Front end SSL encryption - certificate unknown errors

Hello,

I’ve followed the SSL encryption configuration information and I am still having issues. I have a GUI which needs to connect to the External API. I am using ROR 1.35 free with ELK stack 7.11.1 on a Windows 2016 server.

What I have done/tried:

  • Added http.type: ssl_netty4 to the elasticsearch.yml file.
  • Created the ssl: section with a keystore and truststore for the readonlyrest.yml file.
  • Set client_authentication: true
  • Allow requests from listed machines using hosts (the GUI machine is on the list).
  • Added the GUI certificate to the truststore, the keystore, the Java cacerts truststore, and the machine certificate store (Trusted Root Certification Authorities, and under Personal).

All nodes are running ROR 1.35 however only this node is being set up for SSL connections (External API only). I’ll also need to connect a Kibana instance to this after I figure out the GUI issue.

Any ideas, or things to try I might have missed?

Thanks!

Jim

Hi @JimP, can you show us the resulting YAML?

Hey, here is the readonlyrest YAML. I do have xpack security set to false in the elastic YAML.

readonlyrest:
  # optional
  response_if_req_forbidden: This request has been refused because it originated from an unknown or untrusted source.

  ssl:
    keystore_file: "key.jks"
    keystore_pass: pass
    key_pass: pass
    truststore_file: "trust.jks"
    truststore_pass: pass
    client_authentication: true

  access_control_rules:

  - name: known-es-server-list
    hosts: ["xx.xx.xx.xx", "xx.xx.xx.xx"]
    verbosity: error

  - name: gui
    x_forwarded_for: ["xx.xx.xx.xx"]
    actions: ["indices:data/read/*", "indices:admin/aliases/get"]
    indices: ["*"]
    verbosity: error

  - name: test
    x_forwarded_for: ["xx.xx.xx.xx"]
    indices: ["*"]
    verbosity: error

  - name: Kibana
    type: allow
    auth_key: kibana:pass

  - name: "::user::"
    auth_key: user:pass
    kibana_access: admin
    verbosity: error

Seems fine, what is the error on the client side? Any SSL debug information available when the connection fails?

Logs don’t help much: net::ERR_CERT_AUTHORITY_INVALID

Not using a self-signed certificate. Going back to double-check if there are any issues with the certificate.

Thanks for verifying YAML.


Just a quick question: is the SSL connection to the readonlyrest over elasticsearch instance a one-to-one connection? Do you know if Windows certificate trusts interfere with the connection?

Thanks.

Ok, ERR_CERT_AUTHORITY_INVALID is a specific error.

Elasticsearch is a Java application, maybe the Java certification authority list needs to be updated? By the way, ES ships with its own platform-dependent “jdk” directory.
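Added example, not code from the thread or from the ReadonlyREST project: a small Python probe that performs the TLS handshake the GUI client would attempt against the ES node, optionally with a specific CA file and a client certificate (for `client_authentication: true`), and maps the OpenSSL failure text to the likely cause, separating "client does not trust the server's CA" (the browser's ERR_CERT_AUTHORITY_INVALID) from "server rejected or did not receive the client certificate". The host name, port 9200 and the file paths are assumptions.

```python
import socket
import ssl
from typing import Dict, Optional, Tuple

# OpenSSL alert / verify-error fragments (compared upper-cased) mapped to a cause
# code and the fix a defender would apply. Order matters: the first match wins.
_CAUSES = (
    ("HOSTNAME MISMATCH", "hostname_mismatch",
     "certificate is trusted but not issued for the name the client connects to"),
    ("CERTIFICATE HAS EXPIRED", "expired", "server certificate has expired"),
    ("CERTIFICATE_VERIFY_FAILED", "untrusted_ca",
     "client does not trust the issuing CA (a browser shows this as "
     "net::ERR_CERT_AUTHORITY_INVALID); import the CA into the client's trust store"),
    ("CERTIFICATE_REQUIRED", "client_cert_required",
     "server has client_authentication enabled but the client presented no certificate"),
    ("UNKNOWN_CA", "client_cert_rejected",
     "server rejected the client certificate: its issuer is not in the server truststore"),
    ("HANDSHAKE_FAILURE", "handshake_failure",
     "generic handshake rejection, often a refused client certificate on older TLS stacks"),
)


def classify_tls_error(message: str) -> Tuple[str, str]:
    """Map the text of an ssl.SSLError to (cause_code, remediation)."""
    upper = message.upper()
    for needle, code, advice in _CAUSES:
        if needle in upper:
            return code, advice
    return "unknown", "unrecognised TLS failure: " + message


def probe(host: str, port: int = 9200, ca_file: Optional[str] = None,
          client_cert: Optional[str] = None, client_key: Optional[str] = None,
          timeout: float = 5.0) -> Dict[str, object]:
    """Handshake with the node the way the GUI would and report the outcome.

    ca_file=None uses the OS trust store; pass the PEM of the CA that signed the
    server certificate to test the 'is the CA known?' question in isolation.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    if client_cert:  # only needed when readonlyrest.yml sets client_authentication: true
        ctx.load_cert_chain(client_cert, client_key)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "issuer": dict(pair for rdn in cert["issuer"] for pair in rdn)}
    except ssl.SSLError as exc:
        code, advice = classify_tls_error(str(exc))
        return {"ok": False, "cause": code, "advice": advice}
    except OSError as exc:  # TCP-level failure: wrong host/port, firewall, node down
        return {"ok": False, "cause": "connect_failed", "advice": str(exc)}
```

Run `probe("es-node.example", ca_file="ca.pem")` first; if that already reports `untrusted_ca`, the GUI machine's trust store is the problem, not the ROR truststore or client certificate.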

Thanks. I am actually using the jdk shipped with ES. I’ll check the Java cert authority list.

Sorry for any silly questions, still learning SSL stuff, never had to deal with it before.

No problem, SSL is a valley of nails, and nobody is wearing shoes.
