New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Elasticsearch X-Pack valid ssl certificate not trusted by client because ca chain not provided by server. #31725
Comments
Pinging @elastic/es-security |
Is it really an ES problem? Because I understand that you only configure a |
@csahli I am going to speculatively close this by pointing to the manual: Please do reopen if it appears that I'm mistaking. |
Thank you for your support but I am not able to reopen a closed issue. I am afraid I didn't explain correctly the issue. According to the manual which I followed to configure x-pack, you can provide the ssl certificate using 2 distinct formats: pkcs12 or pem. Extract from the manual:
xpack.security.http.ssl.key: The full path to the node key file. The ssl client certificate is a file containing a public key generated by a client using its private key and signed by a CA. The client certificate is not suppose to contain the CA Chain. Providing the CA chain instead of the client certificate is unexpected behavior. Elasticsearch should instead discover the Intermediate CA using the CA cert or the CA chain and send the chain during the ssl handshake. |
I review your answer and I think you may be misunderstood my issue. To workaround the issue we used the CA Full chain as value of the xpack.security.http.ssl.certificate parameter. According to the configuration manual you shared, this parameter is supposed to be used to set the SSL cert not the Full CA Chain. If this is an expected behavior, you should update the manual to reflect that. xpack.security.http.ssl.certificate: The full path to the node certificate. |
@csahli, I think I understand the issue, but I jumped the gun without a proper detailed answer, apologies. Your last comment spells the problem. Indeed the For completeness:
Elasticsearch does not, and it would be shoddy, to "generate" chains. It simply forwards the contents of the The browser, you say, validates the certificate, however curl trips. Following is an excerpt of the curl failure:
Elasticsearch sends the same certificate (chain) to both the browser and curl. A TLS party does not "construct" chains for the other to trust. It sends what it got, and hopes the other will trust it. The browser trusts it, but curl does not. From the excerpt, I would try to add the Let's encrypt CA with the --cacert option. There are other ways as well (curl follows some env vars to the system level truststore). I will open a docs PR about the Does this sound fair to you, @csahli ? |
@albertzaharovits Thank you for you reactivity. I am totally ok with your proposal of updating the documentation to reflect nginx approach. There is another approach which is clearly more expensive ... It would consist in adding a new parameter However openssl terminology is clear: ssl cert, ssl bundle and ssl chain are 3 distinct things with distincts roles. And for server side encryption, this is the server role to provide the chain of trust. No matter if the server has to discover or generate it. If the chain is not provided by the server and the client refuses the ssl handshake, this is a server issue not a client issue. Nginx added the comment you mentioned on their documentation because they understand they don't respect openssl terminology. Thank you for your kind support and for your time |
but we're not using openssl, and openssl doesn't define the TLS standards (thankfully). Your point about the documentation being unclear is fair. Getting TLS docs correct is a difficult balancing act - most users just want step by step instructions and don't really want to have to get into details that don't concern them. We intentionally leave out some finer details from those docs because if we put everything in then the docs would be so long that it would scare people off. I agree that they're not quite right here, and we'll work out what we can do to overcome that, but I hope you understand that what you were reading is a guide to setting up TLS, not a full reference, so it's never going to be able to answer every scenario. The settings reference actually says:
So in summary:
|
[doc issue triage] |
@csahli THANK YOU!!! I've been confused in the last few hours and you saved me!
Update: Although
Workaround: in services:
kib01:
environment:
ELASTICSEARCH_SSL_VERIFICATIONMODE: none |
@csahli , @ceefour , let me add a few quick comments here: I think there's no need to add the With that server chain, Setting the server But as Tim mentioned, there isn't any standard defined for this. On the other side, on the So, for the kibana configuration shared by @ceefour , the following should work too.
In summary:
All this is not really related with Elasticsearch, is more generic SSL stuff, so I don't know if we should include this in the docs. Probably not, or maybe a very short comment about it (add any intermediate CA together with the server certificate in the If you continue having issues I guess we should move this to https://discuss.elastic.co/c/elasticsearch |
Thanks for such a crystal clear comment @eedugon ! |
1 similar comment
Thanks for such a crystal clear comment @eedugon ! |
@csahli Thank you from 2021. You just saved me a whole lot of effort. I've been poring over the documentation and couldn't understand why this wasn't working right. This made it crystal clear. |
I do not think it is a mutualTLS handshake, why does es validate the client with its own ca certificate? |
Thanks a ton @eedugon from 2023. In our case we have our own Private CAs, and we haven't installed any CA (interemdiate or Root) cert to the host truststore, and providing both the |
Describe the feature:
Elasticsearch x-pack security settings
Elasticsearch version (
bin/elasticsearch --version
):./elasticsearch --version
Version: 6.2.0, Build: 37cdac1/2018-02-01T17:31:12.527918Z, JVM: 1.8.0_171
Plugins installed: []
./elasticsearch-plugin list
JVM version (
java -version
):java -version
OS version (
uname -a
if on a Unix-like system):uname -a
Linux node1.elasticsearch.paris.sasstacloud.sascloud.io 3.10.0-862.6.3.el7.x86_64 #1 SMP Fri Jun 15 17:57:37 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
Description of the problem including expected versus actual behavior:
Valid SSL certificates provided by elasticseach nodes not trusted.
Steps to reproduce:
Here is the elasticsearch x-pack configuration we set:
Then preform an https request on elasticsearch
But with any other web browser performing the same https request, the ssl certificate is trusted and valid:
Here is the output of a request done using the openssl s_client:
To workaround the problem we applied the following configuration:
replaced:
xpack.security.http.ssl.certificate: /etc/elasticsearch/tls/node.cer
by:
xpack.security.http.ssl.certificate: /etc/elasticsearch/tls/chain.cer
The text was updated successfully, but these errors were encountered: