Search guard config


Sundeep

Dec 11, 2018, 7:52:10 PM
to Search Guard Community Forum
When asking questions, please provide the following information:

* Search Guard and Elasticsearch version
* Installed and used enterprise modules, if any
* JVM version and operating system version
* Search Guard configuration files
* Elasticsearch log messages on debug level
* Other installed Elasticsearch or Kibana plugins, if any

Search Guard: 6.2.3-23
Elastic: 6.2.3
Java: 1.8.0

We are trying to use Search Guard with Elasticsearch and would need some guidance/help for the following issues.

- Can we use self-signed certificates for the transport layer, and if we do, what should the value of `searchguard.ssl.transport.pemtrustedcas_filepath` be? Search Guard does not start if it is unset or set to the same cert, because it is self-signed.

Caused by: java.lang.IllegalArgumentException: File does not contain valid private key: Xxxxx.pem
        at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:267) ~[?:?]
        at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:90) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.buildSSLServerContext(DefaultSearchGuardKeyStore.java:613) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.initSSLConfig(DefaultSearchGuardKeyStore.java:405) ~[?:?]
        at com.floragunn.searchguard.ssl.DefaultSearchGuardKeyStore.<init>(DefaultSearchGuardKeyStore.java:145) ~[?:?]
        at com.floragunn.searchguard.ssl.SearchGuardSSLPlugin.<init>(SearchGuardSSLPlugin.java:193) ~[?:?]
        at com.floragunn.searchguard.SearchGuardPlugin.<init>(SearchGuardPlugin.java:197) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_181-b13]
        at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:554) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:505) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:422) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.3.jar:6.2.3]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.3.jar:6.2.3]
        ... 6 more
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
        at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:257) ~[?:?]
        at sun.security.util.DerInputStream.getOID(DerInputStream.java:314) ~[?:?]
        at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_181]
        at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[?:1.8.0_181-b13]
        at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:132) ~[?:?]
        at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:114) ~[?:?]
        at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:372) ~[?:?]
        at javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:95) ~[?:1.8.0_181]
        at io.netty.handler.ssl.SslContext.generateKeySpec(SslContext.java:978) ~[?:?]

- We want to use only internal_users and wanted to know how we can change a password after setup is complete. That is, if we change sg_internal_users.yml with the new password, an Elasticsearch server restart does not reflect the change; the only way is to change the index.

admin:
 hash: $2a$12$VcCDgh2NDk07JGN0rjGbM.Ad41qVR/YFJcgHp0UGns5JDymv..TOG
 roles:
   - admin
 attributes:

Is there a way to achieve this without running sgadmin? Does sgadmin need a running instance of elastic server to make this change?

- On a fresh install of Search Guard I see the following error:
Exception in thread "main" java.lang.NoClassDefFoundError: org/elasticsearch/client/transport/NoNodeAvailableException
       at java.lang.Class.getDeclaredMethods0(Native Method)
       at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
       at java.lang.Class.privateGetMethodRecursive(Class.java:3048)
       at java.lang.Class.getMethod0(Class.java:3018)
       at java.lang.Class.getMethod(Class.java:1784)
       at sun.launcher.LauncherHelper.validateMainClass(LauncherHelper.java:544)
       at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:526)
Caused by: java.lang.ClassNotFoundException: org.elasticsearch.client.transport.NoNodeAvailableException
       at java.net.URLClassLoader.findClass(URLClassLoader.java:381)

Thanks

pat...@amatc.com.au

Dec 11, 2018, 8:07:01 PM
to Search Guard Community Forum
The chain, including the root used to sign the cert. sgadmin won't run if the node is not running.

I just did this myself; you also need to add the root cert to the php.ini config so curl will work.

Sundeep

Dec 11, 2018, 8:16:16 PM
to Search Guard Community Forum
What is the root when it is self signed? I just have the cert file and its private key.

pat...@amatc.com.au

Dec 11, 2018, 8:17:55 PM
to Search Guard Community Forum
Did you sign it yourself?


Sundeep

Dec 11, 2018, 8:23:10 PM
to Search Guard Community Forum
Yes. This is the command we ran:

openssl req -new -newkey rsa:2048 -x509
-days 365
-subj  /CN=ElasticSearch
-keyout elasticserver.key
-out elasticserver.crt
-config apache\conf\openssl.cnf
-passout keyPass.txt

pat...@amatc.com.au

Dec 11, 2018, 8:30:26 PM
to Search Guard Community Forum
Hi,

Use this; put localhost if it is just one server. It works for me. Don't use PEM; use the keystore config at the bottom, which works out of the box.



Search Guard

Dec 12, 2018, 12:38:18 AM
to Search Guard Community Forum

Sundeep

Dec 12, 2018, 3:19:12 PM
to Search Guard Community Forum
I used the tool to generate only the root and node certificates and added the necessary config to Elasticsearch, but when I run sgadmin I get the following error. Does sgadmin need the new root and node cert at a particular location for it to work?
My Elasticsearch node works fine.

>  plugins\search-guard-6\tools\sgadmin.bat -cert config\kirk.pem -cacert config\root-ca.pem -nhnv -icl -key config\kirk-key.pem -cd plugins\search-guard-6\sgconfig -p 8330
Search Guard Admin v6
WARNING: Seems you want connect to the Elasticsearch HTTP port.
         sgadmin connects on the transport port which is normally 9300.
Will connect to 127.0.0.1:8330 ... done
Unable to check whether cluster is sane: None of the configured nodes are available: [{#transport#-1}{qGdkaU6ZQ9WpQz4tQYQCEQ}{127.0.0.1}{127.0.0.1:8330}]
12:14:35.765 [elasticsearch[_client_][transport_client_boss][T#1]] ERROR com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport - SSL Problem General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_181-b13]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_181-b13]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802) ~[?:1.8.0_181-b13]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:1.8.0_181-b13]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181-b13]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181-b13]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_181-b13]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1620) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_181-b13]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_181-b13]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        ... 19 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:1.8.0_181-b13]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_181-b13]
        at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1607) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_181-b13]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_181-b13]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:1.8.0_181-b13]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:1.8.0_181-b13]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_181-b13]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:1.8.0_181-b13]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:1.8.0_181-b13]
        at sun.security.validator.Validator.validate(Validator.java:262) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[?:1.8.0_181-b13]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1607) ~[?:1.8.0_181-b13]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_181-b13]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_181-b13]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_181-b13]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        ... 19 more
ERR: Cannot connect to Elasticsearch. Please refer to elasticsearch logfile for more information
Trace:
NoNodeAvailableException[None of the configured nodes are available: [{#transport#-1}{qGdkaU6ZQ9WpQz4tQYQCEQ}{127.0.0.1}{127.0.0.1:8330}]]
        at org.elasticsearch.client.transport.TransportClientNodesService.ensureNodesAreAvailable(TransportClientNodesService.java:347)
        at org.elasticsearch.client.transport.TransportClientNodesService.execute(TransportClientNodesService.java:245)
        at org.elasticsearch.client.transport.TransportProxyClient.execute(TransportProxyClient.java:60)
        at org.elasticsearch.client.transport.TransportClient.doExecute(TransportClient.java:371)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:405)
        at org.elasticsearch.client.support.AbstractClient.execute(AbstractClient.java:394)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.main0(SearchGuardAdmin.java:450)
        at com.floragunn.searchguard.tools.SearchGuardAdmin.main(SearchGuardAdmin.java:123)

This is the error on the Elasticsearch side.

[2018-12-12T12:05:11,627][INFO ][c.f.s.SearchGuardPlugin  ] ES Config path is elasticserver
[2018-12-12T12:05:11,692][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] OpenSSL not available (this is not an error, we simply fallback to built-in JDK SSL) because of java.lang.ClassNotFoundException: io.netty.internal.tcnative.S
[2018-12-12T12:05:11,833][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Config directory is elasticserver/, from there the key- and truststore files are resolved relatively
[2018-12-12T12:05:11,960][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Client Provider : JDK
[2018-12-12T12:05:11,961][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS Transport Server Provider : JDK
[2018-12-12T12:05:11,961][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] TLS HTTP Provider             : null
[2018-12-12T12:05:11,961][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for transport layer : [TLSv1.2, TLSv1.1]
[2018-12-12T12:05:11,962][INFO ][c.f.s.s.DefaultSearchGuardKeyStore] Enabled TLS protocols for HTTP layer      : [TLSv1.2, TLSv1.1]
[2018-12-12T12:05:12,249][INFO ][c.f.s.SearchGuardPlugin  ] Clustername: elasticsearch
[2018-12-12T12:05:12,261][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [aggs-matrix-stats]
[2018-12-12T12:05:12,262][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [analysis-common]
[2018-12-12T12:05:12,262][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [ingest-common]
[2018-12-12T12:05:12,262][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [lang-expression]
[2018-12-12T12:05:12,263][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [lang-mustache]
[2018-12-12T12:05:12,263][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [lang-painless]
[2018-12-12T12:05:12,263][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [mapper-extras]
[2018-12-12T12:05:12,264][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [parent-join]
[2018-12-12T12:05:12,264][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [percolator]
[2018-12-12T12:05:12,264][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [rank-eval]
[2018-12-12T12:05:12,264][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [reindex]
[2018-12-12T12:05:12,265][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [repository-url]
[2018-12-12T12:05:12,267][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [transport-netty4]
[2018-12-12T12:05:12,268][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded module [tribe]
[2018-12-12T12:05:12,278][INFO ][o.e.p.PluginsService     ] [YZorJly] loaded plugin [search-guard-6]
[2018-12-12T12:05:15,485][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin com.floragunn.searchguard.SearchGuardPlugin
[2018-12-12T12:05:15,549][INFO ][o.e.d.DiscoveryModule    ] [YZorJly] using discovery type [single-node]
[2018-12-12T12:05:16,068][INFO ][c.f.s.SearchGuardPlugin  ] 0 Search Guard modules loaded so far: []
[2018-12-12T12:05:16,069][INFO ][o.e.n.Node               ] initialized
[2018-12-12T12:05:16,070][INFO ][o.e.n.Node               ] [YZorJly] starting ...
[2018-12-12T12:05:16,574][INFO ][o.e.t.TransportService   ] [YZorJly] publish_address {10.38.5.27:8330}, bound_addresses {[::]:8330}
[2018-12-12T12:05:16,826][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Check if searchguard index exists ...
[2018-12-12T12:05:16,921][INFO ][c.f.s.c.IndexBaseConfigurationRepository] searchguard index does not exist yet, so no need to load config on node startup. Use sgadmin to initialize cluster
[2018-12-12T12:05:16,923][INFO ][o.e.g.GatewayService     ] [YZorJly] recovered [0] indices into cluster_state
[2018-12-12T12:05:17,010][INFO ][c.f.s.h.SearchGuardNonSslHttpServerTransport] [YZorJly] publish_address {127.0.0.1:8544}, bound_addresses {[::]:8544}
[2018-12-12T12:05:17,010][INFO ][o.e.n.Node               ] [YZorJly] started
[2018-12-12T12:05:46,467][ERROR][c.f.s.a.BackendRegistry  ] Not yet initialized (you may need to run sgadmin)
[2018-12-12T12:05:47,602][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] [YZorJly] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181-b13]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

Thanks for any help.

-Sundeep
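
An added example, not part of the thread and not Search Guard code: it reproduces with plain `openssl` the trust check behind the `PKIX path building failed` error above, and answers what the "root" is for a single self-signed certificate. All file names and subject names are constructed, the keys are throwaway, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Constructed demo: which file has to be the trusted CA for a given certificate?

# make_root DIR NAME -> self-signed certificate DIR/NAME.pem with key DIR/NAME.key
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR NAME CA -> DIR/NAME.pem, issued by DIR/CA.pem
make_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# chains_to TRUSTED_PEM CERT_PEM -> exit 0 only if CERT_PEM validates against
# the certificates in TRUSTED_PEM. This is the check a TLS peer performs with
# the file given as -cacert (sgadmin) or as
# searchguard.ssl.transport.pemtrustedcas_filepath (node).
chains_to() {
  openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

demo() {
  d=$(mktemp -d) || return 1
  make_root "$d" new-root        # root that issued the node certificate
  make_root "$d" other-root      # unrelated root, e.g. one left over from a demo setup
  make_leaf "$d" node new-root   # node certificate
  make_root "$d" standalone      # one self-signed cert, as produced by `openssl req -x509`

  for ca in new-root other-root; do
    if chains_to "$d/$ca.pem" "$d/node.pem"; then
      echo "node.pem vs $ca.pem: trusted"
    else
      echo "node.pem vs $ca.pem: no certification path (the PKIX error)"
    fi
  done

  # A self-signed certificate is its own issuer, so the certificate file
  # itself is the only possible trust anchor for it.
  if chains_to "$d/standalone.pem" "$d/standalone.pem"; then
    echo "standalone.pem vs itself: trusted"
  fi
  openssl x509 -in "$d/node.pem" -noout -issuer   # shows which root to trust
  rm -rf "$d"
}

demo
```
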

Jithin P S

Dec 12, 2018, 9:07:11 PM
to search...@googlegroups.com
The port you specify is for HTTP.
Normally sgadmin works on the 9300 transport layer only.

Try removing the port option and this may work.
