I'm running Open Distro for Elasticsearch (v1.0.2) in Kubernetes. I've initialized Elasticsearch with my own self-signed certificates.

elasticsearch.yml:

opendistro_security.ssl.transport.pemcert_filepath: certs/node.pem
opendistro_security.ssl.transport.pemkey_filepath: certs/node-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false

opendistro_security.ssl.http.enabled: ${SSL_ENABLE} ## <--- true
opendistro_security.ssl.http.pemcert_filepath: certs/client.pem
opendistro_security.ssl.http.pemkey_filepath: certs/client-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: certs/root-ca.pem
opendistro_security.allow_default_init_securityindex: true

I generated those certificates using the Go "crypto/<>" packages, in PKCS#8 format.

client-key.pem:

-----BEGIN PRIVATE KEY-----
.....5UTLoSD7oYA8gOMBf2qkySSL.....
-----END PRIVATE KEY-----

client.pem:

-----BEGIN CERTIFICATE-----
.....lXt7yTNrpY0WfGJmGxzy...
-----END CERTIFICATE-----

Thus Elasticsearch initialized successfully:

[2020-07-25T06:55:01,565][INFO ][c.a.o.s.c.ConfigurationRepository] [elasticsearch-datgp5-0] Node 'elasticsearch-datgp5-0' initialized
$ curl -XGET "https://localhost:9200/_cluster/health?pretty" -u "admin:XXXX" --insecure
{
  "cluster_name" : "topology-es",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 1,
  "active_shards" : 1,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

But when I try the same thing with the go-client in --insecure mode, the following error occurs:

[2020-07-25T06:55:28,653][ERROR][c.a.o.s.s.h.n.OpenDistroSecuritySSLNettyHttpServerTransport] [elasticsearch-datgp5-0] SSL Problem pre_shared_key key extension is offered without a psk_key_exchange_modes extension javax.net.ssl.SSLHandshakeException: pre_shared_key key extension is offered without a psk_key_exchange_modes extension

How I create the go-client:

import (
    "crypto/tls"
    "net/http"

    esv7 "github.com/olivere/elastic/v7"
)

// secret, url, KeyAdminUserName and KeyAdminPassword are assumed to be defined in the surrounding code.
client, err := esv7.NewClient(
    esv7.SetHttpClient(&http.Client{
        Timeout: 0, // no client-side request timeout
        Transport: &http.Transport{
            TLSClientConfig: &tls.Config{
                InsecureSkipVerify: true, // skip server certificate verification, like curl --insecure
            },
        },
    }),
    esv7.SetBasicAuth(string(secret.Data[KeyAdminUserName]), string(secret.Data[KeyAdminPassword])),
    esv7.SetURL(url),
    esv7.SetHealthcheck(false), // no startup health check against the cluster
    esv7.SetSniff(false),       // do not discover nodes; use the given URL only
)
if err != nil {
    return nil, err
}
  • What is the meaning of this error? How do I fix it?
  • Any idea what I am doing wrong? How do I debug this?
Kamol Hasan
  • [Configure your Elasticsearch instance](https://www.elastic.co/guide/en/elasticsearch/reference/master/jvm-options.html) to run with java.net debugging. Add `-Djavax.net.debug=all` to the JVM options. Please add to your question the output lines marked with `java.net.ssl` – Pak Uula Jul 29 '20 at 05:35
  • Please add your Golang version as well. It looks like your Go code breaks the TLS 1.3 specification. The spec demands that pre_shared_key must be accompanied by psk_key_exchange_modes. Plan B is to disable TLS 1.3 in the JVM: `-Djdk.tls.server.protocols=TLSv1.2` – Pak Uula Jul 29 '20 at 05:51
  • @PakUula Thanks. I've solved the issue. It seems like a JDK bug: https://bugs.openjdk.java.net/browse/JDK-8210334 – Kamol Hasan Jul 29 '20 at 06:42
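As an added example (not code from the question, from olivere/elastic or from the JDK), this is the Go-side counterpart of the two points raised in the comments: the client verifies the server against the cluster's own root-ca.pem instead of setting InsecureSkipVerify, and it caps itself at TLS 1.2, so a server running an affected JDK never enters its TLS 1.3 handshake code at all. The self-signed certificate, the host name `elasticsearch` and the in-process handshake over net.Pipe are constructed fixtures; the returned *tls.Config is what would go into http.Transport.TLSClientConfig in the client code above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"math/big"
	"net"
	"time"
)

// clientTLSConfig replaces InsecureSkipVerify with verification against the cluster's own
// root-ca.pem and caps the client at TLS 1.2, so an affected JDK never takes its TLS 1.3 path.
func clientTLSConfig(rootCAPEM []byte, serverName string) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(rootCAPEM) {
		return nil, errors.New("root CA PEM contains no parsable certificate")
	}
	return &tls.Config{
		RootCAs:    pool,
		ServerName: serverName,       // hostname the server certificate must carry in its SANs
		MaxVersion: tls.VersionTLS12, // client-side analogue of -Djdk.tls.server.protocols=TLSv1.2
	}, nil
}

// negotiatedVersion generates a constructed self-signed server certificate in memory (a stand-in
// for root-ca.pem), runs an in-process handshake with the config above and returns the agreed version.
func negotiatedVersion() (uint16, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fixture; any failure surfaces at the handshake
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"elasticsearch"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	clientCfg, err := clientTLSConfig(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), "elasticsearch")
	if err != nil {
		return 0, err
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	cp, sp := net.Pipe() // in-memory connection standing in for the cluster's HTTPS port
	go tls.Server(sp, serverCfg).Handshake()
	client := tls.Client(cp, clientCfg)
	if err := client.Handshake(); err != nil {
		return 0, err // fails here if the CA or the hostname does not match
	}
	defer cp.Close() // raw close: a close_notify would block on the synchronous pipe
	return client.ConnectionState().Version, nil
}
```

Because the client never offers TLS 1.3, the ClientHello carries neither pre_shared_key nor psk_key_exchange_modes, and the server-side JDK check from the error message is not exercised.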

0 Answers