SSL enabling and certificate verification

Hi,

I encounter problems with enabling SSL on readonlyrest which force me to disable certificate verification on all clients (like Kibana, Logstash, etc.).
I receive this error:

    elasticsearch_1  | io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    elasticsearch_1  | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:459) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.13.Final.jar:4.1.13.Final]
    elasticsearch_1  | 	at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]
    elasticsearch_1  | Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    elasticsearch_1  | 	at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907) ~[?:?]
    elasticsearch_1  | 	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781) ~[?:?]
    elasticsearch_1  | 	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.8.0_151]
    elasticsearch_1  | 	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:255) ~[?:?]
    elasticsearch_1  | 	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1162) ~[?:?]
    elasticsearch_1  | 	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1084) ~[?:?]
    elasticsearch_1  | 	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[?:?]
    elasticsearch_1  | 	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[?:?]
    elasticsearch_1  | 	... 15 more

I created a self-signed certificate (cacert.pem, servercert.pem, serverkey.pem). I “added” this certificate to a keystore.jks as in the accepted answer here: Create java keystore from private key and CA certificate bundle - Stack Overflow

I specified the path to the keystore.jks in readonlyrest.yml, set http_type in elasticsearch.yml, and added these settings to kibana.yml:

    elasticsearch.ssl.certificate: /usr/share/kibana/cert/servercert.pem
    elasticsearch.ssl.key: /usr/share/kibana/cert/serverkey.pem
    elasticsearch.ssl.certificateAuthorities: [ "/usr/share/kibana/cert/cacert.pem" ]

What am I doing wrong?
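A certificate_unknown alert logged on the Elasticsearch side means the connecting client rejected the server certificate. Before relaxing verification on any client, the PEM files can be checked offline; this is an added example, not code from the thread or from ReadOnlyREST, and it assumes openssl is on PATH and uses "elasticsearch" as a constructed stand-in for the host name Kibana connects to.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks of the PEM files before
# they go into the ReadOnlyREST keystore and kibana.yml. Assumes openssl is
# on PATH; "elasticsearch" is a constructed host name standing in for the
# name Kibana uses in elasticsearch.hosts.

# 0 when the cert chains to the CA file AND names the host clients connect to.
# Either failure makes a verifying client (Kibana, curl without -k) reject
# the server and send the certificate_unknown alert seen in the ES log.
check_server_cert() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# 0 when the private key matches the certificate's public key; a mismatched
# pair in the keystore breaks the handshake before any trust check runs.
check_key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed test PKI in directory $1 for host $2: a CA, a server cert signed
# by it (the correct setup), and a stand-alone self-signed cert (the mistake
# that makes a client trusting only cacert.pem reject the server).
make_test_pki() {
    d="$1"; h="$2"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > "$d/ca.cnf"
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >> "$d/ca.cnf"
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Test CA" -keyout "$d/ca.key" -out "$d/cacert.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$h" \
        -keyout "$d/serverkey.pem" -out "$d/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$h" > "$d/san.ext"
    openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/san.ext" \
        -out "$d/servercert.pem" 2>/dev/null
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$h" -addext "subjectAltName=DNS:$h" \
        -keyout "$d/selfsigned.key" -out "$d/selfsigned.pem" 2>/dev/null
}

# Usage on real files: check_server_cert cacert.pem servercert.pem <es-host>
#                      check_key_matches_cert servercert.pem serverkey.pem
```

Only a pair that passes both checks, with the host name exactly as Kibana addresses Elasticsearch, is worth importing into the JKS; the self-signed cert fails the first check the same way the thread's client does.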

Have you checked this? java - SSL HandShake exception - Stack Overflow

Hi @sscarduzio, can I use keystore.jks, which is a keystore file generated using keytool, in the readonlyrest.yml file’s “ssl.keystore_file” field?

You can generate it how you want, as long as it’s in java keystore format. The same format is used in Tomcat, Wildfly, etc.

One more thing: I tried to access the Elasticsearch API in Postman using the SSL certificate/keystore.jks, but I am not getting any response. After I start Elasticsearch, the console shows that the cluster has started, so I think there is no problem starting Elasticsearch using SSL-ROR.

No errors? Do you have curl? If yes, can you try curl -vvv -k https://ES_HOST:9200