Is it possible to configure elasticsearch/search guard to not make curl try to look for NSS certs?


Steve Haertel

Jul 13, 2017, 1:14:12 PM
to Search Guard
With my elasticsearch (with search guard) running, I'm trying to actually query something using my certificate.

[root@hostname scripts]# curl -vk --cacert /path/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
* About to connect() to hostname.domain port 9201 (#0)
*   Trying 9.21.63.21...
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* NSS error -12271 (SSL_ERROR_BAD_CERT_ALERT)
* SSL peer cannot verify your certificate.
* Closing connection 0
curl: (58) NSS: client certificate not found (nickname not specified)


[root@hostname scripts]# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

But it seems that it's trying to use the NSS database for certificate/key info. I don't touch the NSS database, and I don't want it to do this, and other things that I use curl on for this host don't have this problem. Is this an elasticsearch configuration that I can change?

SG

Jul 13, 2017, 2:25:37 PM
to search...@googlegroups.com
I have no experience with NSS; we recommend using a curl binary compiled against OpenSSL instead of NSS.
That's nothing Search Guard can change or influence. You can also try wget or HTTPie instead of curl.

See also:
https://github.com/floragunncom/search-guard/issues/272
https://groups.google.com/forum/#!searchin/search-guard/nss$20curl%7Csort:relevance


> Am 13.07.2017 um 19:42 schrieb Steve Haertel <steveh...@gmail.com>:
>
> My elasticsearch openssl config was "false", so I restarted it and set it to "true"
>
> Now I get ...
>
> [root@stevew scripts]# curl -v -cacert /PATH/cacert.pem -XGET https://hostname.domain:9201/_cluster/health?otherstuff=values
> * <url> malformed
> * Closing connection -1
> curl: (3) <url> malformed
> * About to connect() to hostname.domain port 9201 (#0)
> * Trying 9.21.63.21...
> * Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * CAfile: /etc/pki/tls/certs/ca-bundle.crt
> CApath: none
> * Server certificate:
> * subject: CN=*.SCRUBBED_DOMAIN,O=ORG,C=CA
> * start date: Jul 12 17:36:22 2017 GMT
> * expire date: Jul 11 17:36:22 2020 GMT
> * common name: *.SCRUBBED_DOMAIN
> * issuer: CN=SCRUBBED_ISSUER (SHA256),O=ORG,C=CA
> * NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
> * Peer's Certificate issuer is not recognized.
> * Closing connection 0
> curl: (60) Peer's Certificate issuer is not recognized.
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> It's telling me to use the insecure option, but I'm trying to figure out a way to get it to accept the cert... do I have to add to that NSS bundle?

Steve Haertel

Jul 13, 2017, 2:44:18 PM
to Search Guard
Thanks very much. I'm re-doing my curl/openssl as we speak.

Steve Haertel

Jul 13, 2017, 3:10:33 PM
to Search Guard
I must be getting closer... The handshake is happening and finishing...

[root@stevew tmp]# curl -v --cacert /PATH/cacert.pem https://hostname.domain:9201/_cluster/health?otherstuff=values
*   Trying XXX.XXX.XXX.XXX...
* TCP_NODELAY set
* Connected to hostname.domain (XXX.XXX.XXX.XXX) port 9201 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /PATH/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
* Closing connection 0
curl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

Steve Haertel

Jul 13, 2017, 4:22:30 PM
to Search Guard
SOLVED!

I got my curl calls working to my elasticsearch.

I had to generate a p12 file from my keystore, and THEN extract a .key/cert.pem pair, and then use --key and --cert on the curl command with those 2 files, instead of using the --cacert option with my cacert.pem file!
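
The three steps described in this post (Java keystore to PKCS#12, PKCS#12 to a PEM key/cert pair, then curl with --cert and --key), plus a check for the point raised earlier in the thread that curl must be an OpenSSL build rather than an NSS one, as an added shell example that is not from the thread or from Search Guard. The file names, the P12_PASS variable and the assumption that the keystore is a JKS file are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the client identity lives in
# a JKS keystore (hypothetical name client-keystore.jks), keytool and openssl
# are on PATH, and the PKCS#12 password is supplied in the P12_PASS variable.
set -eu

# Which TLS backend is this curl built against? Takes the text of `curl -V`
# and prints the library named after libcurl/x.y.z (NSS, OpenSSL, GnuTLS...).
# An NSS build looks for client certs in its own db, which is what produced
# "client certificate not found (nickname not specified)" above.
curl_ssl_backend() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/[^ ]* \([A-Za-z]*\)/.*|\1|p'
}

# Step 1: convert the Java keystore to PKCS#12 (keytool prompts for passwords).
keystore_to_p12() {  # $1 = client-keystore.jks  $2 = client.p12
    keytool -importkeystore -srckeystore "$1" -destkeystore "$2" \
        -deststoretype PKCS12
}

# Step 2: split the PKCS#12 into the PEM pair curl expects. The key comes out
# unencrypted (-nodes), so create it with owner-only permissions; -clcerts
# keeps only the client certificate, not the CA chain.
p12_to_pem() {  # $1 = client.p12  $2 = client.key  $3 = client.crt
    ( umask 077
      openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS -out "$2"
      openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS -out "$3" )
}

# Print the subject DN of the extracted certificate, so you can confirm which
# identity the node will see before debugging a "bad certificate" alert.
cert_subject() {  # $1 = client.crt
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# Step 3: the query. --cacert verifies the node's certificate; --cert/--key
# answer its "Request CERT (13)" with the client identity.
es_curl() {  # $1 = cacert.pem  $2 = client.crt  $3 = client.key  $4... = curl args
    ca=$1; crt=$2; key=$3; shift 3
    curl -sS --cacert "$ca" --cert "$crt" --key "$key" "$@"
}

# Usage, with the thread's placeholder host and port:
#   curl_ssl_backend "$(curl -V)"
#   keystore_to_p12 client-keystore.jks client.p12
#   P12_PASS=... p12_to_pem client.p12 client.key client.crt
#   cert_subject client.crt
#   es_curl /path/cacert.pem client.crt client.key \
#       "https://hostname.domain:9201/_cluster/health?otherstuff=values"
```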

Search Guard

Jul 13, 2017, 4:27:59 PM
to Search Guard
thx for sharing this