Configuring CA Bundle with Elastalert > SearchGuard
365 views
Skip to first unread message
anthony...@actual-experience.com
Aug 16, 2017, 9:34:43 AM8/16/17
to Search Guard Community Forum
Hello, I am trying to setup Elastalert, following this guide:
I appreciate this isn't your software, but I was curious as to if you had any advice?
And am running into an issue:
[2017-08-16T13:24:44,968][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [elastic-master-01.x-x.com] SSL Problem Received fatal alert: unknown_ca
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_131]Now, the ca-bundle I am providing is exactly the same as what is configured on the Elastic master I am trying to talk to:
md5sum /etc/elasticsearch/elastic-master-01x/ca-bundle.pem
b72ec81db7ee1831232020df0a807743
md5sum /etc/elastalert/ca-bundle.pem b72ec81db7ee1831232020df0a807743 /etc/elastalert/ca-bundle.pemThe configuration I have inside ES is:
searchguard.ssl.transport.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.transport.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.transport.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.transport.pemkey_password: x
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemkey_filepath: elastic-nodes-key.pkcs8
searchguard.ssl.http.pemcert_filepath: elastic-master-01.x-x.com.pem
searchguard.ssl.http.pemtrustedcas_filepath: ca-bundle.pem
searchguard.ssl.http.pemkey_password: x
searchguard.authcz.admin_dn:
- CN=elastic-admin,OU=Systems/DevOps,O=x x plc,L=x,C=GB
searchguard.nodes_dn:
- CN=elastic-node-01.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=elastic-node-02.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
- CN=*.x-x.com,OU=Systems/DevOps,O=x x x,L=x,C=GB
network.publish_host: elastic-master-01.x-x.com
searchguard.ssl.transport.enforce_hostname_verification: trueAnd then the Elastalert config:
es_host: elastic-master-01.x-x.com
es_port: 9200
es_username: x
es_password: x
use_ssl: True
verify_certs: True
ca_certs: /etc/elastalert/ca-bundle.pem
I appreciate this isn't your software, but I was curious as to if you had any advice?
anthony...@actual-experience.com
Aug 16, 2017, 11:36:36 AM8/16/17
to Search Guard Community Forum
It looks like it doesn't really handle TLS certs / keys, we have modified the elastalert code in order to get around this.
You can close this :)
Search Guard
Aug 16, 2017, 12:13:29 PM8/16/17
to Search Guard Community Forum
Can you publish your code changes/sulution (or even better commit them back to the elastalert project?)
It looks like it doesn't really handle TLS certs / keys, we have modified the elastalert code in order to get around this.You can close this :)
Anthony Cleaves
Aug 16, 2017, 12:16:27 PM8/16/17
to search...@googlegroups.com
I will look at doing that tomorrow, it looks like a similar pull request is already in their repo waiting for a merge.
I will check with my boss and then get back to you tomorrow.
--
You received this message because you are subscribed to a topic in the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/in-u2k-KfMk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4fe03ba2-2e42-4aa4-a49e-051fbe4ebb93%40googlegroups.com.
Anthony Cleaves
Actual Experience plc
Registered Office: Actual Experience plc
Quay House, The Ambury, Bath BA1 1UA,
Registered No. 06838738, VAT No. 971 9696 56
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.
SG
Aug 16, 2017, 12:19:14 PM8/16/17
to search...@googlegroups.com
great !, thx
> To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4fe03ba2-2e42-4aa4-a49e-051fbe4ebb93%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> Anthony Cleaves
> Actual Experience plc
> www.actual-experience.com | @actualexp | LinkedIn
>
> Registered Office: Actual Experience plc
> Quay House, The Ambury, Bath BA1 1UA,
> Registered No. 06838738, VAT No. 971 9696 56
>
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.
>
>
>
> --
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4fe03ba2-2e42-4aa4-a49e-051fbe4ebb93%40googlegroups.com.
>
> For more options, visit https://groups.google.com/d/optout.
>
>
>
> --
> Anthony Cleaves
> Actual Experience plc
> www.actual-experience.com | @actualexp | LinkedIn
>
> Registered Office: Actual Experience plc
> Quay House, The Ambury, Bath BA1 1UA,
> Registered No. 06838738, VAT No. 971 9696 56
>
> The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. Although we routinely screen for viruses, addressees should check this e-mail and any attachment for viruses. We make no warranty as to absence of viruses in this e-mail or any attachments.
>
>
>
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/CAB-OqLFCxAnAN3pyv7E0fAp1691kfMHLsrvc9wvjQD8k5jDwLg%40mail.gmail.com.
anthony...@actual-experience.com
Aug 16, 2017, 2:38:06 PM8/16/17
to Search Guard Community Forum
SG
Aug 16, 2017, 3:19:32 PM8/16/17
to search...@googlegroups.com
:-)
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/4db9b10d-c1ce-440f-a369-816d0885787b%40googlegroups.com.
anthony...@actual-experience.com
Aug 17, 2017, 3:31:47 AM8/17/17
to Search Guard Community Forum
You can now update that documentation,
Elastalert now accepts, client cert and key.
The following works with me for searchguard.
es_host: elastic-master-01.x-x.com
es_port: 9200
es_username: x
es_password: x
use_ssl: True
verify_certs: True
client_cert: /etc/elastalert/elastic-admin.pem
client_key: /etc/elastalert/elastic-admin-key.pem
ca_certs: /etc/elastalert/ca-bundle.pemReply all
Reply to author
Forward
0 new messages