alias name: node01
Creation date: 10-Jan-2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=elastic-dev.domain.com
Issuer: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Serial number: 3143f500f431d88808d27f85daab6b24703
Valid from: Tue Jan 10 15:35:00 UTC 2017 until: Mon Apr 10 15:35:00 UTC 2017
Certificate fingerprints:
MD5: 1C:E5:49:77:29:5C:F5:83:6D:C3:2A:FE:C2:46:41:AE
SHA1: 26:9A:D1:E4:94:1B:A5:21:80:02:ED:30:46:E2:02:FD:F8:1D:ED:C5
SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.int-x3.letsencrypt.org/
,
accessMethod: caIssuers
accessLocation: URIName: http://cert.int-x3.letsencrypt.org/
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.
0010: F3 A8 EC A1 ....
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 ..http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0.....This Certi
0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only
0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b
0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac
0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th
0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po
0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository
00A0: 2F /
]] ]
]
#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: elastic-dev.domain.com
]
#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 91 2D 8D AA 53 67 AC 7B 3A 9A 21 FD D8 E3 DD 09 .-..Sg..:.!.....
0010: 17 90 7C 0A ....
]
]
Certificate[2]:
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
Issuer: CN=DST Root CA X3, O=Digital Signature Trust Co.
Serial number: a0141420000015385736a0b85eca708
Valid from: Thu Mar 17 16:40:46 UTC 2016 until: Wed Mar 17 16:40:46 UTC 2021
Certificate fingerprints:
MD5: B1:54:09:27:4F:54:AD:8F:02:3D:3B:85:A5:EC:EC:5D
SHA1: E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB
SHA256: 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
Signature algorithm name: SHA256withRSA
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://isrg.trustid.ocsp.identrust.com
,
accessMethod: caIssuers
accessLocation: URIName: http://apps.identrust.com/roots/dstrootcax3.p7c
]
]
#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 A7 B1 A4 7B 2C 71 FA DB E1 4B 90 75 FF C4 15 .....,q...K.u...
0010: 60 85 89 10 `...
]
]
#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]
#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl.identrust.com/DSTROOTCAX3CRL.crl]
]]
#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 22 68 74 74 70 3A 2F 2F 63 70 73 2E 72 6F 6F ."http://cps.roo
0010: 74 2D 78 31 2E 6C 65 74 73 65 6E 63 72 79 70 74 t-x1.letsencrypt
0020: 2E 6F 72 67 .org
]] ]
]
#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A8 4A 6A 63 04 7D DD BA E6 D1 39 B7 A6 45 65 EF .Jjc......9..Ee.
0010: F3 A8 EC A1 ....
]
]
*******************************************
*******************************************
jaymode
(Jay Modi)
January 12, 2017, 4:58pm
On the client, what happens if you change truststore to keystore?
.put("shield.ssl.keystore.path", "./client.jks")
.put("shield.ssl.truststore.password", "passwd")
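The two error pairs in this thread map onto two distinct trust-store checks: "PKIX path building failed" / "certificate_unknown" means the client store holds no trusted copy of the server's leaf certificate, while "bad_certificate" / "null cert chain" means the server asked for a client certificate and the client presented none, because a store configured only as shield.ssl.truststore.path contributes trust anchors, not an identity. The script below is an added example written for this thread, not code from Elastic or from either poster: it parses keytool -list -v output (sample listings are constructed from the entries shown above, trimmed to the fields it needs) and reports which of those two conditions a given client Settings map would hit. The settings dictionaries are assumptions modelled on the snippets in the thread.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    """One keystore entry from `keytool -list -v`; for a PrivateKeyEntry,
    owner/sha256 describe Certificate[1], i.e. the leaf certificate."""
    alias: str
    entry_type: str = ""
    owner: str = ""
    sha256: str = ""


def parse_keytool_list(text: str) -> list[Entry]:
    """Parse `keytool -list -v` output, keeping only alias, entry type and
    the leaf certificate's owner and SHA256 fingerprint."""
    entries: list[Entry] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            cur = Entry(alias=line.split(":", 1)[1].strip())
            entries.append(cur)
        elif cur is None:
            continue  # header lines before the first entry
        elif line.startswith("Entry type:"):
            cur.entry_type = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and not cur.owner:
            cur.owner = line.split(":", 1)[1].strip()   # first Owner = leaf
        elif line.startswith("SHA256:") and not cur.sha256:
            cur.sha256 = line.split(":", 1)[1].strip()  # first fingerprint = leaf
    return entries


def diagnose(client_settings: dict, client: list[Entry], server: list[Entry]) -> list[str]:
    """Return the mutual-TLS problems a transport client with these
    settings and stores would run into; an empty list means both sides
    can validate each other."""
    findings = []
    server_leaves = {e.sha256 for e in server if e.entry_type == "PrivateKeyEntry"}
    client_trust = {e.sha256 for e in client if e.entry_type == "trustedCertEntry"}
    if not server_leaves & client_trust:
        findings.append("client store does not trust the server certificate "
                        "(client: PKIX path building failed; server: certificate_unknown)")
    client_keys = [e for e in client if e.entry_type == "PrivateKeyEntry"]
    if "shield.ssl.keystore.path" not in client_settings:
        # A truststore-only configuration gives the client no identity to send.
        findings.append("no shield.ssl.keystore.path: client presents no certificate "
                        "(server: null cert chain; client: bad_certificate)")
    elif not client_keys:
        findings.append("keystore has no PrivateKeyEntry: nothing to present for client auth")
    else:
        server_trust = {e.sha256 for e in server if e.entry_type == "trustedCertEntry"}
        if not any(k.sha256 in server_trust for k in client_keys):
            findings.append("server store does not trust the client certificate")
    return findings


# Constructed sample listings, trimmed from the thread's keytool output.
CLIENT_LIST = """Keystore type: JKS
Your keystore contains 2 entries

Alias name: client
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=elastic-client.domain.com, O=elastic-client.domain.com, L=London, C=Gb
SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78

Alias name: node01
Entry type: trustedCertEntry
Owner: CN=elastic-dev.domain.com
SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
"""

SERVER_LIST = """Your keystore contains 3 entries

Alias name: client
Entry type: trustedCertEntry
Owner: CN=elastic-client.domain.com, O=elastic-client.domain.com, L=London, C=Gb
SHA256: C1:B4:D3:B3:99:BA:71:21:DF:71:3E:F2:A5:CB:6D:1B:52:03:52:CA:A6:C8:D9:CD:46:AE:BF:D0:2B:25:F4:78

Alias name: letsencrypt
Entry type: trustedCertEntry
Owner: CN=elastic-dev.domain.com
SHA256: E7:70:D0:1C:C5:50:E9:D9:98:86:69:41:32:33:8B:08:FD:EB:6C:42:DB:CD:52:83:4D:8D:9C:95:E8:B6:AE:73

Alias name: node01
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=elastic-dev.domain.com
SHA256: E0:72:20:A4:46:72:7D:7C:2E:E6:D6:BA:EB:29:63:1F:7A:EA:7A:82:C3:B8:89:5B:1B:5D:33:72:A6:A9:01:6D
Certificate[2]:
Owner: CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
SHA256: 25:84:7D:66:8E:B4:F0:4F:DD:40:B1:2B:6B:07:40:C5:67:DA:7D:02:43:08:EB:6C:2C:96:FE:41:D9:DE:21:8D
"""

# Assumed settings, modelled on the thread's first attempt and on the fix.
ORIGINAL_SETTINGS = {"shield.ssl.truststore.path": "./client.jks", "shield.transport.ssl": "true"}
FIXED_SETTINGS = {"shield.ssl.keystore.path": "./client.jks", "shield.transport.ssl": "true"}

if __name__ == "__main__":
    client, server = parse_keytool_list(CLIENT_LIST), parse_keytool_list(SERVER_LIST)
    for label, settings in (("original", ORIGINAL_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(label, diagnose(settings, client, server) or ["ok"])
```

The parser keys on SHA256 fingerprints rather than on subject names because the server store above holds two different certificates for CN=elastic-dev.domain.com (aliases letsencrypt and node01, different serial numbers); only the one in the PrivateKeyEntry is what the node actually presents, so that is the one the client store must contain.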
That worked, thanks a lot.
system
(system)
Closed
February 9, 2017, 5:09pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.