Hi again!

I’m trying to move my siren server to a new server but I keep receiving the same weird error…
log [10:36:15.251] [error][siren_audit] Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate’s altnames: IP: is not in the cert’s list:
at new NodeError (internal/errors.js:322:7)
at Object.checkServerIdentity (tls.js:347:12)
at TLSSocket.onConnectSecure (_tls_wrap.js:1525:27)
at TLSSocket.emit (events.js:400:28)
at TLSSocket._finishInit (_tls_wrap.js:937:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:709:12)

Any idea what’s wrong?? First time I see this error…

Hi James,

Are you using a self-signed certificate or a certificate signed by an external CA?
If you generated the certificate with the old server's IP and host name, then you have to generate a new certificate for the new server.

Manu Agarwal

Hi Manu,

Yeah I am. I’m using a self-signed certificate. Everything looks fine. I see everything works in the logs. The cluster is healthy. But siren still won’t connect…

log [12:48:30.416] [info][status][plugin:siren_audit@12.1.0] Status changed from green to green - Initialized
log [12:48:30.424] [info][elasticsearch] Fetching Elasticsearch API Version.
log [12:48:30.572] [error][siren_audit] Initialization of elasticsearch audit output failed. Response Error: 503 Service Unavailable
log [12:48:30.573] [error][siren_audit] Error: Response Error: 503 Service Unavailable
at internals.Client._shortcut (/opt/siren-investigate/node_modules/@hapi/wreck/lib/index.js:551:15)
at processTicksAndRejections (internal/process/task_queues.js:95:5)
at _fetchElasticsearchVersion (/opt/siren-investigate/src/siren_core_plugins/federate_resolver/elasticsearch/api_version.js:44:7)
at _fetchApiVersion (/opt/siren-investigate/src/siren_core_plugins/federate_resolver/elasticsearch/api_version.js:49:27)
at ElasticsearchAuditOutput.init (/opt/siren-investigate/src/siren_core_plugins/siren_audit/server/lib/elasticsearch_audit_output.js:128:24)
at ElasticsearchAuditOutput.initializeOutput (/opt/siren-investigate/src/siren_core_plugins/siren_audit/server/lib/elasticsearch_audit_output.js:196:12)
log [12:48:30.576] [error][status][plugin:elasticsearch@12.1.0] Status changed from uninitialized to red - Unable to connect to Elasticsearch at https://client:9220

[client] Not yet initialized (you may need to run sgadmin)

Hi James,

Can you share your investigate.yml file?

Manu Agarwal

```yaml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address. ""

# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
#server.basePath: ""

# The maximum payload size in bytes for incoming server requests.
server.maxPayloadBytes: 30048576

# The Kibana server's name. This is used for display purposes. "your-hostname"

# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: 'https://client:9220'

# When this setting's value is true Kibana uses the hostname specified in the
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
kibana.defaultAppId: "dashboard"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
elasticsearch.username: 'sirenserver'
elasticsearch.password: 'password'

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
server.ssl.enabled: false
server.ssl.certificate: 'pki/server.crt'
server.ssl.key: 'pki/server.key'

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
elasticsearch.ssl.certificateAuthorities: ['pki/searchguard/root-ca.pem']

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
elasticsearch.ssl.verificationMode: full

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send no client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]

# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}

# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0

# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000

# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/

# Enables you to specify a file where Kibana stores log output.
#logging.dest: stdout

# Set the value of this setting to true to suppress all logging output.
#logging.silent: false

# Set the value of this setting to true to suppress all logging output other than error messages.
#logging.quiet: false

# Set the value of this setting to true to log all events, including system usage information
# and all requests.
#logging.verbose: false

# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000

# Kibi default configuration
enabled: true
datasource_encryption_algorithm: 'AES-GCM'
datasource_encryption_key: 'iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14='
datasource_cache_size: 501

auth_plugin: "searchguard"

# Kibi Access Control configuration
enabled: true
secure: false
password: "12345678123456781234567812345678"
admin_role: investigate_admin
username: sirenalert
password: password
enabled: true

# webservice configuration
# Change global.enabled to true and create auth tokens for each service
# to see the example Siren web services
enabled: false
enabled: false
auth_token: 'change-me'
enabled: false
auth_token: 'change-me'
enabled: false
key: 'change-me'
secret: 'change-me'

# siren jira plugin configuration
# change enabled to true and add the host name and basic_auth (or other supported) authentication information to connect to jira
# check jira plugin documentation for authentication config details
enabled: false

# I2 Plugin can be enabled or disabled here
enabled: false

# Scripting configuration
# Here list
# - all browser APIs you allow to be used in your sirenapi scripts
# - extra libraries you allow to be used in your sirenapi scripts, currently only lodash and moment are available

# Audit configuration
# simply enabling siren_audit plugin will store all audit log types in the same elasticsearch version
enabled: true

# Sentinl configuration
app_name: 'Sentinl'

algorithm: 'RS256'
key: 'pki/siren_dataspaces.pem'
passphrase: 'password'
```

Hi James,

Can you please change elasticsearch.ssl.verificationMode: full to elasticsearch.ssl.verificationMode: none and see if that works?

Manu Agarwal

Now I’m getting:

[2022-07-14T17:17:35,674][INFO ][o.e.c.r.a.AllocationService] [client-1] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.searchguard_authtokens][0], [.searchguard_config_history][0]]]).
[2022-07-14T17:19:34,934][ERROR][c.f.s.a.BackendRegistry ] [client-1] Not yet initialized (you may need to run sgadmin)

When I curl https://client.elk:9220/_cat/health or any path I get - “curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number”

When I re-enable `elasticsearch.ssl.verificationMode: full` I get: “Search Guard not initialized (SG11)”

Not sure what’s going on. I might just delete everything and start over.

When I try to re-initialize Search Guard the server comes up but is empty, i.e. I can log in, but after I enter the username and password I receive a blank page. No modules in the sidebar. Just a window that says click here to create a dashboard.

I think I was able to fix whatever that was. I reinstalled everything from scratch.

OK, great. There might have been an issue while moving the certificates that created the problem.

Glad the issue is sorted.