error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Hello everyone,

Here's my problem:

I need to implement Elasticsearch. For that I use a docker-compose with Elasticsearch, Kibana and Enterprise Search.

I have a fullchain.pem, a privkey.pem and, for the CA, ca-certificates.crt.

I work on an internal server (192.168.xxx.xxx). Elastic is on port 9200, Kibana on 5601 and Enterprise Search on 3002.

When I use HTTP everything is OK, but I need HTTPS to use some connector, and when I try to reach 192.168.xxx.xxx:5601 I get an error: ERR_SSL_PROTOCOL_ERROR

So I tried openssl s_client -connect 192.168.xxx.xxx:5601 and I got the 1408f10b error.

There is something weird: my /etc/ssl/certs/ca-certificates.crt looks like this:

The certificates are there but they don't have names.

I'm a newbie, so if you need any other info that I missed, sorry; I'll answer with whatever you want.

Those ports, are they http ports?

Https and http are usually on different ports. Other than getting your fullchain and key, did you tell your software to use them?

1 Like

Hello, thanks for your quick answer!

They work for HTTP, but the documentation says HTTPS as well.

Yes, here is my docker-compose:

version: '2'
networks:
 elastic:
   driver: bridge 

volumes:
 elasticsearch:
   driver: local
 certs:  

services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.1
    restart: unless-stopped
    container_name: node1
    environment:
      cluster.name: my_cluster
      node.name: node1
      discovery.type: single-node
      ES_JAVA_OPTS: -Xms512m -Xmx512m
      xpack.security.enabled: "true"
      xpack.security.authc.api_key.enabled: "true"
      xpack.security.audit.enabled: "true"  
      ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
      xpack.security.transport.ssl.enabled: "true"
      xpack.security.transport.ssl.verification_mode: certificate 
      xpack.security.transport.ssl.certificate: /usr/share/elasticsearch/config/certificates/fullchain.pem
      xpack.security.transport.ssl.key: /usr/share/elasticsearch/config/certificates/privkey.pem
      xpack.security.transport.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca-certificates.crt
      xpack.security.http.ssl.verification_mode: certificate
      xpack.security.http.ssl.enabled: "true"
      #xpack.security.http.ssl.client_authentication: optional
      xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/certificates/ca-certificates.crt
      xpack.security.http.ssl.key: /usr/share/elasticsearch/config/certificates/privkey.pem
      xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certificates/fullchain.pem
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - elasticsearch:/usr/share/elasticsearch/data
      - /home/lenaic/ela/certs:$CERTS_DIR
    ports:
      - 9200:9200
    networks:
      - elastic

  ent-search:
    image: docker.elastic.co/enterprise-search/enterprise-search:7.17.1
    restart: unless-stopped
    depends_on:
      - "elasticsearch"
    environment:
      - "JAVA_OPTS=-Xms512m -Xmx512m"
      - "ENT_SEARCH_DEFAULT_PASSWORD=${ELASTIC_PASSWORD}"
      - "elasticsearch.username=elastic"
      - "elasticsearch.password=${ELASTIC_PASSWORD}"
      - "elasticsearch.host=https://elastic.mirahi.cloud:9200"
      - "allow_es_settings_modification=true"
      - "secret_management.encryption_keys=[${SECRET_MANAGEMENT_ENCRYPTION}]"
      - "elasticsearch.startup_retry.interval=15"
      - "ent_search.external_url=http://elastic.mirahi.cloud:3002"
      - "kibana.external_url=https://elastic.mirahi.cloud:5601"
      - "elasticsearch.ssl.enabled:true"
      - "elasticsearch.ssl.certificate:/usr/share/elasticsearch/config/certificates/fullchain.pem"
      - "elasticsearch.ssl.key:/usr/share/elasticsearch/config/certificates/privkey.pem"  
    ports:
      - 3002:3002
    networks:
      - elastic

  kibana:
    image: docker.elastic.co/kibana/kibana:7.17.1
    restart: unless-stopped
    depends_on:
      - "elasticsearch"
      - "ent-search"
    ports:
      - 5601:5601
    environment:
      ELASTICSEARCH_HOSTS: https://elastic.mirahi.cloud:9200
      enterpriseSearch.host: https://elastic.mirahi.cloud:3002
      ELASTICSEARCH_USERNAME: elastic
      server.host: 192.168.102.50
      server.name: elastic.mirahi.cloud
      elasticsearch_url: "https://192.168.102.50:9200"
      ELASTICSEARCH_PASSWORD: ${ELASTIC_PASSWORD}
      enterpriseSearch.ssl.verificationMode: certificate
      server.ssl.enable: "true"
      server.ssl.certificate: /usr/share/elasticsearch/config/certificates/fullchain.pem
      server.ssl.key: /usr/share/elasticsearch/config/certificates/privkey.pem
      elasticsearch.ssl.certificate: /usr/share/elasticsearch/config/certificates/fullchain.pem
      elasticsearch.ssl.verificationMode: certificate
      #elasticsearch.ssl.certificateAuthorities: /usr/share/elasticsearch/config/certificates/ca-certificates.crt
      elasticsearch.ssl.key: /usr/share/elasticsearch/config/certificates/privkey.pem
    networks:
      - elastic
    volumes:
      - certs:$CERTS_DIR  

1 Like

These paths are right, are they?

This domain doesn't resolve to an IP address.

1 Like

My bad, the volumes weren't correct, but it changes nothing.

The server is internal, so elastic.mirahi.cloud with Kibana = 192.168.102.50:5601
In HTTP it works.

I don't know what to tell you. It's some TLS misconfiguration (did you enable TLS 1.2 and 1.3?)

It's hard to diagnose without being able to connect.

Yes, it's enabled, and when I force tls1_3 I have:

CONNECTED(00000003)
140248793208128:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 244 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

I understand, thank you for your help

1 Like

Everything I find online is suggesting this server is http only.

You should probably read here: Set up basic security for the Elastic Stack plus secured HTTPS traffic | Elasticsearch Guide [8.1] | Elastic (does kibana.yml take that info from your docker-compose.yml? I don't know that.)

And please realize that there are several TLS certificates there, some from your internal CA, for inter-node communication, and one from Let's Encrypt for kibana-client communication.

2 Likes
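
An added example, not part of the original thread: the s_client output above reads exactly 5 bytes before failing, which is the size of a TLS record header. The sketch below parses those 5 bytes the way a TLS client has to and shows why a plaintext HTTP reply produces "wrong version number". The function names and the sample byte strings are constructed for illustration.

```python
import socket
import struct

# TLS record content types (RFC 8446, section 5.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext record a TLS 1.2 peer may send


def classify_first_bytes(header: bytes) -> dict:
    """Interpret the first 5 bytes a server sends as a TLS record header."""
    if len(header) < 5:
        return {"verdict": "short-read", "detail": f"only {len(header)} byte(s) received"}
    ctype, major, minor, length = struct.unpack("!BBBH", header[:5])
    if header[:5] == b"HTTP/":
        # 'H' lands in the content-type field and 'TT' in the version field,
        # so the major version is 0x54 instead of 3: "wrong version number".
        return {"verdict": "plaintext-http",
                "detail": f"type=0x{ctype:02x} version=0x{major:02x}{minor:02x} is ASCII {header[:5]!r}"}
    if ctype in CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return {"verdict": "tls",
                "detail": f"{CONTENT_TYPES[ctype]} record, version 3.{minor}, {length} bytes"}
    return {"verdict": "unknown", "detail": f"unrecognised header {header[:5].hex()}"}


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Send a plaintext HTTP request and classify the first 5 bytes of the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            while len(data) < 5:
                chunk = sock.recv(5 - len(data))
                if not chunk:      # peer closed without answering
                    break
                data += chunk
        except OSError:            # a reset or timeout counts as "no answer"
            pass
    return classify_first_bytes(data)


if __name__ == "__main__":
    # Constructed samples: an HTTP status line and a TLS 1.2 handshake record header.
    for sample in (b"HTTP/1.1 400 Bad Request\r\n", bytes.fromhex("160303007a")):
        print(sample[:5], "->", classify_first_bytes(sample))
```

Running probe() against the Kibana port returns "plaintext-http" when the listener never enabled TLS, which points at the service configuration rather than at the certificate files.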
