curl -XGET request on elasticsearch integrated with search-guard throws SSLException #58

Closed
RK-Druva opened this Issue Oct 11, 2015 · 8 comments


RK-Druva commented Oct 11, 2015

I have installed the search-guard plugin on elasticsearch and it's working fine on https://localhost:9200.
But when I make a curl request to the server it throws an exception.

curl -XGET 'https://localhost:9200'
Client ERROR:

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option

Server ERROR:

[2015-10-11 12:55:21,030][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Marvin Flumm] Caught exception while handling client http traffic, closing connection [id: 0x9015393f, /127.0.0.1:59106 => /127.0.0.1:9200]
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1220)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)

I have generated the keystore and truststore via example-pki-scripts.

triumph281 commented Oct 23, 2015

I have the same problem; the Elasticsearch log looks like this:
[2015-10-23 13:58:40,461][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Persuasion] Caught exception while handling client http traffic, closing connection [id: 0x4e7e9b8d, /0:0:0:0:0:0:0:1:63022 => /0:0:0:0:0:0:0:1:9200]
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
[2015-10-23 14:01:43,746][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Persuasion] Caught exception while handling client http traffic, closing connection [id: 0xb8f5d979, /10.134.37.108:56738 => /10.137.163.26:9200]
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:796)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1218)
at org.elasticsearch.common.netty.handler.ssl.SslHandler.decode(SslHandler.java:852)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425)
at org.elasticsearch.common.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303)
at org.elasticsearch.common.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.elasticsearch.common.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:268)
at org.elasticsearch.common.netty.channel.Channels.fireMessageReceived(Channels.java:255)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337)
at org.elasticsearch.common.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89)
at org.elasticsearch.common.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178)
at org.elasticsearch.common.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108)
at org.elasticsearch.common.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

My elasticsearch.yml:
searchguard.enabled: true
searchguard.key_path: /root/yinjj/elk/opt/es/keys
searchguard.check_for_root: false

#searchguard.allow_all_from_loopback: true
#searchguard.http.xforwardedfor.header: DUMMY

searchguard.ssl.transport.http.enabled: true
searchguard.ssl.transport.http.keystore_type: JKS
searchguard.ssl.transport.http.keystore_filepath: /root/yinjj/elk/opt/es/search-guard-es1.6/example-pki-scripts/node-0-keystore.jks
searchguard.ssl.transport.http.keystore_password: changeit

searchguard.ssl.transport.http.enforce_clientauth: true

searchguard.ssl.transport.http.truststore_type: JKS
searchguard.ssl.transport.http.truststore_filepath: /root/yinjj/elk/opt/es/search-guard-es1.6/example-pki-scripts/truststore.jks
searchguard.ssl.transport.http.truststore_password: changeit

searchguard.authentication.authentication_backend.impl: com.floragunn.searchguard.authentication.backend.simple.AlwaysSucceedAuthenticationBackend
#searchguard.authentication.authorizer.impl: com.floragunn.searchguard.authorization.simple.NoRolesAuthorizator
searchguard.authentication.http_authenticator.impl: com.floragunn.searchguard.authentication.http.clientcert.HTTPSClientCertAuthenticator
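
Added example, not part of this issue or of the Search Guard project: a small Python classifier that reads the WARN/exception pairs posted in this thread and explains each handshake failure from the node's side. `Received fatal alert: unknown_ca` is an alert the *client* sent, so it is curl rejecting the node's certificate (the same failure as curl error 60 in the opening post); `null cert chain` is raised by the node itself when `enforce_clientauth: true` demands a client certificate and none is presented. The sample log below is a constructed copy of lines from this thread, and the regular expressions assume the log layout shown here.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: WARN lines and the exception line that follows each one,
# copied from the posts in this thread (one IPv4, one IPv6, one client-auth case).
SAMPLE_LOG = """\
[2015-10-11 12:55:21,030][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Marvin Flumm] Caught exception while handling client http traffic, closing connection [id: 0x9015393f, /127.0.0.1:59106 => /127.0.0.1:9200]
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
[2015-10-23 13:58:40,461][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Persuasion] Caught exception while handling client http traffic, closing connection [id: 0x4e7e9b8d, /0:0:0:0:0:0:0:1:63022 => /0:0:0:0:0:0:0:1:9200]
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
[2015-10-23 14:01:43,746][WARN ][com.floragunn.searchguard.http.netty.SSLNettyHttpServerTransport] [Persuasion] Caught exception while handling client http traffic, closing connection [id: 0xb8f5d979, /10.134.37.108:56738 => /10.137.163.26:9200]
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
"""

# Layout of the Search Guard transport WARN line as it appears in this thread.
WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[(?P<logger>[^\]]+)\] \[(?P<node>[^\]]+)\]"
    r".*closing connection \[id: (?P<conn>0x[0-9a-f]+), /(?P<client>\S+) => /(?P<server>[^\]]+)\]$"
)
# The JSSE exception line printed directly under the WARN line.
EXC_RE = re.compile(r"^(?P<cls>javax\.net\.ssl\.\w+): (?P<msg>.*)$")
ALERT_PREFIX = "Received fatal alert: "

# reason -> (where it originated, what it means, what the client side must change)
DIAGNOSIS = {
    "unknown_ca": (
        "alert sent by the client",
        "the client did not trust the CA that signed this node's certificate",
        "give curl the signing CA with --cacert (or add it to the client trust store) instead of --insecure",
    ),
    "null cert chain": (
        "raised by the node",
        "enforce_clientauth is true but the client presented no certificate",
        "send a client certificate signed by a CA in the node truststore: -E cert --key key",
    ),
}


def parse_handshake_failures(log_text: str) -> List[Dict[str, str]]:
    """Pair each WARN line with its exception line and classify the failure."""
    events: List[Dict[str, str]] = []
    pending = None
    for line in log_text.splitlines():
        m = WARN_RE.match(line)
        if m:
            pending = m.groupdict()
            # Split "host:port"; rsplit keeps IPv6 addresses intact.
            host, port = pending.pop("client").rsplit(":", 1)
            pending["client_host"], pending["client_port"] = host, port
            continue
        e = EXC_RE.match(line)
        if e and pending is not None:
            msg = e.group("msg")
            reason = msg[len(ALERT_PREFIX):] if msg.startswith(ALERT_PREFIX) else msg
            origin, cause, fix = DIAGNOSIS.get(
                reason, ("unknown", "unclassified TLS failure", "inspect the full stack trace")
            )
            pending.update(exception=e.group("cls"), reason=reason,
                           origin=origin, cause=cause, fix=fix)
            events.append(pending)
            pending = None  # the "at ..." stack lines that follow are ignored
    return events


def count_by_reason(events: List[Dict[str, str]]) -> Dict[str, int]:
    """How many failures of each kind; useful to spot one misconfigured client."""
    return dict(Counter(ev["reason"] for ev in events))


if __name__ == "__main__":
    for ev in parse_handshake_failures(SAMPLE_LOG):
        print(f'{ev["ts"]} node={ev["node"]!r} client={ev["client_host"]}:{ev["client_port"]}')
        print(f'  {ev["reason"]} ({ev["origin"]}): {ev["cause"]}')
        print(f'  fix: {ev["fix"]}')
    print(count_by_reason(parse_handshake_failures(SAMPLE_LOG)))
```

Run over the sample, the classifier reports two `unknown_ca` events (curl did not trust the node certificate) and one `null cert chain` event (the node demanded a client certificate), which is exactly the pair of failures the two posters above are seeing.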

ewolinetz (Contributor) commented Oct 23, 2015

Can you try to set your searchguard.ssl.transport.http.enforce_clientauth to false and try this again?
Or use the -E or --cert flag with your curl request to specify the client certificate that would be trusted by the truststore you are using per your config?

floragunncom (Owner) commented May 1, 2016

curl --insecure \
     -E crt.pem \
     --key  key.pem

is what you need

robertchen commented Jan 25, 2017

Can you please give a detailed example of which crt and key I should use (generated from example-pki-scripts)?

curl --insecure -E kirk-signed.pem --key kirk.key.pem https://10.8.8.246:9200/_cat/indices?v
Unauthorized

floragunncom (Owner) commented Jan 25, 2017

Please post the output of curl -V

robertchen commented Jan 25, 2017

[root@ip-10-8-8-246 example-pki-scripts]# curl -V
curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.21 Basic ECC zlib/1.2.8 libidn/1.18 libpsl/0.6.2 (+libicu/50.1.2) libssh2/1.4.2
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz UnixSockets PSL

floragunncom (Owner) commented Jan 25, 2017

try curl --insecure -E ./kirk-signed.pem --key ./kirk.key.pem https://10.8.8.246:9200/_cat/indices?v

see https://groups.google.com/d/topic/search-guard/lIDWvqebBBA/discussion
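
Added example, not part of the thread or of the Search Guard project: a Python helper that reproduces the two pieces of the fix given in this thread (the `--insecure -E ... --key ...` command from May 2016 and the `./` prefix from the comment above). It reads the first line of `curl -V` to find the TLS backend; for an NSS-built curl (the `NSS/3.21` build posted above) it prefixes bare file names with `./`, because curl built against NSS otherwise reads the `-E` argument as a certificate nickname in its NSS database rather than as a file. The prefix is harmless for other backends. It also builds the command with `--cacert` when a CA file is available and falls back to `--insecure` only when none is given, since `--insecure` skips verification of the node certificate entirely. The file name `root-ca.pem` and the sample OpenSSL version line are assumptions, not values from this page.

```python
import shlex
from typing import List, Optional

# Constructed sample: the first two lines of the `curl -V` output posted above.
SAMPLE_CURL_V = (
    "curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.21 Basic ECC "
    "zlib/1.2.8 libidn/1.18 libpsl/0.6.2 (+libicu/50.1.2) libssh2/1.4.2\n"
    "Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s "
    "rtsp scp sftp smb smbs smtp smtps telnet tftp\n"
)

# TLS libraries curl can be linked against, as they appear in `curl -V`.
TLS_BACKENDS = ("NSS", "OpenSSL", "LibreSSL", "BoringSSL", "GnuTLS", "wolfSSL",
                "mbedTLS", "SecureTransport", "Schannel")


def tls_backend(curl_v_output: str) -> Optional[str]:
    """Return the TLS library named on the first line of `curl -V`, or None."""
    first_line = curl_v_output.strip().splitlines()[0]
    for token in first_line.split():
        name = token.strip("()").split("/", 1)[0]
        if name in TLS_BACKENDS:
            return name
    return None


def cert_arg(path: str, backend: Optional[str]) -> str:
    """Make a bare file name unambiguous for an NSS-built curl.

    NSS curl treats an argument without a slash as a nickname in its certificate
    database, not as a file on disk; "./name.pem" is read as a file. This is the
    same change the thread's final answer makes, applied here to cert, key and CA.
    """
    if backend == "NSS" and "/" not in path:
        return "./" + path
    return path


def build_curl_command(url: str, cert: str, key: str, backend: Optional[str],
                       cacert: Optional[str] = None) -> List[str]:
    """argv for a client-certificate request; verifies the node cert when a CA is given."""
    argv = ["curl"]
    if cacert is None:
        # No CA to verify against: this is the thread's --insecure workaround,
        # which accepts any certificate the node presents.
        argv.append("--insecure")
    else:
        argv += ["--cacert", cert_arg(cacert, backend)]
    argv += ["-E", cert_arg(cert, backend), "--key", cert_arg(key, backend), url]
    return argv


def render(argv: List[str]) -> str:
    """Shell-quoted form of argv for display."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    backend = tls_backend(SAMPLE_CURL_V)
    url = "https://10.8.8.246:9200/_cat/indices?v"
    print("backend:", backend)
    print(render(build_curl_command(url, "kirk-signed.pem", "kirk.key.pem", backend)))
    # Hypothetical CA file name (assumption): verify the node instead of --insecure.
    print(render(build_curl_command(url, "kirk-signed.pem", "kirk.key.pem", backend,
                                    cacert="root-ca.pem")))
```

With the NSS build from this thread the helper emits `./kirk-signed.pem` and `./kirk.key.pem`, matching the command that worked for robertchen; with an OpenSSL build the names are passed through unchanged.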

robertchen commented Jan 25, 2017

works, thanks!
