Search-guard failed to parse my admin DN #454

Closed
fbacchella opened this issue Mar 1, 2018 · 10 comments

@fbacchella

commented Mar 1, 2018

I have a certificate with the following DN:

openssl x509 -in /tmp/fa4.cer -text
...
   Subject: emailAddress=fabrice.bacchella@3ds.com/UID=FA4, CN=Fabrice Bacchella, OU=Exalead, O=Dassault Systemes

It makes searchguard fail, but in a silent way:

/usr/share/elasticsearch/plugins/search-guard-*/tools/sgadmin.sh -cacert /data/elasticsearch/conf/alldsca.crt -cd /data/elasticsearch/conf -cert /tmp/fa4.cer -key /tmp/fa4.pkcs8 -nhnv -h fa46.prod.exalead.com -icl -dg
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to fa46.prod.exalead.com:9300 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{w4xqjgfaROSYyFtiy5O2fA}{fa46.prod.exalead.com}{10.83.5.21:9300}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{w4xqjgfaROSYyFtiy5O2fA}{fa46.prod.exalead.com}{10.83.5.21:9300}]]
	at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
	at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
	at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
	at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:444)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

-dg is given, but a diag file is nowhere to be found.

I added:

rootLogger.level = debug
logger.searchguard.name = com.floragunn
logger.searchguard.level = trace

in log4j2.properties, but all I get in the log is:

[2018-03-01T19:17:21,386][TRACE][c.f.s.s.t.SearchGuardSSLNettyTransport] [fa46-1] Tcp transport channel accepted: NettyTcpChannel{localAddress=/10.83.5.21:9300, remoteAddress=/10.83.5.21:40614}
[2018-03-01T19:17:21,594][DEBUG][i.n.h.s.SslHandler       ] [id: 0x3a49955d, L:/10.83.5.21:9300 - R:/10.83.5.21:40614] HANDSHAKEN: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Each time I try a connection.

But if I try:

JAVA_OPTS='-Djavax.net.debug=all' /usr/share/elasticsearch/plugins/search-guard-6/tools/sgadmin.sh -cacert /data/elasticsearch/conf/alldsca.crt -cd /data/elasticsearch/conf -cert /tmp/fa4.cer -key /tmp/fa4.pkcs8 -nhnv -h fa46.prod.exalead.com -icl -dg

I'm getting:

Padded plaintext after DECRYPTION:  len = 4240
0000: 20 5B DA B2 0E 25 3B 83   0A AE EA 93 2E 58 DE 5F   [...%;......X._
0010: 45 53 00 00 10 47 00 00   00 00 00 00 00 02 03 00  ES...G..........
0020: 5B DC CB 00 00 01 00 67   01 39 5B 66 61 34 36 2D  [......g.9[fa46-
0030: 31 5D 5B 31 30 2E 38 33   2E 35 2E 32 31 3A 39 33  1][10.83.5.21:93
0040: 30 30 5D 5B 63 6C 75 73   74 65 72 3A 6D 6F 6E 69  00][cluster:moni
0050: 74 6F 72 2F 6E 6F 64 65   73 2F 6C 69 76 65 6E 65  tor/nodes/livene
0060: 73 73 5D 01 0A 01 1E 53   74 72 69 6E 67 20 69 6E  ss]....String in
0070: 64 65 78 20 6F 75 74 20   6F 66 20 72 61 6E 67 65  dex out of range
0080: 3A 20 2D 38 32 2D 10 6A   61 76 61 2E 6C 61 6E 67  : -82-.java.lang
0090: 2E 53 74 72 69 6E 67 01   0B 53 74 72 69 6E 67 2E  .String..String.
00A0: 6A 61 76 61 09 73 75 62   73 74 72 69 6E 67 AF 0F  java.substring..
00B0: 41 63 6F 6D 2E 66 6C 6F   72 61 67 75 6E 6E 2E 73  Acom.floragunn.s
00C0: 65 61 72 63 68 67 75 61   72 64 2E 73 73 6C 2E 74  earchguard.ssl.t
00D0: 72 61 6E 73 70 6F 72 74   2E 44 65 66 61 75 6C 74  ransport.Default
00E0: 50 72 69 6E 63 69 70 61   6C 45 78 74 72 61 63 74  PrincipalExtract
00F0: 6F 72 01 1E 44 65 66 61   75 6C 74 50 72 69 6E 63  or..DefaultPrinc

It looks like com.floragunn.searchguard.ssl.transport.DefaultPrincipalExtract fails with String index out of range: -82.

But no one is logging this message.

I'm running on CentOS 7.4, the JVM is openjdk version "1.8.0_161", Elasticsearch is 6.2.2, and Search-guard is com.floragunn:search-guard-6:6.2.2-21.0.

@floragunncom

Owner

commented Mar 2, 2018

That sounds like a bug but I cannot reproduce it.

Can you replace your search-guard-ssl-6.2.2-25.1.jar with the one below, restart the node(s) and try again? This should output a few log statements (on ERROR level) and a stack trace that will help us fix this.

https://oss.sonatype.org/content/repositories/snapshots/com/floragunn/search-guard-ssl/6.2.2-26.1-SNAPSHOT/search-guard-ssl-6.2.2-26.1-20180302.191301-1.jar

@fbacchella

Author

commented Mar 9, 2018

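I don't actually have access to my test environment, but I tried to analyse the principal, which I think is part of the problem. With the following Java snippet:

    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.io.UnsupportedEncodingException;
    import java.security.cert.CertificateException;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.security.auth.x500.X500Principal;

    public class PrintSubjectDn { // class name added so the snippet compiles
        // PEM text of the certificate under test; its content is not shown in the post
        static String cert;

        public static void main(String[] args) throws CertificateException, UnsupportedEncodingException {
            CertificateFactory fact = CertificateFactory.getInstance("X.509");
            InputStream is = new ByteArrayInputStream(cert.getBytes("UTF-8"));
            X509Certificate cer = (X509Certificate) fact.generateCertificate(is);
            X500Principal p = cer.getSubjectX500Principal();
            // Print the subject DN in every string form the JDK offers
            System.out.println(p.getName(X500Principal.CANONICAL));
            System.out.println(p.getName(X500Principal.RFC1779));
            System.out.println(p.getName(X500Principal.RFC2253));
            System.out.println(p.getName());
            System.out.println(p);
        }
    }

I got: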

o=dassault systemes,ou=exalead,cn=fabrice bacchella,uid=fa4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, OID.0.9.2342.19200300.100.1.1=FA4, OID.1.2.840.113549.1.9.1=fabrice.bacchella@3ds.com
O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com

Do you think it helps you reproduce the bug?

@fbacchella

Author

commented Mar 14, 2018

I put it in /usr/share/elasticsearch/plugins/search-guard-6:

find /usr/share/elasticsearch/plugins -name 'search-guard-ssl*'
/usr/share/elasticsearch/plugins/search-guard-6/search-guard-ssl-6.2.2-25.1.jar.no
/usr/share/elasticsearch/plugins/search-guard-6/search-guard-ssl-6.2.2-26.1-20180302.191301-1.jar

And the result is exactly the same:

sudo /usr/share/elasticsearch/plugins/search-guard-*/tools/sgadmin.sh -cacert /data/elasticsearch/conf/alldsca.crt -cd /data/elasticsearch/conf -cert /tmp/fa4.cer -key /tmp/fa4-2.pkcs8 -nhnv -h fa46.prod.exalead.com -icl -dg -si
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to fa46.prod.exalead.com:9300 ... done
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by io.netty.util.internal.ReflectionUtil (file:/usr/share/elasticsearch/plugins/search-guard-6/netty-common-4.1.16.Final.jar) to constructor java.nio.DirectByteBuffer(long,int)
WARNING: Please consider reporting this to the maintainers of io.netty.util.internal.ReflectionUtil
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{M5-vWvGnRIym2caktfFReA}{fa46.prod.exalead.com}{10.83.5.21:9300}]
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{M5-vWvGnRIym2caktfFReA}{fa46.prod.exalead.com}{10.83.5.21:9300}]]
	at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
	at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
	at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
	at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
	at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:444)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

In the ES log file, I see a lot of:

[2018-03-14T11:08:43,367][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: CN=fa45.prod.exalead.com,OU=Exalead,O=Dassault Systemes

But I tried the same identity stored in a Java keystore and got:

/usr/share/elasticsearch/plugins/search-guard-*/tools/sgadmin.sh -ts /tmp/fa4.jceks  -h fa44.prod.exalead.com -cn Sysop-Logstash -prompt -ks /tmp/fa4.jceks -ksalias 'alias'
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:563)
	at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:104)
	at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:105)
	at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:130)
	at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:262)
	at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:871)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:435)
	at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:488)
	at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554)
	... 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer: java.io.IOException: DerInputStream.getLength(): lengthTag=78, too big.]; nested: IOException[DerInputStream.getLength(): lengthTag=78, too big.];
	at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:276)
	at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
	at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
	at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:183)
	... 12 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=78, too big.
	at java.base/sun.security.util.DerInputStream.getLength(DerInputStream.java:606)
	at java.base/sun.security.util.DerValue.init(DerValue.java:390)
	at java.base/sun.security.util.DerValue.<init>(DerValue.java:331)
	at java.base/sun.security.util.DerValue.<init>(DerValue.java:344)
	at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1953)
	at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
	at java.base/java.security.KeyStore.load(KeyStore.java:1479)
	at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:238)
	... 15 more
@floragunncom

Owner

commented Mar 14, 2018

First: Yes, the new zip is not supposed to be working, it only displays additional logs (pls post all of them like retval: CN=fa45.prod.exalead.com,OU=Exalead,O=Dassault Systemes)

Second: Do not run sgadmin or your nodes with Java 9, it's not supported right now.

@fbacchella

Author

commented Mar 14, 2018

Got it:

[2018-03-14T16:42:12,226][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-14T16:42:12,227][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] dnString: O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-14T16:42:12,227][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] indexMailStart: 60
[2018-03-14T16:42:12,227][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] nmStart: 64
[2018-03-14T16:42:12,228][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] java.lang.StringIndexOutOfBoundsException: String index out of range: -82
java.lang.StringIndexOutOfBoundsException: String index out of range: -82
	at java.lang.String.substring(String.java:1967) ~[?:1.8.0_161]
	at com.floragunn.searchguard.ssl.transport.DefaultPrincipalExtractor.extractPrincipal(DefaultPrincipalExtractor.java:78) [search-guard-ssl-6.2.2-26.1-20180302.191301-1.jar:6.2.2-26.1-SNAPSHOT]
	at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:132) [search-guard-ssl-6.2.2-26.1-20180302.191301-1.jar:6.2.2-26.1-SNAPSHOT]
	at com.floragunn.searchguard.SearchGuardPlugin$6$1.messageReceived(SearchGuardPlugin.java:526) [search-guard-6-6.2.2-21.0.jar:6.2.2-21.0]
	at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:66) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1555) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:135) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1512) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1382) [elasticsearch-6.2.2.jar:6.2.2]
	at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:64) [transport-netty4-client-6.2.2.jar:6.2.2]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:310) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:297) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:413) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.logging.LoggingHandler.channelRead(LoggingHandler.java:241) [netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1336) [netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) [netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) [netty-handler-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) [netty-codec-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]
[2018-03-14T16:42:12,230][ERROR][c.f.s.t.SearchGuardRequestHandler] No SSL client certificates found for transport type netty. Search Guard needs the Search Guard SSL plugin to be installed
@floragunncom

@fbacchella

Author

commented Mar 19, 2018

I got a:
404 - Path /com/floragunn/search-guard-6/6.x-HEAD-SNAPSHOT/search-guard-6-6.x-HEAD-20180316.165618-1471.zip not found in local storage of repository "Snapshots" [id=snapshots]

Path /com/floragunn/search-guard-6/6.x-HEAD-SNAPSHOT/search-guard-6-6.x-HEAD-20180316.165618-1471.zip not found in local storage of repository "Snapshots" [id=snapshots].
Does any snapshot later than 20180316.165618 fit?

@floragunncom

Owner

commented Mar 19, 2018

@fbacchella

Author

commented Mar 19, 2018

$ /usr/share/elasticsearch/plugins/search-guard-*/tools/sgadmin.sh -cacert /data/elasticsearch/conf/alldsca.crt -cd /data/elasticsearch/conf -cert /var/tmp/fa4.cer -key /var/tmp/fa4-2.pkcs8 -nhnv -h fa46.prod.exalead.com -icl -dg -si
Unable to check whether cluster is sane: no permissions for [cluster:monitor/nodes/info] and User [name=O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,EMAILADDRESS=fabrice.bacchella@3ds.com, roles=[], requestedTenant=null]

And in the logs:

[2018-03-19T11:40:41,465][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: CN=fa45.prod.exalead.com,OU=Exalead,O=Dassault Systemes
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] dnString: O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] indexMailStart: 60
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] nmStart: 64
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexOld: -1
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] oldMail: #1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexNew: -1
[2018-03-19T11:40:41,676][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] newMail: fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,677][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] inter1: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] dnString: O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] indexMailStart: 60
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] nmStart: 64
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexOld: -1
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] oldMail: #1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexNew: -1
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] newMail: fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,941][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] inter1: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,955][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] retval: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] dnString: O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] indexMailStart: 60
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] nmStart: 64
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexOld: -1
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] oldMail: #1619666162726963652e6261636368656c6c61403364732e636f6d
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] endindexNew: -1
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] newMail: fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,956][ERROR][c.f.s.s.t.DefaultPrincipalExtractor] inter1: O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,EMAILADDRESS=fabrice.bacchella@3ds.com
[2018-03-19T11:40:41,956][INFO ][c.f.s.c.PrivilegesEvaluator] No cluster-level perm match for User [name=O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,EMAILADDRESS=fabrice.bacchella@3ds.com, roles=[], requestedTenant=null] [IndexType [index=_all, type=*]] [Action [[cluster:monitor/nodes/info]]] [RolesChecked [sg_own_index]]

That's indeed an expected result. It works, thanks.
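
The -82 in the earlier trace follows from the logged values: indexMailStart 60 plus the 21 characters of `1.2.840.113549.1.9.1=` gives 81, and because emailAddress is the last RDN the comma search returns -1 (logged as endindexOld), so Java 8's `substring` reports -1 - 81. The following is an added example, not Search Guard's code: the class and method names are hypothetical, the unguarded slice is a reconstruction inferred from those log values, and the two DN strings are copied from the `retval:` and `dnString:` log lines in this thread.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

public class EmailRdnDemo { // hypothetical name, added example
    static final String EMAIL_OID = "1.2.840.113549.1.9.1";
    static final String OID_PREFIX = EMAIL_OID + "=";
    static final String KEYWORD_PREFIX = "EMAILADDRESS=";

    // Copied from the "retval:" and "dnString:" log lines in the thread.
    static final String RETVAL =
        "O=Dassault Systemes,OU=Exalead,CN=Fabrice Bacchella,UID=FA4,"
        + "1.2.840.113549.1.9.1=#1619666162726963652e6261636368656c6c61403364732e636f6d";
    static final String DN_STRING =
        "O=Dassault Systemes, OU=Exalead, CN=Fabrice Bacchella, "
        + "UID=FA4, EMAILADDRESS=fabrice.bacchella@3ds.com";

    /** Reconstruction (assumption): slice the value up to the next comma, no -1 check. */
    static String valueUnguarded(String dn, String prefix) {
        int start = dn.indexOf(prefix);          // logged as indexMailStart
        int end = dn.indexOf(',', start);        // -1 when this is the last RDN
        return dn.substring(start + prefix.length(), end);
    }

    /** Same slice, but a missing prefix or a missing trailing comma is handled. */
    static String valueGuarded(String dn, String prefix) {
        int start = dn.indexOf(prefix);
        if (start < 0) {
            return null;                         // attribute not present at all
        }
        int end = dn.indexOf(',', start);
        return dn.substring(start + prefix.length(), end < 0 ? dn.length() : end);
    }

    /** Swap the hex-encoded mail value for the readable one, as the "inter1:" line shows. */
    static String rewrite(String rfc2253, String dnString) {
        String oldMail = valueGuarded(rfc2253, OID_PREFIX);
        String newMail = valueGuarded(dnString, KEYWORD_PREFIX);
        if (oldMail == null || newMail == null) {
            return rfc2253;                      // nothing to rewrite
        }
        return rfc2253.replace(OID_PREFIX + oldMail, KEYWORD_PREFIX + newMail);
    }

    /**
     * Alternative without string slicing: let the JDK map the OID to a keyword.
     * This also sidesteps values that contain an escaped comma, which the
     * indexOf(',') approach above would cut short.
     */
    static String viaOidMap(X500Principal principal) {
        Map<String, String> oidMap = Collections.singletonMap(EMAIL_OID, "EMAILADDRESS");
        return principal.getName(X500Principal.RFC2253, oidMap);
    }

    public static void main(String[] args) {
        try {
            valueUnguarded(RETVAL, OID_PREFIX);
        } catch (StringIndexOutOfBoundsException e) {
            // The message text differs between Java 8 and later JDKs.
            System.out.println("unguarded slice failed: " + e.getMessage());
        }
        System.out.println("guarded rewrite: " + rewrite(RETVAL, DN_STRING));
        System.out.println("oidMap variant:  " + viaOidMap(new X500Principal(DN_STRING)));
    }
}
```

Whichever form is produced, the admin DN configured for Search Guard has to be written in that same string form, since the principal is compared as a string.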

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 19, 2018

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 28, 2018

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 28, 2018

Merge branch '6.1.0' into es-6.1.3
* 6.1.0:
  Fix Search-guard failed to parse my admin DN (floragunncom/search-guard#454)

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 28, 2018

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 28, 2018

Merge branch '6.2.0' into es-6.2.2
* 6.2.0:
  Fix Search-guard failed to parse my admin DN (floragunncom/search-guard#454)

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Mar 28, 2018

Merge branch '6.2.0' into es-6.2.1
* 6.2.0:
  Simplify principal extraction
  Fix Search-guard failed to parse my admin DN (floragunncom/search-guard#454)
@jochenkressin

Collaborator

commented Apr 3, 2018

Fixed with the release of Search Guard v22 / Kibana Plugin v11 : https://docs.search-guard.com/latest/changelog-6-x-22

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Apr 26, 2018

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Apr 26, 2018

Merge branch '5.6.0' into es-5.6.8
* 5.6.0:
  Fix Search-guard failed to parse my admin DN (floragunncom/search-guard#454)

floragunncom added a commit to floragunncom/search-guard-ssl that referenced this issue Apr 26, 2018

Merge branch 'master' into 6.2.0
* master:
  fix several typos and grammar in error messages
  fix typo
  fix typo
  fix smoketest
  Simplify principal extraction
  bump to 6.2.2
  Fix Search-guard failed to parse my admin DN (floragunncom/search-guard#454)