Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cannot use x-pack with certificates containing IPv6 addresses #640

Closed
mattiasholmlund opened this issue Mar 8, 2018 · 6 comments
Closed

Comments

@mattiasholmlund
Copy link

mattiasholmlund commented Mar 8, 2018

Steps to reproduce:

  1. Generate a CA
  2. Generate a certificate that signs your local IPv6 address
  3. Sign the certificate generated in step 2 with the CA generated in step 1
  4. Start elasticsearch with x-pack and tell it to use your generated certificate
  5. Install node 8.10
  6. Try to use the elasticsearch npm-module to connect to your elasticsearch instance over https, telling it to trust anything signed by the CA certificate.

Expected result:

  1. Connection to server successful.

Actual result:

  1. Connection fails with
lib/elasticsearch-server.js [o.e.x.s.t.n.SecurityNetty4HttpServerTransp
ort] caught exception while handling client http traffic, closing connection [id: 0x30833649, L:0.0.0.0/0.0.0.0:9200 ! R:/0:0:0:0:0:0:0:1:40426]
Elasticsearch ERROR: 2017-09-04T10:48:31Z
  Error: Request complete with error
  GET https://[::1]:9200/_template/logstash => Hostname/IP doesn't match certificate's altnames: "Host: [. is not in the cert's altnames: IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1, IP Address:10.101.2.3, IP Address:FE80:0:0:0:0:AFF:FE65:203, IP Address:172.16.1.158, IP Address:FE80:0:0:0:0:44FF:FE42:27A"
      at Log.error (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/log.js:226:56)
      at checkRespForFailure (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/transport.js:261:18)
      at HttpConnector.<anonymous> (/opt/neti/ott-log/node_modules/elasticsearch/src/lib/connectors/http.js:158:7)
      at ClientRequest.bound (/opt/neti/ott-log/node_modules/lodash/dist/lodash.js:729:21)
      at emitOne (events.js:96:13)
      at ClientRequest.emit (events.js:188:7)
      at TLSSocket.socketErrorListener (_http_client.js:310:9)
      at emitOne (events.js:96:13)
      at TLSSocket.emit (events.js:188:7)
      at emitErrorNT (net.js:1277:8)
      at _combinedTickCallback (internal/process/next_tick.js:80:11)
      at process._tickCallback (internal/process/next_tick.js:104:9)

The problem is an issue in the agentkeepalive module: node-modules/agentkeepalive#53 That issue was resolved in agentkeepalive 3.4.1

Note that to test this you need a version of node that supports IPv6 addresses in certificates. This was added in node 8.10.0 and it is also available in a fairly recent 9.x release.

Connecting to an elasticsearch server over IPv6 without TLS works fine and x-pack with a TLS-certificate that contains an IPv4 address also works fine. The problem is only with TLS certificates that contain an IPv6 address. The problem is that url:s with IPv6 addresses are in the form https://[::1]:9200, i.e. with brackets around the address.

@mattiasholmlund
Copy link
Author

I have written code to reproduce the problem locally without installing elasticsearch. See https://github.com/mattiasholmlund/test-elasticsearch-ipv6-tls

@spalger
Copy link
Contributor

spalger commented Mar 9, 2018

Thanks for the reproduction @mattiasholmlund. I'm looking into upgrading agentkeepalive. The 3.0 changelog doesn't seem breaking to me, which probably means I'm missing something subtle...

@mattiasholmlund
Copy link
Author

I tried looking at the changelog for agentkeepalive as well. The change from 2.2.0 to 3.0.0 was some more tests, they started emitting a 'close' event and import of code from node 7.2.1. The module copies parts of the node source-code and patches it, so I guess that the import of new code from node was the "big" change. But they don't seem to follow semantic versioning, because I can't find any breaking changes.

The usage of agentkeepalive in this module (https://github.com/elastic/elasticsearch-js/blob/master/src/lib/connectors/http.js#L91) also matches the latest documentation for agentkeepalive, except that the keepAliveTimeout setting has been deprecated. But you already set freeSocketKeepAliveTimeout to the same value, so you can just remove keepAliveTimeout. (https://github.com/node-modules/agentkeepalive/blob/master/lib/agent.js#L22)

@spalger
Copy link
Contributor

spalger commented Mar 13, 2018

Just released the upgrade in 14.2.0, let me know how it goes 😄

@mattiasholmlund
Copy link
Author

Thanks for the release. It works great. Now I just need to get Kibana working with the same setup, but I think I can download the release tar-file for kibana and then use npm to replace the version of the elasticsearch module in Kibana.

@spalger
Copy link
Contributor

spalger commented Mar 13, 2018

You might have to do the node_modules replacement manually since we strip Kibana's deps in it's package.json to prevent npm from breaking non-standard things we do during the build step, but you should be able to make it work since you know what you're doing. Kibana 6.3 will ship with the new esjs version: elastic/kibana#17119

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants