Hi,
I have my admin certificate DN configured as follows.
searchguard.authcz.admin_dn:
- CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=US
When I try to initialize the SG, I get the following exception.
[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] Error authentication transport user ElasticsearchSecurityException[java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ExecutionException[java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: Exception[no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com];
org.elasticsearch.ElasticsearchSecurityException: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:298) ~[search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.transport.SearchGuardRequestHandler.messageReceivedDecorate(SearchGuardRequestHandler.java:168) [search-guard-5-5.5.1-16.jar:?]
at com.floragunn.searchguard.ssl.transport.SearchGuardSSLRequestHandler.messageReceived(SearchGuardSSLRequestHandler.java:140) [search-guard-ssl-5.5.1-23.jar:5.5.1-23]
at com.floragunn.searchguard.SearchGuardPlugin$3$1.messageReceived(SearchGuardPlugin.java:376) [search-guard-5-5.5.1-16.jar:?]
at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:69) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport$RequestHandler.doRun(TcpTransport.java:1544) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.common.util.concurrent.EsExecutors$1.execute(EsExecutors.java:110) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.handleRequest(TcpTransport.java:1501) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.TcpTransport.messageReceived(TcpTransport.java:1385) [elasticsearch-5.5.1.jar:5.5.1]
at org.elasticsearch.transport.netty4.Netty4MessageChannelHandler.channelRead(Netty4MessageChannelHandler.java:74) [transport-netty4-client-5.5.1.jar:5.5.1]
:
:
:
Caused by: java.util.concurrent.ExecutionException: java.lang.Exception: no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
at com.google.common.util.concurrent.AbstractFuture.getDoneValue(AbstractFuture.java:476) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:435) ~[?:?]
at com.google.common.util.concurrent.AbstractFuture$TrustedFuture.get(AbstractFuture.java:79) ~[?:?]
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:143) ~[?:?]
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2352) ~[?:?]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2324) ~[?:?]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2286) ~[?:?]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2201) ~[?:?]
at com.google.common.cache.LocalCache.get(LocalCache.java:3953) ~[?:?]
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4790) ~[?:?]
at com.floragunn.searchguard.auth.BackendRegistry.authenticate(BackendRegistry.java:272) ~[?:?]
... 43 more
If I change the admin DN configuration as below, in the reverse order, it works.
searchguard.authcz.admin_dn:
- C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com
I don't understand what is happening here.
If I fetch it from the certificate, I get it in the order with CN at the beginning.
Then why is SG expecting the DN in the reverse order?
Also, in the page here, the example shows the admin certificate DN starting with CN.
Then why is it not working for me?
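
An added example, not part of the original post and not Search Guard code: a small Python check that extracts the DN from a "no such user" log line and compares it, RDN by RDN, with a configured admin_dn entry to show whether the two differ only in order. The function names and result labels are assumptions made for this illustration; the sample inputs are copied from the post above.

```python
import re

# Sample inputs copied from the post: the configured entry and the logged error.
CONFIGURED = "CN=vf-zr125-sm100.dr.avaya.com,O=Avaya,C=US"
LOG_LINE = ("[2017-10-15T01:36:02,763][ERROR][c.f.s.t.SearchGuardRequestHandler] "
            "Error authentication transport user ElasticsearchSecurityException["
            "java.util.concurrent.ExecutionException: java.lang.Exception: "
            "no such user C=US,O=Avaya,CN=vf-zr125-sm100.dr.avaya.com]; nested: ...")


def split_rdns(dn):
    """Split a DN string on unescaped commas into (ATTR, value) pairs."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep an escaped char such as "\," intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def logged_dn(line):
    """Return the DN that follows 'no such user' in a log line, or None."""
    m = re.search(r"no such user (.+?)(?:\]|$)", line)
    return m.group(1).strip() if m else None


def classify(configured, presented):
    """Label how a configured DN relates to the DN reported in the log."""
    c, p = split_rdns(configured), split_rdns(presented)
    if c == p:
        return "match"
    if c == p[::-1]:
        return "reversed"      # same RDNs, exactly opposite order
    if sorted(c) == sorted(p):
        return "reordered"     # same RDNs, some other order
    return "different"


if __name__ == "__main__":
    print(classify(CONFIGURED, logged_dn(LOG_LINE)))
```
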