DN with a comma seems to trip up search guard


Peter K

Dec 27, 2018, 4:48:07 PM12/27/18
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version: 5.4.1
* Installed and used enterprise modules, if any: none
* JVM version and operating system version: JVM: 1.8.0, Centos 7.6
* Other installed Elasticsearch or Kibana plugins, if any: ingest-geoip, ingest-user-agent


I'm trying to install Search Guard.  I'm to the point where I run sgadmin.sh  --enable-shard-allocation.  I get:

WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to localhost:9300 ... done
Unable to check whether cluster is sane: Cannot authenticate null
Connected as EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpqs\, Inc.,L=Washington,ST=District of Columbia,C=US
ERR: EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US is not an admin user
Seems you use a client certificate but this one is not registered as admin_dn
Make sure elasticsearch.yml on all nodes contains:
searchguard.authcz.admin_dn:
  - "EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US"


Please note that if I add the setting exactly as specified, elasticsearch will not start, with the error:

Transport authentication finally failed for EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,L=Washington,ST=District of Columbia,C=US from 127.0.0.1:58450

The issue seems to be the comma.  If I don't escape it, elasticsearch starts, but sgadmin.sh complains with the error above.

# grep admin_dn /etc/elasticsearch/elasticsearch.yml
searchguard.authcz.admin_dn: [ "EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpq, Inc.,L=Washington,ST=District of Columbia,C=US" ] 


So it's a catch-22 situation.  Any suggestions?
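What a YAML parser makes of the admin_dn spellings in the post above, as an added example that is not part of this thread. It uses Ruby's standard-library YAML (Psych/libyaml) as a stand-in for the YAML reader Elasticsearch applies to elasticsearch.yml, which is an assumption; the DN is the anonymised one from the post.

```ruby
require 'yaml'

# Constructed input: the admin DN exactly as sgadmin printed it in the post
# (anonymised values kept), with the backslash-escaped comma in the O= attribute.
ADMIN_DN = 'EMAILADDRESS=ish...@xxpq.com,CN=*.xxpq.com,O=Xxpq\, Inc.,' \
           'L=Washington,ST=District of Columbia,C=US'.freeze

DOUBLED_DN   = ADMIN_DN.gsub('\\') { '\\\\' }  # every \ written as \\
UNESCAPED_DN = ADMIN_DN.gsub('\\', '')         # backslash dropped, as in the poster's grep

# Four ways the entry could be written in elasticsearch.yml. The first is the
# form sgadmin suggests verbatim; the last is the form the poster fell back to.
CANDIDATES = {
  'double-quoted, single backslash'  => %(searchguard.authcz.admin_dn:\n  - "#{ADMIN_DN}"\n),
  'single-quoted'                    => %(searchguard.authcz.admin_dn:\n  - '#{ADMIN_DN}'\n),
  'double-quoted, doubled backslash' => %(searchguard.authcz.admin_dn:\n  - "#{DOUBLED_DN}"\n),
  'unescaped comma, flow list'       => %(searchguard.authcz.admin_dn: [ "#{UNESCAPED_DN}" ]\n),
}.freeze

# Parse one elasticsearch.yml fragment and return the DN the YAML parser
# produced, or nil when the fragment is rejected as invalid YAML
# (YAML double-quoted scalars only allow a fixed set of escapes; "\," is not one).
def parsed_admin_dn(yaml_text)
  YAML.safe_load(yaml_text)['searchguard.authcz.admin_dn'].first
rescue Psych::SyntaxError
  nil
end

# True only when the parsed value is byte-for-byte the DN sgadmin demanded,
# i.e. the comma in "Xxpq\, Inc." is still escaped after YAML processing.
def matches_sgadmin_dn?(yaml_text)
  parsed_admin_dn(yaml_text) == ADMIN_DN
end

CANDIDATES.each do |label, yaml_text|
  dn = parsed_admin_dn(yaml_text)
  verdict = if dn.nil? then 'rejected as invalid YAML'
            elsif matches_sgadmin_dn?(yaml_text) then 'parses, matches the DN sgadmin printed'
            else "parses, but DN differs: #{dn}"
            end
  puts "#{label.ljust(34)} #{verdict}"
end
```

Only the single-quoted and doubled-backslash spellings give Search Guard the exact string it compares against the certificate DN; the form in the poster's grep parses but loses the backslash.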

Search Guard

Dec 27, 2018, 5:11:11 PM12/27/18
to Search Guard Community Forum
Which exact Search Guard and Elasticsearch versions are you running?
You mentioned 5.4.1, but sgadmin reported 6.x?

Peter K

Dec 28, 2018, 10:04:28 AM12/28/18
to Search Guard Community Forum
Ooops... a brainfart... Running 6.5.4, RPM install:

[root@elk02-dev ~]# rpm -q elasticsearch
elasticsearch-6.5.4-1.noarch

SG

Jan 3, 2019, 5:19:16 AM1/3/19
to search...@googlegroups.com
Can you post the output of

openssl x509 -in admincert.pem -text -noout

and your elasticsearch.yml (as attachment)
