TheHive-Project / Cortex

Cortex: a Powerful Observable Analysis and Active Response Engine
https://thehive-project.org
GNU Affero General Public License v3.0

Cortex with Elasticsearch SSL #373

Open V1D1AN opened 3 years ago

V1D1AN commented 3 years ago

Cortex with Elasticsearch SSL

Request Type

Bug

Work Environment

| Question | Answer |
|---|---|
| OS version (server) | Cortex 3.1.1-1 |
| OS version (client) | W10 |
| Package Type | Docker |

Problem Description

In the documentation, I followed the configuration of Elasticsearch with SSL X-PACK, but it doesn't work for me.

Extract of application.conf for cortex:

  ## Authentication configuration
  user = "elastic"
  password = "password"
  ssl.enabled = true
  ssl.ca = "/opt/cortex/certificates/ca/ca.crt"

Extract of my docker-compose:

  cortex:
    image: 'cortex:3.1.1-1'
    container_name: cortex
    hostname: cortex
    restart: always
    volumes:
      - ./cortex/application.conf:/etc/cortex/application.conf:ro
      - certs:/opt/cortex/certificates
    networks:
      - s1em
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.cortex.rule=PathPrefix(`/cortex`)"
      - "traefik.http.routers.cortex.entryPoints=secure"
      - "traefik.http.routers.cortex.tls=true"

I have this error:

com.sksamuel.elastic4s.http.JavaClientExceptionWrapper: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.sksamuel.elastic4s.http.JavaClient$$anon$1.onFailure(JavaClient.scala:69)
        at org.elasticsearch.client.RestClient$FailureTrackingResponseListener.onDefinitiveFailure(RestClient.java:617)
        at org.elasticsearch.client.RestClient$1.failed(RestClient.java:375)
        at org.apache.http.concurrent.BasicFuture.failed(BasicFuture.java:137)
        at org.apache.http.impl.nio.client.DefaultClientExchangeHandlerImpl.executionFailed(DefaultClientExchangeHandlerImpl.java:101)
        at org.apache.http.impl.nio.client.AbstractClientExchangeHandler.failed(AbstractClientExchangeHandler.java:426)
        at org.apache.http.nio.protocol.HttpAsyncRequestExecutor.exception(HttpAsyncRequestExecutor.java:163)
        at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:76)
        at org.apache.http.impl.nio.client.InternalIODispatch.onException(InternalIODispatch.java:39)
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:125)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:451)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
        at sun.security.validator.Validator.validate(Validator.java:271)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)

To make it work, I must run:

docker exec -ti cortex keytool -import -alias ca -file /opt/cortex/certificates/ca/ca.crt -keystore /usr/local/openjdk-8/jre/lib/security/cacerts

Question: What is the correct configuration for setting up the CA certificate without doing the docker exec?

Please

chberti commented 3 years ago

Hello,

From my experience, my application.conf file mounted on the Cortex container uses these parameters:

search {
  index = your_cortex_index
  uri = "https://node1:9200,node2:9200"
  user = your_cortex_user
  password = your_cortex_user_password
  keyStore {
    path = "/path/to/keystore_file"
    type = "keystore_type" # JKS or PKCS12
    password = "keystore_password"
  }
  trustStore {
    path = "/path/to/truststore_file"
    type = "truststore_type" # JKS or PKCS12
    password = "truststore_password"
  }
}

As you can see, I had to use both trustStore AND keyStore to make Cortex reach ES with SSL. My keystore is empty, but I had to configure it so that Cortex uses the trustStore (which contains the ES nodes' certificates and the CA). If you have never used those before, maybe this should help: https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html

Hope that helps :)
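
Added example, not part of the thread or the Cortex project: a script that builds the trustStore and the empty keyStore which the configuration above points to, so the Elasticsearch CA is trusted without importing it into the JVM-wide cacerts. The output file names, the `es-ca` alias and the password argument are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). File names, alias and password are assumptions.
set -e

# build_truststore CA_PEM OUT_FILE STOREPASS [ALIAS]
# Creates a fresh PKCS12 truststore holding only the given CA certificate.
build_truststore() {
  local ca="$1" out="$2" pass="$3" alias="${4:-es-ca}"
  [ -r "$ca" ] || { echo "CA file not readable: $ca" >&2; return 1; }
  rm -f "$out"   # rebuild from scratch so stale trust anchors never linger
  keytool -importcert -noprompt -trustcacerts -alias "$alias" \
    -file "$ca" -keystore "$out" -storetype PKCS12 -storepass "$pass" >/dev/null 2>&1
}

# build_empty_keystore OUT_FILE STOREPASS
# keytool cannot create an empty store directly: add a throwaway key, then delete it.
build_empty_keystore() {
  local out="$1" pass="$2"
  rm -f "$out"
  keytool -genkeypair -alias placeholder -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=placeholder" -keystore "$out" -storetype PKCS12 \
    -storepass "$pass" -keypass "$pass" >/dev/null 2>&1
  keytool -delete -alias placeholder -keystore "$out" -storetype PKCS12 \
    -storepass "$pass" >/dev/null 2>&1
}

# store_has_alias STORE STOREPASS ALIAS -> exit status 0 if the alias exists in the store
store_has_alias() {
  keytool -list -alias "$3" -keystore "$1" -storetype PKCS12 -storepass "$2" >/dev/null 2>&1
}

# Usage: ./make-stores.sh ca.crt OUTPUT_DIR PASSWORD   (password: 6+ characters)
if [ "$#" -eq 3 ]; then
  mkdir -p "$2"
  build_truststore "$1" "$2/truststore.p12" "$3"
  build_empty_keystore "$2/keystore.p12" "$3"
  store_has_alias "$2/truststore.p12" "$3" es-ca && echo "truststore ready: $2/truststore.p12"
fi
```

Mount the two files into the container and set the trustStore and keyStore `path`, `type` (PKCS12) and `password` values to match. Run keytool from the same Java version as the Cortex container, since PKCS12 files written by newer JDKs may not load on older Java 8 builds.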

robomotic commented 2 years ago

Interesting, I have a similar problem and will try your approach.