
Error: SSL certificate problem: self signed certificate in certificate chain

Open Moireabh opened this issue 2 years ago • 5 comments

Is there a const available to accept an SSC in the Constants.php?

My ES cluster uses encryption between the data channels.

Cert is generated via https://www.elastic.co/guide/en/elasticsearch/reference/current/certutil.html

Thanks


Moireabh avatar Sep 02 '22 12:09 Moireabh

I have used this to input data into the ingest node via metricbeat and the like.

Configure SSL verification mode. If none is configured, all server hosts and certificates will be accepted. In this mode, SSL based connections are susceptible to man-in-the-middle attacks. Use only for testing. Default is full.

ssl.verification_mode: none

Moireabh avatar Sep 02 '22 12:09 Moireabh

What OS? Did you add the self signed cert. to the trusted cert. store on the client machine connecting to ES? https://www.devdungeon.com/content/how-add-trusted-ca-certificate-centosfedora

shirosaidev avatar Sep 02 '22 18:09 shirosaidev

Yes thanks, that worked. But the cert was generated by Elastic's tool, certgen. Make sure you created your ES cluster certs with SANs and a CN; otherwise the default is without CN/DN/SAN (a blank cert) and you will still get issues with the ES internal cert used on the data port 9200.

Error: SSL: certificate subject name 'instance' does not match target host name

Otherwise it will work by adding it to the OS PKI cert store.

No idea how common this is, but it might be good to have an SSL verification = none / ignore option for certs in the future. Otherwise this is good as a workaround.

Moireabh avatar Sep 02 '22 21:09 Moireabh

X509v3 Subject Alternative Name: I've added all the IP addresses to this cert, and DNS names too. I can not add a CN to the Elastic transport SSL certs.

Unable to connect to Elasticsearch host xx.xx.xx.xx:9200. Error: SSL: certificate subject name 'instance' does not match target host name 'xx.xx.xx.xx'

I can not change the instance, only on the CA cert with certutil from ES. When signing the client cert with this CA, it still comes out as:

    Validity
        Not Before: Sep  6 16:33:58 2022 GMT
        Not After : Sep  5 16:33:58 2025 GMT
    Subject: CN=instance
    Subject Public Key Info:

    X509v3 Subject Alternative Name: IP Address:xx.xx.xx.xx, IP Address:xx.xx.xx.xx, DNS:xxxxxxx.xx.xx

Moireabh avatar Sep 07 '22 12:09 Moireabh

openssl s_client -showcerts -connect hostname:9200

Server certificate
subject=CN = instance

issuer=CN = Elastic Certificate Tool Autogenerated CA

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2190 bytes and written 398 bytes
Verification: OK

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

Moireabh avatar Sep 07 '22 13:09 Moireabh
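The "subject name 'instance' does not match target host name" error above comes from the name check that runs after the chain verifies: once a certificate carries a subjectAltName, verifiers consult only the SAN entries and ignore the CN. The following is an added example (not diskover's PHP code and not from this thread) that reproduces that matching rule in Python over a certificate dict in the shape `ssl.SSLSocket.getpeercert()` returns, and builds a client context that trusts the cluster CA instead of switching verification off. The certificate values and the `es_client_context` helper are constructed for illustration.

```python
import ipaddress
import ssl


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS match: case-insensitive, one leading '*' label allowed."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def cert_matches_host(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is covered by `cert` (getpeercert() dict).
    With a subjectAltName present only the SAN is consulted; the CN is a legacy
    fallback for SAN-less certs, so CN=instance alone never matches a real host."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    if san:
        for kind, value in san:
            if ip is not None and kind == "IP Address":
                if ipaddress.ip_address(value) == ip:
                    return True
            elif ip is None and kind == "DNS" and _dns_match(value, host):
                return True
        return False
    # No SAN extension: fall back to the subject CN (DNS names only).
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"), None)
    return ip is None and cn is not None and _dns_match(cn, host)


def es_client_context(ca_file=None) -> ssl.SSLContext:
    """Context trusting the cluster CA (or the OS store when None) with name checks on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed sample modelled on the certificate in the thread (values made up).
ES_CERT = {
    "subject": ((("commonName", "instance"),),),
    "subjectAltName": (("IP Address", "10.0.0.5"), ("DNS", "es1.example.internal")),
}
```

Connecting by an IP or DNS name listed in the SAN passes; connecting by the CN value `instance` fails because the SAN is present, which is the mismatch the thread reports.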

@LordBonkerz there is a new setting in 2.0.5 to not verify SSL.

shirosaidev avatar Oct 21 '22 19:10 shirosaidev