[2017-08-16T13:24:44,968][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [elastic-master-01.x-x.com] SSL Problem Received fatal alert: unknown_ca
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]
md5sum /etc/elasticsearch/elastic-master-01x/ca-bundle.pem
b72ec81db7ee1831232020df0a807743 /etc/elasticsearch/elastic-master-01x/ca-bundle.pem
md5sum /etc/elastalert/ca-bundle.pem
b72ec81db7ee1831232020df0a807743 /etc/elastalert/ca-bundle.pem
searchguard.ssl.transport.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.transport.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.transport.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.transport.pemkey_password: x
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.http.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.http.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.http.pemkey_password: x
searchguard.authcz.admin_dn:
- CN=elastic-admin,OU=Systems/DevOps,O=x x plc,L=x,C=GB
searchguard.nodes_dn:
- CN=elastic-node-01.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=elastic-node-02.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=*.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
network.publish_host: elastic-master-01.x-x.com
searchguard.ssl.transport.enforce_hostname_verification: true
es_host: elastic-master-01.x-x.com
es_port: 9200
es_username: x
es_password: x
use_ssl: True
verify_certs: True
ca_certs: /etc/elastalert/ca-bundle.pem
It looks like it doesn't really handle TLS certs / keys; we have modified the elastalert code in order to get around this. You can close this :)
es_host: elastic-master-01.x-x.com
es_port: 9200
es_username: x
es_password: x
use_ssl: True
verify_certs: True
client_cert: /etc/elastalert/elastic-admin.pem
client_key: /etc/elastalert/elastic-admin-key.pem
ca_certs: /etc/elastalert/ca-bundle.pem
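The unknown_ca alert in the log above is sent by whichever TLS peer received a certificate it could not chain to a CA in its own trust store, so matching md5sums on the CA bundle only prove both sides trust the same CA, not that the presented certificate was issued by it. The script below, an added example that is not from this thread, builds two throwaway CAs and a client certificate with openssl and runs the same chain check the peer performs; all names and paths are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): show what an "unknown_ca" alert means by
# checking which CA a client certificate actually chains to.
set -e
WORK="$(mktemp -d)"

# Create a self-signed CA: $1 = file prefix, $2 = CN (hypothetical names).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1-key.pem" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a client certificate signed by a CA: $1 = CA prefix, $2 = client prefix, $3 = CN.
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2-key.pem" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1-key.pem" -CAcreateserial -out "$WORK/$2.pem" >/dev/null 2>&1
}

# chain_ok BUNDLE CERT: prints "ok" when CERT chains to a CA in BUNDLE,
# "unknown_ca" otherwise. This is the verification a TLS peer runs on the
# certificate it receives before it would send the unknown_ca alert.
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo unknown_ca
  fi
}

make_ca trusted-ca "demo-trusted-ca"      # the CA in the server's ca-bundle
make_ca other-ca   "demo-other-ca"        # an unrelated CA
make_client trusted-ca admin "elastic-admin"

# Same certificate, two trust stores: only the issuing CA accepts it.
chain_ok "$WORK/trusted-ca.pem" "$WORK/admin.pem"
chain_ok "$WORK/other-ca.pem"   "$WORK/admin.pem"
```

Run the same `openssl verify -CAfile <bundle> <cert>` on the client certificate referenced by `client_cert` against the bundle the other side trusts; if it fails, the alert is expected regardless of the bundle checksums.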