
Cannot use x-pack with certificates containing IPv6 addresses


Steps to reproduce:

  1. Generate a CA
  2. Generate a certificate that signs your local IPv6 address
  3. Sign the certificate generated in step 2 with the CA generated in step 1
  4. Start elasticsearch with x-pack and tell it to use your generated certificate
  5. Install node 8.10
  6. Try to use the elasticsearch npm-module to connect to your elasticsearch instance over https, telling it to trust anything signed by the CA certificate.

Expected result:

  1. Connection to server successful.

Actual result:

  1. Connection fails with
lib/elasticsearch-server.js [o.e.x.s.t.n.SecurityNetty4HttpServerTransport] caught exception while handling client http traffic, closing connection [id: 0x30833649, L:0.0.0.0/0.0.0.0:9200 ! R:/0:0:0:0:0:0:0:1:40426]
Elasticsearch ERROR: 2017-09-04T10:48:31Z
  Error: Request complete with error
  GET https://[::1]:9200/_template/logstash => Hostname/IP doesn't match certificate's altnames: "Host: [. is not in the cert's altnames: IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:10.101.2.3, IP Address:FE80:0:0:0:0:AFF:FE65:203, IP Address:172.16.1.158, IP Address:FE80:0:0:0:0:44FF:FE42:27A"
      at Log.error (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/log.js:226:56)
      at checkRespForFailure (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/transport.js:261:18)
      at HttpConnector.<anonymous> (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/connectors/http.js:158:7)
      at ClientRequest.bound (/opt/neti/ott-log/node_modules/lodash/dist/lodash.js:729:21)
      at emitOne (events.js:96:13)
      at ClientRequest.emit (events.js:188:7)
      at TLSSocket.socketErrorListener (_http_client.js:310:9)
      at emitOne (events.js:96:13)
      at TLSSocket.emit (events.js:188:7)
      at emitErrorNT (net.js:1277:8)
      at _combinedTickCallback (internal/process/next_tick.js:80:11)
      at process._tickCallback (internal/process/next_tick.js:104:9)

The problem is an issue in the agentkeepalive module: https://github.com/node-modules/agentkeepalive/pull/53. That issue was resolved in agentkeepalive 3.4.1.

Note that to test this you need a version of node that supports IPv6 addresses in certificates. This was added in node 8.10.0 and it is also available in a fairly recent 9.x release.

Connecting to an elasticsearch server over IPv6 without TLS works fine, and x-pack with a TLS certificate that contains an IPv4 address also works fine. The problem is only with TLS certificates that contain an IPv6 address. The problem is that URLs with IPv6 addresses are in the form https://[::1]:9200, i.e. with brackets around the address.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
mattiasholmlund commented, Mar 12, 2018

I tried looking at the changelog for agentkeepalive as well. The change from 2.2.0 to 3.0.0 was some more tests, they started emitting a ‘close’ event, and an import of code from node 7.2.1. The module copies parts of the node source code and patches it, so I guess that the import of new code from node was the “big” change. But they don’t seem to follow semantic versioning, because I can’t find any breaking changes.

The usage of agentkeepalive in this module (https://github.com/elastic/elasticsearch-js/blob/master/src/lib/connectors/http.js#L91) also matches the latest documentation for agentkeepalive, except that the keepAliveTimeout setting has been deprecated. But you already set freeSocketKeepAliveTimeout to the same value, so you can just remove keepAliveTimeout. (https://github.com/node-modules/agentkeepalive/blob/master/lib/agent.js#L22)

0 reactions
spalger commented, Mar 13, 2018

You might have to do the node_modules replacement manually since we strip Kibana’s deps in its package.json to prevent npm from breaking non-standard things we do during the build step, but you should be able to make it work since you know what you’re doing. Kibana 6.3 will ship with the new esjs version: https://github.com/elastic/kibana/pull/17119
