Try to connect with a ssl node certificate instead of an admin client certificate


mirko spezie

Oct 4, 2017, 10:46:30 AM
to Search Guard Community Forum
Hi,
I've just upgraded my ES from 5.5 to 5.6.2, but when I try to launch sgadmin I get this error:

ERR: You try to connect with a ssl node certificate instead of an admin client certificate
This may have worked in previous versions of Search Guard but is now forbidden
For more informations look here: https://github.com/floragunncom/search-guard-docs/blob/master/sgadmin.md#configuring-the-admin-certificate



I've generated all the certificates from the certificate generator webpage.


# cat /etc/elasticsearch/elasticsearch.yml 

cluster.name: quicollectdev
network.host: localhost
bootstrap.memory_lock: true
node.master: 1
node.data: 1
transport.tcp.port: 9300
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.*.*"]
searchguard.ssl.transport.enable_openssl_if_available: false
searchguard.ssl.transport.keystore_filepath: CN=qcmi03.inetworking.it-keystore.jks
searchguard.ssl.transport.keystore_password: password-generated
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.ssl.transport.truststore_password: password-generated
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.http.enabled: false
searchguard.ssl.http.truststore_filepath: truststore.jks
searchguard.ssl.http.truststore_password: password-generated
searchguard.ssl.http.keystore_filepath: CN=qcmi03.inetworking.it-keystore.jks
searchguard.ssl.http.keystore_password: password-generated

searchguard.authcz.admin_dn:
  - CN=sgadmin


This is the diagnose output: https://pastebin.com/90ukyZK6

I've placed the sgadmin-keystore and the truststore in the plugins/search-guard-5/tools path:

[root@qcmidev tools]# pwd
/usr/share/elasticsearch/plugins/search-guard-5/tools
[root@qcmidev tools]# ll
total 576
-rw-r--r-- 1 elasticsearch elasticsearch   4060  4 ott 15.59 CN=sgadmin-keystore.jks
-rw-r--r-- 1 root          root             214  4 ott 11.43 hash.bat
-rwxr-xr-x 1 root          root             373  4 ott 11.43 hash.sh
-rwxr-xr-x 1 root          root           18449  4 ott 11.43 install_demo_configuration.sh
-rw-r--r-- 1 root          root             282  4 ott 11.43 sgadmin.bat
-rw-r--r-- 1 root          root          542883  4 ott 16.21 sgadmin_diag_trace_2017-Oct-04_16-21-25.txt
-rwxr-xr-x 1 root          root             414  4 ott 11.43 sgadmin.sh
-rw-r--r-- 1 elasticsearch elasticsearch    972  4 ott 15.59 truststore.jks


I've searched around for a solution but found nothing. Any help is really appreciated.

Search Guard

Oct 4, 2017, 11:19:40 AM
to Search Guard Community Forum
How do you call sgadmin.sh? Please post the full command.

mirko spezie

Oct 5, 2017, 6:10:34 AM
to Search Guard Community Forum
# pwd
/usr/share/elasticsearch/plugins/search-guard-5/tools

# sgadmin.sh -ts truststore.jks -tspass ************** -ks sgadmin-keystore.jks -kspass *************** -nhnv -icl -cd ../sgconfig/

SG

Dec 28, 2017, 7:16:43 AM
to search...@googlegroups.com
It should look more like

sgadmin.sh -ts truststore.jks -tspass ************** -ks "CN=sgadmin-keystore.jks" -kspass *************** -nhnv -icl -cd ../sgconfig/
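
A name-level preflight for the sgadmin invocations discussed in this thread, as an added example that is not part of the original posts or of Search Guard. The helper names (`parse_settings`, `sgadmin_options`, `preflight`) are hypothetical, the sample input is constructed from the values shown above, and it assumes `-ks`/`-ts` are given relative to the working directory; it compares file names only and does not inspect certificate contents.

```python
import shlex

# Constructed sample input, taken from the config and listing in this thread.
ES_YML = """\
searchguard.ssl.transport.keystore_filepath: CN=qcmi03.inetworking.it-keystore.jks
searchguard.ssl.transport.truststore_filepath: truststore.jks
searchguard.authcz.admin_dn:
  - CN=sgadmin
"""
TOOLS_DIR = ["CN=sgadmin-keystore.jks", "truststore.jks", "sgadmin.sh"]

def parse_settings(text):
    """Minimal parser for the flat 'key: value' / '- item' layout used above."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and current is not None:
            settings[current].append(line[2:].strip())
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        current = None if value else key      # empty value: a list follows
        settings[key] = value if value else []
    return settings

def sgadmin_options(command):
    """Return {flag: value} for the sgadmin flags that take a value."""
    tokens = shlex.split(command)             # honours the quoted "CN=..." name
    takes_value = {"-ts", "-tspass", "-ks", "-kspass", "-cd"}
    return {t: tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t in takes_value}

def preflight(yml_text, command, tools_dir):
    """List problems with an sgadmin command before it is run."""
    settings, opts, problems = parse_settings(yml_text), sgadmin_options(command), []
    for flag in ("-ks", "-ts"):
        name = opts.get(flag)
        if name is None:
            problems.append(f"{flag} not given")
        elif name not in tools_dir:
            problems.append(f"{flag} {name}: no such file in the working directory")
    node_ks = settings.get("searchguard.ssl.transport.keystore_filepath")
    if node_ks and opts.get("-ks") == node_ks:
        problems.append("-ks is the node's transport keystore, not an admin client keystore")
    if not settings.get("searchguard.authcz.admin_dn"):
        problems.append("searchguard.authcz.admin_dn lists no admin DN")
    return problems
```
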