However, I am getting below error on elasticsearch (v7.6.2) side .
Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:267) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:258) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:381) ~[?:?]
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:366) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:503) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
... 16 more
I am using apache beam and I have set ca cert in a keystore on my cilent side .
[ywatanabe@fedora-desktop elasticsearch-7.6.2]$ keytool -list -keystore /home/ywatanabe/Devel/github/public-issues/etc/certs/keystore.jks -storepass 8IK994hP4nw=
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
ca, Apr 11, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 85:81:10:42:27:FE:CD:28:FD:D5:09:B2:C9:E7:06:A3:DF:61:A3:F1
Questions I would like to ask are ,
Q1. Is my understanding correct for which cretificates I need to prepare ?
CA certificate
Private key
SSL certificate
Q2. Are self signed certificate allowed in this context ?
Once we have more information from your current config ,we can suggest what might be missing or needs changing. We cant do that with what you have shared so far.
Thank you for the reply. Below is the whole configuration.
In the meantime I will also review the doc again.
[ywatanabe@fedora-desktop elasticsearch-7.6.2]$ cat config/elasticsearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
#path.data: /path/to/data
#
# Path to log files:
#
#path.logs: /path/to/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
#network.host: 192.168.0.1
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["node-1", "node-2"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
#
# Enable security
#
xpack.security.enabled: true
#
# For Transport Layer
#
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/tls/instance.key
xpack.security.transport.ssl.certificate: certs/tls/instance.crt
xpack.security.transport.ssl.certificate_authorities: [ "certs/tls/ca.crt" ]
#
# For HTTP Layer
#
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: none
xpack.security.http.ssl.certificate: "certs/http/http-localhost.crt"
xpack.security.http.ssl.key: "certs/http/http-localhost.key"
xpack.security.http.ssl.certificate_authorities: [ "certs/tls/ca.crt" ]
I have used below commands to create each certifiacte and key.
Change xpack.security.http.ssl.client_authentication: none to optional or required.
Set up your client for mutal TLS:
Your client needs to have its own client key and certificate if you want to do mutual TLS. What you have done so far is to import the CA cert of the server in your client keystore. This means that your client is able to validate and verify the server certificate, but this is only 50% of the "mutual" TLS.
Assuming that when you ran bin/elasticsearch-certutil http -pem, you selected the "Use an existing CA" option and you are using the ca.key and and ca.crt you created with bin/elasticsearch-certutil ca --pem, you can create a client key and certificate with :
Finally you can import that key pair entry in your keystore in a two step process ( keytool doesn't allow you to import a private key and certificate for some reason ) :
a) Create a PKCS#12 keystore with the client private key and certificate openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -name client -out client.p12
b) Convert the PKCS#12 keystore to a JKS one ( if you need to, your client might as well support PKCS#12 keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore keystore.jks
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
) :