certificate_unknown for sgadmin.sh


Vít Listík

Nov 12, 2017, 5:38:31 PM
to Search Guard Community Forum
Hello, 

I am trying to add some users to the .searchguard index with sgadmin.sh.

I have changed the demo certificates to a domain wildcard certificate.
HTTPS works correctly, but I am not able to generate valid client certificates.

openssl genrsa -out admin-es.key 2048
openssl req -new -key admin-es.key -out admin-es.csr
openssl pkcs8 -topk8 -inform pem -in admin-es.key -outform pem -out admin-es.pkcs
openssl x509 -req -in admin-es.csr -CA domain.pem -CAkey domain.key -CAcreateserial -out admin-es.pem -days 1024 -sha256

openssl x509 -noout -subject -in admin-es.full.pem
subject= /C=CZ/ST=Some-State/L=Prague/O=domain/CN=admin

elasticsearch.yml

searchguard.authcz.admin_dn:
  - C=CZ,ST=Some-State,L=Prague,O=domain,CN=admin

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.pem -cacert domain.pem -keypass pass
which results in:
SSL Problem Received fatal alert: bad_certificate

I have also tried to concatenate the certs into a bundle:
cat admin-es.pem domain.pem > admin-es.full.pem

/usr/share/elasticsearch/plugins/search-guard-5/tools/sgadmin.sh -nhnv -key admin-es.pkcs -icl -cert admin-es.full.pem -cacert domain.pem -keypass pass
which results in 
SSL Problem Received fatal alert: certificate_unknown

I am aware of this example, but it is not using OpenSSL: https://github.com/floragunncom/search-guard-ssl/blob/master/example-pki-scripts/gen_client_node_cert.sh

Can you please suggest what I am doing wrong?

SG

Nov 13, 2017, 9:56:07 AM
to search...@googlegroups.com
There is also a script which uses openssl only: https://github.com/floragunncom/search-guard-ssl/blob/master/example-pki-scripts/gen_node_cert_openssl.sh