
[TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel #1085

Closed
yurgers opened this issue Jul 31, 2019 · 3 comments


yurgers commented Jul 31, 2019

Request Type

Question

Work Environment

OS version (server): CentOS
TheHive version / git hash: 3.3.1
Elasticsearch version: 7.2.0
Package Type: RPM

Problem Description

Good day!
I cannot understand how to connect TheHive to elasticsearch.

On elasticsearch I get this error:
client did not trust this server's certificate, closing connection Netty4TcpChannel

As far as I can tell, I am adding the certificates to TheHive incorrectly.

Steps to Reproduce

1. Created the certificate.
/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

openssl pkcs12 -in elastic-certificates.p12 -out crt.pem -clcerts -nokeys
openssl pkcs12 -in elastic-certificates.p12 -out key.pem -nocerts -nodes
openssl pkcs12 -in elastic-stack-ca.p12 -out ca.pem -clcerts -nokeys

cp ./*.pem  /etc/elasticsearch/
2. configure elasticsearch
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/key.pem
xpack.security.transport.ssl.certificate: /etc/elasticsearch/crt.pem
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/ca.pem" ]


xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key:  /etc/elasticsearch/key.pem
xpack.security.http.ssl.certificate: /etc/elasticsearch/crt.pem
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/ca.pem" ]
3. configure TheHive:
search {
  ## Basic configuration
  index = the_hive
  cluster = hive
  host = ["127.0.0.1:9300"]

  ## Advanced configuration

  ### XPack SSL configuration
  username = "admin"
  password = "Passw0rd"
  ssl.enabled = true
  ssl.ca = "/etc/thehive/ca.pem"
  ssl.certificate = "/etc/thehive/crt.pem"
  ssl.key = "/etc/thehive/key.pem"
}

Complementary information

On TheHive I get this error:

[2019-07-31T12:37:53,842][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38338}
[2019-07-31T12:37:58,858][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38340}
[2019-07-31T12:38:03,874][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38342}
[2019-07-31T12:38:08,888][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38344}
[2019-07-31T12:38:13,903][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38346}
[2019-07-31T12:38:18,940][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38348}
[2019-07-31T12:38:23,945][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38350}
[2019-07-31T12:38:28,965][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38352}
[2019-07-31T12:38:33,987][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38354}
[2019-07-31T12:38:39,004][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38356}
[2019-07-31T12:38:44,021][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38358}
[2019-07-31T12:38:49,045][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38360}
[2019-07-31T12:38:54,061][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38362}
[2019-07-31T12:38:59,087][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [TheHive] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=0.0.0.0/0.0.0.0:9300, remoteAddress=/127.0.0.1:38364}

On TheHive I get this error:

2019-07-31 05:37:08,678 [WARN] from org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport in elasticsearch[_client_][transport_client_boss][T#2] - write and flush on the network layer failed (channel: [id: 0x8b5a5184, L:/127.0.0.1:38320 - R:/127.0.0.1:9300])
javax.net.ssl.SSLException: SSLEngine closed already
        at io.netty.handler.ssl.SslHandler.wrap(...)(Unknown Source)
2019-07-31 05:37:08,679 [WARN] from org.elasticsearch.xpack.security.transport.netty4.SecurityNetty4Transport in elasticsearch[_client_][transport_client_boss][T#2] - exception caught on transport layer [[id: 0x8b5a5184, L:/127.0.0.1:38320 ! R:/127.0.0.1:9300]], closing connection
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: No subject alternative names present
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
        at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names present
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:641)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:460)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1048)
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:995)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1295)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1208)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
        ... 15 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative names present
        at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:137)
        at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
        at org.elasticsearch.xpack.ssl.SSLService$ReloadableTrustManager.checkServerTrusted(SSLService.java:552)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:619)
        ... 27 common frames omitted

Test of the transport port:

openssl s_client -connect 127.0.0.1:9300 -CAfile  /etc/thehive/ca.pem
CONNECTED(00000003)
depth=1 CN = Elastic Certificate Tool Autogenerated CA
verify return:1
depth=0 CN = instance
verify return:1
---
Certificate chain
 0 s:/CN=instance
   i:/CN=Elastic Certificate Tool Autogenerated CA
 1 s:/CN=Elastic Certificate Tool Autogenerated CA
   i:/CN=Elastic Certificate Tool Autogenerated CA
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/CN=instance
issuer=/CN=Elastic Certificate Tool Autogenerated CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2139 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: C55F2B21DDDF4D9EABB25DEB26C4EF1FEC18E3608C37229E1E9472CBC2D4824A
    Session-ID-ctx:
    Master-Key: 0423C9D2116CFD18CC55EAA9A9D105158CBAB3116749AB5FD9A7A322073634C5699A67D2791A82A675C530EF1A8B3DE9
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564577877
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
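The TheHive-side trace above fails inside HostnameChecker.matchIP: the client connects to an IP address (127.0.0.1), and for IP addresses the Java trust manager consults only iPAddress entries in the subjectAltName extension, never the CN, so a certificate that carries only CN=instance is rejected with "No subject alternative names present" even though openssl s_client (which does not check the hostname) reports verify return 0. The following Python is an added example, not code from the issue, TheHive or Elasticsearch: it models that identity check over the dict shape `ssl.SSLSocket.getpeercert()` returns, so a practitioner can run it against a real peer certificate before deploying. Both sample certificates are constructed; the second shows the SAN entries that `elasticsearch-certutil cert --ip 127.0.0.1 --dns localhost` would add.

```python
import ipaddress

# Constructed: mirrors the certificate quoted in the issue (CN only, no SAN extension).
CERT_NO_SAN = {"subject": ((("commonName", "instance"),),)}
# Constructed: the same subject with SANs for the IP and name TheHive connects to.
CERT_WITH_SAN = {
    "subject": ((("commonName", "instance"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """Case-insensitive match; a single leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_identity(host, cert):
    """Model of Java's HostnameChecker: returns (accepted, reason).

    `cert` uses the ssl.SSLSocket.getpeercert() layout. For an IP host only
    iPAddress SANs count and a missing SAN extension is fatal; for a DNS host
    dNSName SANs are tried first and the CN is a fallback only when the
    certificate carries no dNSName SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    if _is_ip(host):
        if not sans:
            return False, "No subject alternative names present"
        target = ipaddress.ip_address(host)
        ips = [v for k, v in sans if k == "IP Address"]
        if any(ipaddress.ip_address(v) == target for v in ips):
            return True, "matched iPAddress SAN"
        return False, "No subject alternative names matching IP address %s found" % host
    dns = [v for k, v in sans if k == "DNS"]
    if any(_dns_match(p, host) for p in dns):
        return True, "matched dNSName SAN"
    if dns:
        return False, "No subject alternative DNS name matching %s found" % host
    cn = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cn and _dns_match(cn[-1], host):
        return True, "matched subject CN (legacy fallback, DNS names only)"
    return False, "No name matching %s found" % host
```

To inspect a live peer, wrap a socket with `ssl.create_default_context(cafile=...)`, `check_hostname=False` and `verify_mode=CERT_REQUIRED`, then pass `getpeercert()` to `check_identity` together with the host string TheHive is configured with.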

ITServ-DE commented Aug 1, 2019

Well, all your logs look good to me, and I cannot tell you what's wrong.

Quick experiment: use ES port 9200 instead of 9300.

search {
  ## Basic configuration
  index = the_hive
  cluster = hive
  host = ["127.0.0.1:9200"]
  ## Advanced configuration

  ### XPack SSL configuration
  username = "admin"
  password = "Passw0rd"
  ssl.enabled = true
  ssl.ca = "/etc/thehive/ca.pem"
  ssl.certificate = "/etc/thehive/crt.pem"
  ssl.key = "/etc/thehive/key.pem"
}

Just a hint: If I were you I would now double-check the ElasticSearch port number used. There seem to be two different ports, one for HTTP transport and one for a binary connection or so. I never understood completely. And it depends if you use ES5 or ES6, I think. And it also depends on TheHive's version. Make sure you use the correct port number, and reread the docs.

Again, it's just a vague idea ...

Good luck!

I know it's somewhat unprofessional: you run TH and ES on the same host. Why use TLS? The data never leaves your host, so I see no need to encrypt it. Moreover, encryption creates CPU load you could avoid.


yurgers commented Aug 1, 2019

Hi,

Quick experiment: use ES port 9200 instead of 9300.

The documentation states:

TheHive uses the transport port (9300/tcp by default) and not the http port (9200/tcp).

I know it's somewhat unprofessional: you run TH and ES on the same host. Why use TLS? The data never leaves your host, so I see no need to encrypt it. Moreover, encryption creates CPU load you could avoid

If you do not include TLS, I get the error from #307:

java.lang.IllegalStateException: Received message from unsupported version: [5.6.0] minimal compatible version is: [7.0.0]

At the moment I think that I am using too new an elasticsearch.

To-om (Contributor) commented Apr 6, 2020

xpack is not supported anymore. If you want to add security to your ES connection, you can update your configuration file with this:

search {
  [...]
  ## Authentication configuration
  #search.username = ""
  #search.password = ""

  ## SSL configuration
  #search.keyStore {
  #  path = "/path/to/keystore"
  #  type = "JKS" # or PKCS12
  #  password = "keystore-password"
  #}
  #search.trustStore {
  #  path = "/path/to/trustStore"
  #  type = "JKS"
  #  password = "trustStore-password"
  #}
}

@To-om To-om closed this as completed Apr 6, 2020
@To-om To-om added the need:docs label Apr 6, 2020