SSL Problem Received fatal alert: certificate_unknown

[easy shop]

Hello,

ELK_Version: 6.4.2 

using docker

install

bin/elasticsearch-plugin install -b com.floragunn:search-guard-6:6.4.2-23.2

bin/kibana-plugin install https://search.maven.org/remotecontent?filepath=com/floragunn/search-guard-kibana-plugin/6.4.2-16/search-guard-kibana-plugin-6.4.2-16.zip

execute sgadmin:

-> Execute sgadmin.sh



WARNING: JAVA_HOME not set, will use /usr/bin/java

Search Guard Admin v6

Will connect to localhost:9300 ... done

Elasticsearch Version: 6.4.2

Search Guard Version: 6.4.2-23.2

Connected as CN=testing.test.com

Contacting elasticsearch cluster 'test-ads' and wait for YELLOW clusterstate ...

Clustername: test-ads

Clusterstate: GREEN

Number of nodes: 1

Number of data nodes: 1

searchguard index does not exists, attempt to create it ... done (0-all replicas)

Populate config from /opt/elasticsearch/plugins/search-guard-6/sgconfig

Will update 'sg/config' with ../sgconfig/sg_config.yml

   SUCC: Configuration for 'config' created or updated

Will update 'sg/roles' with ../sgconfig/sg_roles.yml

   SUCC: Configuration for 'roles' created or updated

Will update 'sg/rolesmapping' with ../sgconfig/sg_roles_mapping.yml

   SUCC: Configuration for 'rolesmapping' created or updated

Will update 'sg/internalusers' with ../sgconfig/sg_internal_users.yml

   SUCC: Configuration for 'internalusers' created or updated

Will update 'sg/actiongroups' with ../sgconfig/sg_action_groups.yml

   SUCC: Configuration for 'actiongroups' created or updated


Done with success

elasticsearch.yml:

cluster.name: test-ads
node.name: es-test
network.host: 127.0.0.1
searchguard.ssl.transport.pemcert_filepath: nodecert1.pem
searchguard.ssl.transport.pemkey_filepath: nodeprivkey1.pem
searchguard.ssl.transport.pemtrustedcas_filepath: nodefullchain1.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: cert1.pem
searchguard.ssl.http.pemkey_filepath: privkey1.pem
searchguard.ssl.http.pemtrustedcas_filepath: fullchain1.pem
searchguard.nodes_dn:
- CN=localhost,O=Let's Encrypt,C=US
searchguard.authcz.admin_dn:
- "CN=testing.test.com"
- "CN=*.test.com"
xpack.security.enabled: false

kibana.yml:

elasticsearch.url: "https://localhost:9200"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
searchguard.auth.type: "basicauth"
elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant", "testing"]
elasticsearch.ssl.verificationMode: none
xpack.security.enabled: false

when tray  connect: 

curl -k https://admin:ad...@testing.test.com:9200/

curl: (7) Failed to connect to testing.test.com port 9200: Connection refused

when i restart elasticsearch and kibana:

[2018-11-30T08:42:16,349][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-test] SSL Problem Received fatal alert: certificate_unknown



javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

 at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]

 at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]

 at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_181]

 at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:281) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]

 at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]

 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_181]

[2018-11-30T08:42:16,786][INFO ][o.e.n.Node               ] [es-test] stopping ...

[2018-11-30T08:42:16,793][INFO ][c.f.s.a.s.SinkProvider   ] Closing DebugSink

[2018-11-30T08:42:16,816][INFO ][o.e.x.w.WatcherService   ] [es-test] stopping watch service, reason [shutdown initiated]

* Installed and used enterprise modules, if any

* JVM version and operating system version

* Search Guard configuration files

* Elasticsearch log messages on debug level

* Other installed Elasticsearch or Kibana plugins, if any

[Search Guard]

Can you please run

curl -k -vv -u admin:admin https://testing.test.com:9200/

and post the results. I think this is just a connectivity issue and there is nothing listening on testing.test.com:9200
This is likely because of "network.host: 127.0.0.1". Change this to  "network.host: 0.0.0.0" or "network.host: testing.test.com"

[easy shop]

when I run curl -k -vv -u admin:admin https://testing.test.com:9200/

*   Trying 172.104.151.158...
* TCP_NODELAY set
* connect to 172.104.151.158 port 9200 failed: Connection refused
* Failed to connect to testing.test.com port 9200: Connection refused
* Closing connection 0

curl: (7) Failed to connect totesting.test.com port 9200: Connection refused

Hello,

curl -k https://admin:admin@testing.test.com:9200/

[easy shop]

now work when i run curl -k -vv -u admin:admin https://testing.test.com:9200/


but I get new error for logstash and elasticsearch:

elasticsearch log:

[2018-12-21T10:17:12,556][ERROR][c.f.s.h.SearchGuardHttpServerTransport] [es-index] SSL Problem Received fatal alert: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

logstash log:

[2018-12-21T10:17:57,759][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://admin:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://admin:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

Dana petak, 30. studenoga 2018. u 10:31:01 UTC+1, korisnik easy shop napisao je:

Hello,

curl -k https://admin:admin@testing.test.com:9200/

[SG]

i guess you are missing something like
elasticsearch.ssl.certificateAuthorities: "/path/to/your/root-ca.pem"
in your kibana.yml

See https://docs.search-guard.com/latest/kibana-plugin-installation#configuring-the-root-ca

> curl -k https://admin:ad...@testing.test.com:9200/

> --
> You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to search-guard...@googlegroups.com.
> To post to this group, send email to search...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/d23bda2d-5ebe-4ef0-927d-37cf4f6595ee%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.