lmenezes/cerebro
Issue #388: acceptAnyCertificate and disableHostnameVerification not working
Status: Open, opened on Aug 6, 2019
Labels: help wanted, question

Description
Hello, I am trying to connect to Elasticsearch in an OpenShift cluster. Everything works fine when connecting by service name, but it raises an error when connecting via NodePort:

```
! @7cm92gaee - Internal server error, for (POST) [/connect] ->
play.api.UnexpectedException: Unexpected exception[ConnectException: No subject alternative names matching IP address 10.192.31.116 found]
    at play.api.http.HttpErrorHandlerExceptions$.throwableToUsefulException(HttpErrorHandler.scala:319)
    at play.api.http.DefaultHttpErrorHandler.onServerError(HttpErrorHandler.scala:243)
    at play.core.server.AkkaHttpServer$$anonfun$1.applyOrElse(AkkaHttpServer.scala:382)
    at play.core.server.AkkaHttpServer$$anonfun$1.applyOrElse(AkkaHttpServer.scala:380)
    at scala.concurrent.Future.$anonfun$recoverWith$1(Future.scala:417)
Caused by: java.net.ConnectException: No subject alternative names matching IP address 10.192.31.116 found
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener.onFailure(NettyConnectListener.java:179)
    at play.shaded.ahc.org.asynchttpclient.netty.channel.NettyConnectListener$1.onFailure(NettyConnectListener.java:151)
    at play.shaded.ahc.org.asynchttpclient.netty.SimpleFutureListener.operationComplete(SimpleFutureListener.java:26)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:511)
    at play.shaded.ahc.io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:504)
Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.192.31.116 found
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.192.31.116 found
    at java.base/sun.security.util.HostnameChecker.matchIP(Unknown Source)
    at java.base/sun.security.util.HostnameChecker.match(Unknown Source)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source)
    at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
```
It seems that the IP address does not match the certificate subject, so I tried adding `play.ws.ssl.loose.acceptAnyCertificate = true` to the configuration file, but then I received a new error on the web side:

```
{"status":401,"body":{"error":"Authentication finally failed"}}
```

It can be accessed normally via curl:

```
[root@localhost #143]# curl -vk -E ./admin-cert --key ./admin-key https://10.192.31.116:30001/_cluster/health
* About to connect() to 10.192.31.116 port 30001 (#0)
* Trying 10.192.31.116...
* Connected to 10.192.31.116 (10.192.31.116) port 30001 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate from file
* subject: CN=system.admin,OU=OpenShift,O=Logging
* start date: May 31 12:11:42 2018 GMT
* expire date: May 30 12:11:42 2020 GMT
* common name: system.admin
* issuer: CN=logging-signer-test
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=logging-es,OU=OpenShift,O=Logging
* start date: May 31 12:11:52 2018 GMT
* expire date: May 30 12:11:52 2020 GMT
* common name: logging-es
* issuer: CN=logging-signer-test
> GET /_cluster/health HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.192.31.116:30001
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 388
<
* Connection #0 to host 10.192.31.116 left intact
{"cluster_name":"logging-es","status":"green","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":40,"active_shards":40,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":0,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":100.0}
```

This is the configuration file content:

```
secret = "TkludBfg7GgGCd5L7bmL8WGGtshmwT56OcTelcWfgRDtetL85SQwf86SEnTvaGcK"
basePath = "/"
pidfile.path=/dev/null
rest.history.size = 50
data.path = "/etc/cerebro/data/cerebro.db"
play.ws.ssl {
  keyManager = {
    stores = [
      { type = "JKS", password = "kspass", path = "/etc/cerebro/certs/admin.jks" }
    ]
  },
  trustManager = {
    stores = [
      { type = "JKS", password = "tspass", path = "/etc/cerebro/certs/truststore" }
    ]
  }
}
play.ws.ssl.loose.acceptAnyCertificate = true
# play.ws.ssl.loose.disableHostnameVerification = true
es = {
  gzip = true
}
auth = {
}
hosts = [
  {
    # access via service name
    host = "https://logging-es:9200"
    name = "logging-es-exp"
  },
  {
    # access via nodeport
    host = "https://10.192.31.116:30001"
    name = "logging-es-exp-nodeport"
  }
]
```
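The stack trace above ends in `HostnameChecker.matchIP`, which is the JSSE identity check rather than chain validation: an IP literal in the URL is compared only against iPAddress entries in the certificate's subjectAltName, so a certificate that only names `logging-es` can never satisfy `https://10.192.31.116:30001` no matter which CA signed it. The following added example (not code from the issue, from cerebro, or from Play/JSSE) reimplements that matching logic on the dict shape Python's `ssl.SSLSocket.getpeercert()` returns, so the failure and its proper fix can be seen side by side. The certificate dicts are constructed: the subject mirrors the curl output in the issue, but the SAN entries are assumptions, because the issue never prints the server certificate's extensions.

```python
"""Added example: reproduce the JSSE-style certificate identity check that
produced "No subject alternative names matching IP address ... found"."""
import ipaddress
from typing import Tuple

# Constructed peer-certificate dicts in the shape ssl.SSLSocket.getpeercert()
# returns. Subject taken from the curl output in the issue; SAN contents are
# assumed (the issue does not show the real certificate's extensions).
CERT_SERVICE_NAME_ONLY = {
    "subject": (
        (("commonName", "logging-es"),),
        (("organizationalUnitName", "OpenShift"),),
        (("organizationName", "Logging"),),
    ),
    "subjectAltName": (("DNS", "logging-es"),),
}
# The same certificate re-issued with the NodePort address as an iPAddress SAN:
# this is what makes the IP-addressed URL verify without loosening the client.
CERT_WITH_IP_SAN = {
    "subject": CERT_SERVICE_NAME_ONLY["subject"],
    "subjectAltName": (("DNS", "logging-es"), ("IP Address", "10.192.31.116")),
}


def dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot
    ignored, and a wildcard is honoured only as the entire left-most label
    of a pattern with at least three labels (so '*.com' matches nothing)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def match_identity(cert: dict, target: str) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `target` (hostname or IP literal).
    Returns (ok, reason). The IP-case reason mirrors the JSSE message in the
    issue's stack trace."""
    sans = cert.get("subjectAltName", ())
    dns_sans = [v for t, v in sans if t == "DNS"]
    ip_sans = [v for t, v in sans if t == "IP Address"]

    # An IP literal is matched only against iPAddress SANs; neither the CN nor
    # any dNSName entry is consulted. That is why https://logging-es:9200
    # verifies while https://10.192.31.116:30001 does not.
    try:
        ip = ipaddress.ip_address(target.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        for cand in ip_sans:
            try:
                if ipaddress.ip_address(cand) == ip:
                    return True, f"iPAddress SAN {cand} matches"
            except ValueError:
                continue
        return False, f"No subject alternative names matching IP address {ip} found"

    for cand in dns_sans:
        if dns_match(cand, target):
            return True, f"dNSName SAN {cand} matches"
    if dns_sans:
        return False, f"No subject alternative DNS name matching {target} found"
    # Legacy fallback: only when the certificate carries no dNSName SAN at all
    # is the subject CN compared (browsers no longer do even this).
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    if cn is not None and dns_match(cn, target):
        return True, f"subject CN {cn} matches (no SAN present)"
    return False, f"No name matching {target} found"


def explain(cert: dict, target: str) -> str:
    """One-line verdict, convenient for eyeballing a certificate's coverage."""
    ok, reason = match_identity(cert, target)
    return f"{target}: {'OK' if ok else 'FAIL'} ({reason})"


if __name__ == "__main__":
    for label, cert in (("service-name cert", CERT_SERVICE_NAME_ONLY),
                        ("cert with IP SAN", CERT_WITH_IP_SAN)):
        print(label)
        print(" ", explain(cert, "logging-es"))
        print(" ", explain(cert, "10.192.31.116"))
```

The first certificate fails for the IP and passes for the service name, exactly the split the issue reports; the second passes for both. Of the two loose settings in the config, `disableHostnameVerification` would turn off only this identity check, whereas `acceptAnyCertificate` also stops validating the chain against the configured truststore, so the narrower fix is to issue the Elasticsearch certificate with the NodePort IP (or a DNS name that resolves to it) in its SAN and leave both loose settings off. To feed a real certificate to `match_identity`, open a verified TLS connection (`ssl.create_default_context()` with the truststore loaded) and pass the dict from `getpeercert()`; with verification disabled that call returns an empty dict, which is the same blind spot the loose settings create.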