curl: (60) SSL certificate problem: unable to get local issuer certificate


pat...@amatc.com.au

Dec 11, 2018, 8:06:39 AM
to Search Guard Community Forum
Elasticsearch - 5.6.13
Search Guard - search-guard-5:5.6.13-19.2
Java - openjdk version "1.8.0_191"
Ubuntu 18.04


Certificates created on https://search-guard.com/tls-certificate-generator/ as localhost and install runs without error, do I need to add root cert elsewhere?


curl -u admin:admin -XGET 'https://localhost:9300'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above


searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.transport.keystore_password: xxxx
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: xxxx
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: CN=localhost-keystore.jks
searchguard.ssl.http.keystore_password: xxxx
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: xxxx
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.ssl.http.clientauth_mode: OPTIONAL

When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Search Guard

Dec 11, 2018, 8:22:47 AM
to Search Guard Community Forum
Try
curl -k -u admin:admin -XGET 'https://localhost:9200' (not recommended)
or
curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200' (recommended)

(Note: The http/s port is normally 9200 and not 9300. 9300 is the port where the nodes talk to each other with a binary TCP-based protocol, called the transport protocol.)

pat...@amatc.com.au

Dec 11, 2018, 4:02:39 PM
to Search Guard Community Forum
This works - curl --cacert root-ca.pem -u admin:admin -XGET 'https://localhost:9200'

So it works without specifying the cacert, do I install it somewhere or change from keystore cert config to pem?

SG

Dec 11, 2018, 5:07:12 PM
to search...@googlegroups.com
Sorry, but I don't understand ...
> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/8fc51c9f-71f9-4b11-ae0d-110eb3d8b0e5%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

pat...@amatc.com.au

Dec 11, 2018, 5:17:10 PM
to Search Guard Community Forum
I mean to install the root cert so that the other certs are trusted. I have done this using:

cp root-ca.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

I still get the error for local issuer certificate


Search Guard

Dec 11, 2018, 5:21:04 PM
to Search Guard Community Forum
Not sure if curl/php picks up the certs in /usr/local/share/ca-certificates/

Especially curl is tricky, maybe it's compiled against NSS. You can check this with curl -V
For php the question is the same, guess it depends on which SSL library it was compiled against

But that's not really Search Guard related ;-)


pat...@amatc.com.au

Dec 11, 2018, 5:26:03 PM
to Search Guard Community Forum
Then how to get trusted certificates for Search Guard?



SG

Dec 11, 2018, 5:37:39 PM
to search...@googlegroups.com
If you need "official" ssl certs you need to buy them (Verisign etc) or use Let's Encrypt.
But all the SSL stuff is really not Search Guard specific.

pat...@amatc.com.au

Dec 11, 2018, 5:42:39 PM
to Search Guard Community Forum
I think it is because I can't connect when SSL is enabled.



pat...@amatc.com.au

Dec 11, 2018, 5:48:46 PM
to Search Guard Community Forum
I fixed it. I added the pem in php.ini under curl.cainfo = /etc/ssl/cacert.pem

I downloaded the https://curl.haxx.se/docs/caextract.html

I added the root-ca.pem created by the certificate generator at the end of the file I downloaded and uploaded it to the /etc/ssl/ directory.

:)

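The fix from the last post (appending the generator's root-ca.pem to the CA bundle that curl.cainfo points at), reproduced offline as an added example that is not part of the original thread. It assumes the openssl CLI is installed; the CA, the certificate subjects and the temp paths are constructed, and cacert.pem here is a stand-in bundle, not the real download.

```shell
#!/bin/sh
# Added example (not from the thread). Subjects, file names and the temp dir
# are constructed; cacert.pem is a stand-in for the downloaded CA bundle.

# make_demo_pki DIR: throwaway root CA, a CN=localhost cert signed by it,
# and a bundle that holds only an unrelated CA.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/root-ca.key" -out "$d/root-ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/node.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" \
        -CAcreateserial -days 1 -out "$d/node.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/cacert.pem" 2>/dev/null
}

# verify_msg BUNDLE CERT: print openssl's verdict; exit status is 0 only if
# CERT chains to a CA inside BUNDLE.
verify_msg() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# add_root_to_bundle ROOT BUNDLE: append ROOT only if it parses as a PEM
# certificate, so a DER or truncated file is rejected instead of being
# appended and silently ignored by the TLS library.
add_root_to_bundle() {
    openssl x509 -in "$1" -noout 2>/dev/null || return 1
    cat "$1" >> "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "--- bundle without the private root:"
    verify_msg "$tmp/cacert.pem" "$tmp/node.pem" || echo "(verification failed)"
    add_root_to_bundle "$tmp/root-ca.pem" "$tmp/cacert.pem"
    echo "--- bundle with root-ca.pem appended:"
    verify_msg "$tmp/cacert.pem" "$tmp/node.pem" || echo "(verification failed)"
    rm -rf "$tmp"
}

demo
```

The first verification fails with the same "unable to get local issuer certificate" message curl reported, and the second succeeds once the root is in the bundle.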