ERR_TLS_CERT_ALTNAME_INVALID error

Hi again!

I’m trying to move my siren server to a new server but I keep receiving the same weird error…
log [10:36:15.251] [error][siren_audit] Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate’s altnames: IP: 22.89.091.427 is not in the cert’s list:
at new NodeError (internal/errors.js:322:7)
at Object.checkServerIdentity (tls.js:347:12)
at TLSSocket.onConnectSecure (_tls_wrap.js:1525:27)
at TLSSocket.emit (events.js:400:28)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)

Any idea what’s wrong?? First time I see this error…

Hi James,

Are you using a self-signed certificate or a certificate signed by an external CA?
If you generated the certificate with the old server's IP and host name, then you have to generate a new certificate for the new server.

Regards
Manu Agarwal

Hi Manu,

Yeah I am. I’m using a self-signed certificate. Everything looks fine. I see everything works in the logs. The cluster is healthy. But siren still won’t connect…

log [12:48:30.416] [info][status][plugin:siren_audit@12.1.0] Status changed from green to green - Initialized
log [12:48:30.424] [info][elasticsearch] Fetching Elasticsearch API Version.
log [12:48:30.572] [error][siren_audit] Initialization of elasticsearch audit output failed. Response Error: 503 Service Unavailable
log [12:48:30.573] [error][siren_audit] Error: Response Error: 503 Service Unavailable
at internals.Client._shortcut (/opt/siren-investigate/node_modules/@hapi/wreck/lib/index.js:551:15)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at _fetchElasticsearchVersion (/opt/siren-investigate/src/siren_core_plugins/federate_resolver/elasticsearch/api_version.js:44:7)
at _fetchApiVersion (/opt/siren-investigate/src/siren_core_plugins/federate_resolver/elasticsearch/api_version.js:49:27)
at ElasticsearchAuditOutput.init (/opt/siren-investigate/src/siren_core_plugins/siren_audit/server/lib/elasticsearch_audit_output.js:128:24)
at ElasticsearchAuditOutput.initializeOutput (/opt/siren-investigate/src/siren_core_plugins/siren_audit/server/lib/elasticsearch_audit_output.js:196:12)
log [12:48:30.576] [error][status][plugin:elasticsearch@12.1.0] Status changed from uninitialized to red - Unable to connect to Elasticsearch at https://client:9220

[client] Not yet initialized (you may need to run sgadmin)

Hi James,

Can you share your investigate.yml file?

Regards
Manu Agarwal

```yaml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "0.0.0.0"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
#server.basePath: ""

# The maximum payload size in bytes for incoming server requests.
server.maxPayloadBytes: 30048576

# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: 'https://client:9220'

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
kibana.defaultAppId: "dashboard"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: 'sirenserver'
elasticsearch.password: 'password'

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: false
server.ssl.certificate: 'pki/server.crt'
server.ssl.key: 'pki/server.key'

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: ['pki/searchguard/root-ca.pem']

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send no client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid

# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Kibi default configuration
investigate_core:
  image_proxy:
    enabled: true
  datasource_encryption_algorithm: 'AES-GCM'
  datasource_encryption_key: 'iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14='
  datasource_cache_size: 501

elasticsearch:
  auth_plugin: "searchguard"

# Kibi Access Control configuration
investigate_access_control:
  enabled: true
  cookie:
    secure: false
    password: "12345678123456781234567812345678"
  admin_role: investigate_admin
  sirenalert:
    elasticsearch:
      username: sirenalert
      password: password
  acl:
    enabled: true

# webservice configuration
# Change global.enabled to true and create auth tokens for each service
# to see the example Siren web services
web_services:
  global:
    enabled: false
  webhose:
    enabled: false
    config:
      auth_token: 'change-me'
  jsonwhois:
    enabled: false
    config:
      auth_token: 'change-me'
  twitter:
    enabled: false
    config:
      key: 'change-me'
      secret: 'change-me'

# siren jira plugin configuration
# change enabled to true and add the host name and basic_auth (or other supported) authentication information to connect to jira
# check jira plugin documentation for authentication config details
siren_jira_plugin:
  enabled: false

# I2 Plugin can be enabled or disabled here
i2_integration:
  enabled: false

# Scripting configuration
# Here list
# - all browser APIs you allow to be used in your sirenapi scripts
# - extra libraries you allow to be used in your sirenapi scripts, currently only lodash and moment are available

# Audit configuration
# simply enabling siren_audit plugin will store all audit log types in the same elasticsearch version
siren_audit:
  enabled: true

# Sentinl configuration
sentinl:
  app_name: 'Sentinl'

shared_index_components:
  dataspaceSignature:
    algorithm: 'RS256'
    privateKey:
      key: 'pki/siren_dataspaces.pem'
      passphrase: 'password'
```

Hi James,

Can you please change `elasticsearch.ssl.verificationMode: full` to `elasticsearch.ssl.verificationMode: none` and see if that works?

Regards
Manu Agarwal

Now I’m getting:

[2022-07-14T17:17:35,674][INFO ][o.e.c.r.a.AllocationService] [client-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.searchguard_authtokens][0], [.searchguard_config_history][0]]]).
[2022-07-14T17:19:34,934][ERROR][c.f.s.a.BackendRegistry ] [client-1] Not yet initialized (you may need to run sgadmin)

When I curl https://client.elk:9220/_cat/health or any path I get - “curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number”

When I re-enable `elasticsearch.ssl.verificationMode` to full I get: "Search Guard not initialized (SG11)"

Not sure what’s going on. I might just delete everything and start over

When I try to re-initialize Search Guard the server comes up but is empty, i.e. I can log in, but when I enter the username and password I receive a blank page. No modules in the sidebar. Just a window that says click here to create a dashboard.

I think I was able to fix whatever that was. I reinstalled everything from scratch.

OK, great. There might have been an issue while moving the certificates that caused the problem.

Glad issue is sorted.