Which certificate should I prepare when enabling mutual tls authentication?

Hello .

I am trying to setup mutual authenticatation by setting xpack.security.http.ssl.client_authentication to true .

However, I am getting below error on elasticsearch (v7.6.2) side .

Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:258) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:381) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:366) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:503) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
        ... 16 more

I am using apache beam and I have set ca cert in a keystore on my cilent side .

[ywatanabe@fedora-desktop elasticsearch-7.6.2]$ keytool -list -keystore /home/ywatanabe/Devel/github/public-issues/etc/certs/keystore.jks -storepass 8IK994hP4nw=
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

ca, Apr 11, 2020, trustedCertEntry, 
Certificate fingerprint (SHA1): 85:81:10:42:27:FE:CD:28:FD:D5:09:B2:C9:E7:06:A3:DF:61:A3:F1

Questions I would like to ask are ,

Q1. Is my understanding correct for which cretificates I need to prepare ?

  • CA certificate
  • Private key
  • SSL certificate

Q2. Are self signed certificate allowed in this context ?

Thanks,
Yu Watanabe

Please share your entire elasticsearch configuration, at least the part related to http ssl.

Also take a look in our docs : https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html#tls-http

Once we have more information from your current config ,we can suggest what might be missing or needs changing. We cant do that with what you have shared so far.

Thank you for the reply. Below is the whole configuration.
In the meantime I will also review the doc again.

[ywatanabe@fedora-desktop elasticsearch-7.6.2]$ cat config/elasticsearch.yml 
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#

#
# Enable security
#
xpack.security.enabled: true

#
# For Transport Layer
#
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate 
xpack.security.transport.ssl.key: certs/tls/instance.key
xpack.security.transport.ssl.certificate: certs/tls/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/tls/ca.crt" ] 

#
# For HTTP Layer 
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: none
xpack.security.http.ssl.certificate: "certs/http/http-localhost.crt"
xpack.security.http.ssl.key: "certs/http/http-localhost.key"
xpack.security.http.ssl.certificate_authorities: [ "certs/tls/ca.crt" ]

I have used below commands to create each certifiacte and key.

ca.crt

bin/elasticsearch-certutil ca --pem

instance.crt
bin/elasticsearch-certutil cert --pem --ca-cert ca/ca.crt -ca-key ca/ca.key

http-localhost.crt and http-localhost.key

bin/elasticsearch-certutil http -pem

**client side keystore (ca.crt is above one) **

keytool -import -alias ca -file ca/ca.crt -keystore /home/ywatanabe/Devel/github/public-issues/etc/certs/keystore.jks -storepass 8IK994hP4nw=

As you will see in our docs, you need to

  1. Change xpack.security.http.ssl.client_authentication: none to optional or required.

  2. Set up your client for mutal TLS:
    Your client needs to have its own client key and certificate if you want to do mutual TLS. What you have done so far is to import the CA cert of the server in your client keystore. This means that your client is able to validate and verify the server certificate, but this is only 50% of the "mutual" TLS.

    Assuming that when you ran bin/elasticsearch-certutil http -pem, you selected the "Use an existing CA" option and you are using the ca.key and and ca.crt you created with bin/elasticsearch-certutil ca --pem, you can create a client key and certificate with :

     bin/elasticsearch-certutil cert --pem --ca-cert ca/ca.crt -ca-key ca/ca.key --name client
    

    Finally you can import that key pair entry in your keystore in a two step process ( keytool doesn't allow you to import a private key and certificate for some reason :confused: ) :

    a) Create a PKCS#12 keystore with the client private key and certificate
    openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -name client -out client.p12

    b) Convert the PKCS#12 keystore to a JKS one ( if you need to, your client might as well support PKCS#12
    keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore keystore.jks

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.