Closed andres-tw closed 2 years ago
thanks for this report @andres-tw , this will be fixed in 4.1.19
@andres-tw create a configuration file input.conf
containing:
search.trustStore.path=/etc/thehive/es.jks
search.trustStore.type=JKS
Then add the parameter --input /path/to/input.conf
to the migration tool.
@To-om Ah yes, sorry forgot to include the hive3 config. For all tests it's been configured as follows:
play.http.secret.key = "xxxx"
search {
index = "the_hive"
# NB! There is currently no way to disable hostname verification for TLS connections to Elastic
uri = "https://instance:9200"
nbreplicas = 1
nbshards = 10
user = "thehive"
password = "xxxxx"
# For SSL to work with ES, both trustStore and keyStore need to be defined
search.trustStore {
path = "/etc/thehive/es.jks"
type = "JKS"
password = "xxxx"
}
search.keyStore {
path = "/etc/thehive/es.jks"
type = "JKS"
password = "xxxx"
}
}
cluster {
name = "xxxxx"
}
auth {
provider = [local]
}
session {
warning = 5m
inactivity = 1h
}
# Max textual content length
play.http.parser.maxMemoryBuffer= 10M
# Max file size
play.http.parser.maxDiskBuffer = 1G
Tested now again, with only the trustStore configuration like in your example.
@To-om Anything else I can test or your working on it?
You can now configure http client by adding wsConfig
section in search
. You can find available settings in the documentation here and here. If you want to disable SSL certificate verification you can set:
search {
index = "the_hive"
uri = "https://instance:9200"
wsConfig.ssl.loose.acceptAnyCertificate = true
So the new config option did not help. Fails with the same error message on both 4.19.1-1 and 5.0.2 docker images. Tried adding that config option both together with a truststore and without. I also tried configuring the trust store debugging, but that did not produce any extra logs to help me in debugging this further. Could it somehow be related to the fact that I'm trying to do the migration from a docker container?
There is a typo in the last commit. The wsConfig
is not search in the correct section. You should adapt the configuration file and put it in search.trustStore
like that:
search {
index = "the_hive"
uri = "https://instance:9200"
trustStore.wsConfig.ssl.loose.acceptAnyCertificate = true
This will be fixed in the next release.
Request Type
Bug
Work Environment
Problem Description
Starting with version 4.1.17 when running the migration tool in a docker container initialisation of the migration fails with
PKIX path building failed
. Exactly the same configs work for starting the migration in 4.1.16-1.Steps to Reproduce
docker pull thehiveproject/thehive4:4.1.17-1
docker run -it --entrypoint /bin/bash -v "/opt/app/thehive/hive3.conf:/etc/thehive/hive3.conf:rw" -v "/opt/app/thehive/application.conf:/etc/thehive/application.conf:rw" -v "/opt/app/thehive/es.jks:/etc/thehive/es.jks:rw" --network host docker.tw.ee/tw-secops-thehive
./bin/migrate -d --output /etc/thehive/application.conf --main-organisation ORG_NAME --input /etc/thehive/hive3.conf
Possible Solutions
Not a solution, but a workaround might be to enable
index.search.elasticsearch.ssl.allow-self-signed-certificates
for migration connections somehow.Complementary information
Full stack trace: