I am trying to set up Open Distro Elasticsearch in a Docker container using a docker-compose file. I am setting it up for my organization, so I am using our own company certificates signed by our internal CA. I have also added the certs in the elasticsearch.yml file.
However, when I try to run the securityadmin.sh script using my certs, I am getting the error below:
Open Distro Security Admin v7
Will connect to localhost:9300 … done
10:55:11.720 [elasticsearch[client][transport_worker][T#1]] ERROR com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Do I need to add the certs anywhere else? Please suggest if I am missing anything here.
It would help if you provided the complete command line you used that resulted in the error message above. Off the top, I would guess that your CA certificate and your admin certificates don’t match … but having the whole command line would help narrow things down.
Thanks for your reply. Here is the command that I used, which resulted in the error message above.
[root@359bb31eda70 config]# /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cacert /usr/share/elasticsearch/config/root-ca.pem -cert /usr/share/elasticsearch/config/node.pem -key /usr/share/elasticsearch/config/sandbox.elk.mydomain.com.key -f /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml -t config
Open Distro Security Admin v7
Will connect to localhost:9300 … done
06:14:26.783 [elasticsearch[client][transport_worker][T#1]] ERROR com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I have converted my node and root CA certificates from .crt to .pem.
The reason for using the .key file in the above command is that I tried to convert my key to .pem and use it in the above command, but it says "File does not contain valid private key", hence I tried the .key file and got the above error.
@ravis85 securityadmin.sh requires an admin certificate to execute administrative commands. The demo admin cert is kirk.pem, which is also defined as the value of opendistro_security.authcz.admin_dn: in elasticsearch.yml.
If you'd like to replace the demo admin cert with your own, then you have to add or replace admin_dn with your custom one. opendistro_security.authcz.admin_dn: is an array and can hold more than one value.
./securityadmin.sh -cd …/securityconfig/ -icl -nhnv -cacert …/…/…/config/root-ca.pem -cert …/…/…/config/admin.pem -key …/…/…/config/admin.key
Open Distro Security Admin v7
Will connect to localhost:9300 … done
15:15:15.637 [elasticsearch[client][transport_worker][T#1]] ERROR com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLNettyTransport - Exception during establishing a SSL connection: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My question is: do I need to add the admin cert to a keystore/truststore file to make this work? If yes, could you please tell me which keystore file I need to add the certificate to?
@ravis85 I think your issue is in the Elasticsearch certificate.
By default securityadmin.sh uses localhost as the default target and will try to connect on the transport layer (ports 9300-9400).
Since you've replaced your certificates with custom certs, you might have forgotten to add localhost to the SAN (Subject Alternative Name) of the node.pem certificate defined in opendistro_security.ssl.transport.pemcert_filepath.
You have two solutions here.
First, if you wish to keep using localhost as a target, you should regenerate the transport certs and add localhost to SAN.
Second, you can use the -h option with either the IP address or the FQDN of the Elasticsearch node. Be sure that the IP address or FQDN is in the CN or SAN of the node.pem certificate.
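A pre-flight check for the two things this thread turns on (does node.pem chain to the file passed as -cacert, and is the host securityadmin.sh will connect to listed in the node certificate's CN or SAN), as an added example that is not part of the thread; it assumes openssl is on PATH, and make_demo_pki builds a constructed throwaway CA and node cert so the checks can be tried offline before pointing precheck at your real root-ca.pem and node.pem:

```shell
#!/bin/sh
# Added pre-flight check (not from the thread): before running securityadmin.sh,
# confirm (1) the node certificate chains to the file given as -cacert and
# (2) the host securityadmin connects to (localhost by default, or the -h
# value) appears in the node certificate's CN or SAN. Assumes openssl on PATH.

# check_chain CAFILE CERT: 0 if CERT chains to CAFILE, non-zero otherwise.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_has_name CERT NAME: 0 if NAME is a DNS/IP SAN entry or the CN of CERT.
cert_has_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null |
    grep -Eq "(DNS:|IP Address:|CN ?= ?)$2(,|\$)"
}

# precheck CAFILE CERT HOST: runs both checks, reports, returns 0 only if both pass.
precheck() {
  rc=0
  if check_chain "$1" "$2"; then echo "chain ok: $2 is signed by $1"
  else echo "chain FAIL: $2 does not chain to $1 (this is the PKIX error)"; rc=1; fi
  if cert_has_name "$2" "$3"; then echo "name ok: $3 is in CN/SAN of $2"
  else echo "name FAIL: add $3 to the SAN of $2, or pass -h with a listed name"; rc=1; fi
  return $rc
}

# make_demo_pki DIR: constructed throwaway root CA + node cert (SAN includes
# localhost), plus an unrelated CA, so both outcomes can be exercised offline.
make_demo_pki() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.cnf"
  printf 'subjectAltName=DNS:localhost,DNS:node1.example.internal,IP:127.0.0.1\n' > "$d/san.cnf"
  for ca in root-ca other-ca; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$ca" \
      -keyout "$d/$ca.key" -out "$d/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 1 \
      -extfile "$d/ca.cnf" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=node1" \
    -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
  openssl x509 -req -in "$d/node.csr" -CA "$d/root-ca.pem" -CAkey "$d/root-ca.key" \
    -CAcreateserial -days 1 -extfile "$d/san.cnf" -out "$d/node.pem" 2>/dev/null
}

# Real files: precheck /usr/share/elasticsearch/config/root-ca.pem /usr/share/elasticsearch/config/node.pem localhost
```

If the chain check fails, securityadmin.sh will fail with the PKIX error no matter what -h is set to; if only the name check fails, regenerate node.pem with the host in its SAN or pass -h with a name the certificate already carries.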