SSL Connection Problem between Logstash and ElasticSearch with SearchGuard


Andrés González

Dec 28, 2017, 6:10:09 PM
to Search Guard Community Forum
Hello. We are evaluating Search Guard for our security needs. I am trying to set up SSL between Logstash and Elasticsearch, however I get an error and the connection cannot be established. I am using the default configurations provided in the Search Guard plugins and also generated my certificates with the online plugin provided by Search Guard itself.

Any help would be really appreciated.

* Search Guard and Elasticsearch version
      ES Version: 5.6.5
      Search Guard Version: 5.6.5-18
      Logstash Version: 5.6.5

* JVM version and operating system version:
     JVM: 8
     OS: Windows 10 Pro 64-bit

* Logstash Conf File:
    input { stdin { } }

    output {
        elasticsearch {
            user => "logstash"
            password => "logstash"
            hosts => "131.101.126.39"
            ssl => true
            ssl_certificate_verification => false
        }
    }

* Elasticsearch log messages on debug level

[2017-12-28T17:04:59,667][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [RSY_Ban] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_151]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[netty-handler-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
        at java.lang.Thread.run(Unknown Source) [?:1.8.0_151]

Search Guard

Dec 29, 2017, 4:14:34 PM
to Search Guard Community Forum
Can you please post your elasticsearch.yml?
Can you access Elasticsearch with a curl command like:

curl -kSsvv https://131.101.126.39:9200/ -u logstash:logstash

Omar mézrag

Dec 30, 2017, 8:54:39 AM
to Search Guard Community Forum
Hi,
I have the same issue.
Here is my curl output:

# curl -kSsvv https://10.30.192.201:9200/ -u logstash:logstash
*   Trying 10.30.192.201...
* Connected to 10.30.192.201 (10.30.192.201) port 9200 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*      server certificate verification SKIPPED
*      server certificate status verification SKIPPED
*      common name: node-0.example.com (does not match '10.30.192.201')
*      server certificate expiration date OK
*      server certificate activation date OK
*      certificate public key: RSA
*      certificate version: #3
*      subject: C=DE,L=Test,O=Test,OU=SSL,CN=node-0.example.com
*      start date: Wed, 04 May 2016 20:45:28 GMT
*      expire date: Fri, 04 May 2018 20:45:28 GMT
*      issuer: DC=com,DC=example,O=Example Com Inc.,OU=Example Com Inc. Signing CA,CN=Example Com Inc. Signing CA
*      compression: NULL
* ALPN, server did not agree to a protocol
* Server auth using Basic with user 'logstash'
> GET / HTTP/1.1
> Host: 10.30.192.201:9200
> Authorization: Basic bG9nc3Rhc2g6bG9nc3Rhc2g=
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 434
<
{
  "name" : "node-1",
  "cluster_name" : "searchguard_demo",
  "cluster_uuid" : "Mr3CNnx8TZC0Z9bCiDP9eQ",
  "version" : {
    "number" : "6.1.0",
    "build_hash" : "c0c1ba0",
    "build_date" : "2017-12-12T12:32:54.550Z",
    "build_snapshot" : false,
    "lucene_version" : "7.1.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 10.30.192.201 left intact


And here is my logstash output conf:

output {
    stdout {
        codec => rubydebug
    }
    elasticsearch {
        hosts => ["https://10.30.192.201:9200","https://10.30.192.202:9200","https://10.30.192.203:9200"]
        user => "logstash"
        password => "logstash"
        ssl => true
        ssl_certificate_verification => false
        index => "fortinet-%{+YYYY.MM.dd}"
    }
}

Search Guard

Dec 30, 2017, 2:51:42 PM
to Search Guard Community Forum
You have to configure "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf.
ssl_certificate_verification is only about hostname verification, not about trusting every certificate.

Florent LEPOUTRE

Mar 13, 2018, 4:38:59 PM
to Search Guard Community Forum
Hi,
I have exactly the same problem as Andrés.
And when I add "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf, the error "SSL Problem Received fatal alert: certificate_unknown" disappears, but I get a new error that seems to indicate that Logstash is trying to communicate with Elasticsearch over HTTP instead of HTTPS.
I used the online generator to generate all certificates (https://search-guard.com/tls-certificate-generator/).
Do you have any idea?

Regards,

SG

Mar 16, 2018, 10:58:47 AM
to search...@googlegroups.com
https://groups.google.com/forum/#!searchin/search-guard/ssl_certificate_verification%7Csort:date/search-guard/3jBVTin7ymY/EreVEMG7CAAJ

You have to configure "cacert" or "truststore" on the elasticsearch output plugin in logstash.conf.
ssl_certificate_verification is only about hostname verification, not about trusting every certificate.
See also http://docs.search-guard.com/latest/logstash#using-search-guard-with-logstash

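The fix both Search Guard replies describe, written out as a complete elasticsearch output block. This is an added example, not a configuration from the thread or from the Search Guard documentation; the certificate paths and the truststore password are placeholders for the files produced by the TLS certificate generator mentioned above.

```conf
# Added example: Logstash elasticsearch output that trusts the Search Guard
# root CA instead of turning certificate verification off.
output {
  elasticsearch {
    # Give the scheme explicitly and keep ssl => true, so every host in the
    # list is reached over HTTPS.
    hosts => ["https://10.30.192.201:9200"]
    user => "logstash"
    password => "logstash"
    ssl => true

    # Placeholder path: the root CA PEM emitted by the TLS certificate
    # generator. This is the trust anchor Logstash was missing; without it
    # the client rejects the node certificate and Elasticsearch logs
    # "Received fatal alert: certificate_unknown".
    cacert => "/etc/logstash/certs/root-ca.pem"

    # Alternative to cacert: a JKS truststore holding the same root CA
    # (placeholder path and password).
    # truststore => "/etc/logstash/certs/truststore.jks"
    # truststore_password => "changeit"

    # Leave verification enabled. Setting this to false did not add trust
    # for the node certificate in the thread; it only removed a check.
    # Note from the curl output above: the demo node certificate carries
    # CN=node-0.example.com, so the name used in "hosts" has to match the
    # certificate's CN or SAN for verification to pass.
    ssl_certificate_verification => true

    index => "fortinet-%{+YYYY.MM.dd}"
  }
}
```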
