Hello there.
Yesterday I set up Search Guard on an ELK cluster after going through many issues with the keys and certificates.
That was because only pkcs8 keys were supported. I'm on the latest Search Guard version, Version: 6.x-23.
Anyway, it worked yesterday: I was able to send logs from the client via Filebeat, and the data showed up in Kibana.
I shut down the cluster and shut down the AWS instances (Elasticsearch and Kibana on one node, Logstash on another node).
Today, I started the AWS instances and started the cluster, and checked that all ELK components were up and running, but when I used the same credentials (the default admin)
I wasn't able to log on; the message said "The Search Guard license information could not be loaded. Please contact your system administrator."
Here is my sg_config.yml:
searchguard:
  dynamic:
    authc:
      clientcert_auth_domain:
        http_enabled: true
        order: 1
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
========================
Elasticsearch started fine and I can access it at https://<elasticnode IP>:9200, where I got:
{
  "name" : "node1",
  "cluster_name" : "hls-test-elk",
  "cluster_uuid" : "A_9Ls_hiSzKM34WZ7Rjxnw",
  "version" : {
    "number" : "6.3.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "053779d",
    "build_date" : "2018-07-20T05:20:23.451332Z",
    "build_snapshot" : false,
    "lucene_version" : "7.3.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
============================
./tools/sgadmin.sh -cd sgconfig/ -cacert /etc/elasticsearch/root-ca.pem -cert /etc/elasticsearch/node1.pem -key /etc/elasticsearch/node1.key -nhnv -h <elastic.IP> -cn hls-test-elk
WARNING: JAVA_HOME not set, will use /bin/java
Search Guard Admin v6
Will connect to <elastic.IP>:9300 ... done
01:26:01.556 [main] ERROR com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore - Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.
ERR: An unexpected IllegalStateException occured: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
Trace:
java.lang.IllegalStateException: failed to load plugin class [com.floragunn.searchguard.SearchGuardPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:701)
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:114)
at org.elasticsearch.client.transport.TransportClient.newPluginService(TransportClient.java:107)
at org.elasticsearch.client.transport.TransportClient.buildTemplate(TransportClient.java:132)
at org.elasticsearch.client.transport.TransportClient.<init>(TransportClient.java:269)
at com.floragunn.searchguard.tools.SearchGuardAdmin$TransportClientImpl.<init>(SearchGuardAdmin.java:886)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:441)
at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:692)
... 7 more
Caused by: ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/node1.key]; nested: IllegalArgumentException[File does not contain valid private key: /etc/elasticsearch/node1.key]; nested: InvalidKeySpecException[Neither RSA, DSA nor EC worked]; nested: InvalidKeySpecException[java.security.InvalidKeyException: IOException : DER input, Integer tag error]; nested: InvalidKeyException[IOException : DER input, Integer tag error];
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:292)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145)
at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193)
at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:197)
... 12 more
Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: /etc/elasticsearch/node1.key
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267)
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613)
at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:287)
... 15 more
Caused by: java.security.spec.InvalidKeySpecException: Neither RSA, DSA nor EC worked
at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1045)
at io.netty.handler.ssl.SslContext.toPrivateKey(SslContext.java:1014)
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:265)
... 18 more
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : DER input, Integer tag error
at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:169)
at java.security.KeyFactory.generatePrivate(KeyFactory.java:372)
at io.netty.handler.ssl.SslContext.getPrivateKeyFromByteBuffer(SslContext.java:1043)
... 20 more
Caused by: java.security.InvalidKeyException: IOException : DER input, Integer tag error
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:352)
at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:357)
at sun.security.ec.ECPrivateKeyImpl.<init>(ECPrivateKeyImpl.java:73)
at sun.security.ec.ECKeyFactory.implGeneratePrivate(ECKeyFactory.java:237)
at sun.security.ec.ECKeyFactory.engineGeneratePrivate(ECKeyFactory.java:165)
... 22 more
==============================
I've changed the node1.key using "openssl pkcs8 topk8 -in node1.key -out node1-pkcs8.key" and it didn't work. The sg-internal-users.yml has never been changed.
Please help and let us know what's next....
Thank you very much in advance
LI
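
An added example, not part of the original post and not Search Guard code: the first two elements inside a PEM private key's outer DER SEQUENCE show which container format the file holds, which helps when reading a key-parsing failure like the one in the trace above. The function names and the sample byte strings are constructed for illustration; the samples are structural skeletons, not real keys.

```python
import base64
import re

def read_tlv(buf):
    """Return (tag, value, rest) for the first DER TLV in buf, or (None, b"", b"")."""
    if len(buf) < 2:
        return None, b"", b""
    length, pos = buf[1], 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return buf[0], buf[pos:pos + length], buf[pos + length:]

def classify_private_key(pem_text):
    """Name the container format of a PEM private key from its DER layout."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return "not PEM"
    if "Proc-Type: 4,ENCRYPTED" in m.group(2):
        return "legacy encrypted PEM (%s)" % m.group(1)
    tag, body, _ = read_tlv(base64.b64decode("".join(m.group(2).split())))
    if tag != 0x30:
        return "not a DER SEQUENCE"
    first, _, rest = read_tlv(body)
    second = read_tlv(rest)[0]
    return {
        (0x30, 0x04): "PKCS#8 encrypted (EncryptedPrivateKeyInfo)",
        (0x02, 0x30): "PKCS#8 unencrypted (PrivateKeyInfo)",
        (0x02, 0x02): "PKCS#1 RSA (RSAPrivateKey)",
        (0x02, 0x04): "SEC1 EC (ECPrivateKey)",
    }.get((first, second), "unknown")

# Constructed structural skeletons (not real keys), short-form lengths only.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def pem(label, der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)

ALG = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b""))
SAMPLES = {
    "pkcs8": pem("PRIVATE KEY", tlv(0x30, tlv(0x02, b"\x00") + ALG + tlv(0x04, b"\x00" * 8))),
    "pkcs8_enc": pem("ENCRYPTED PRIVATE KEY", tlv(0x30, ALG + tlv(0x04, b"\x00" * 16))),
    "pkcs1": pem("RSA PRIVATE KEY", tlv(0x30, tlv(0x02, b"\x00") + tlv(0x02, b"\x01\x00\x01"))),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify_private_key(text))
```

To check a file on disk, pass its text: `classify_private_key(open(path).read())`. `openssl pkcs8 -topk8` writes the encrypted container unless `-nocrypt` is given.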