
elasticsearch https error SEC_E_NO_CREDENTIALS (0x8009030E)

Hi,

I tried to run uberagent with elasticsearch. Elastic stack is up and running with https. 

That's my uberAgent configuration:

```
[Receiver]
Name = Default
Type = Elasticsearch
Protocol = HTTP
Servers = https://winsrv:9200
TLSClientCertificate = LocalMachine\MY\c907cda2504be1e70dfdf03ce8b60890e69331e1
```

But I get the error: 

2020-04-06 00:05:40.716 +0200,ERROR,WORKGROUP,DESKTOP-RG4BL2G$,5852,DataTransportHttp::CurlSend,Sending to https://winsrv:9200/uberagent/uberagent/_bulk failed with: schannel: AcquireCredentialsHandle failed: SEC_E_NO_CREDENTIALS (0x8009030E) - No credentials are available in the security package

 

The certificate is installed in the personal certificate store and the CA is also installed under Trusted Root CA (in machine context). It is a self-signed certificate (via Elastic).


What can I do to fix this error? 

6 comments

  • Dominik Britz (Official comment)

    After removing the TLSClientCertificate setting it turned out that uberAgent is unable to contact a revocation server. Patrick is now testing with a "real" certificate instead of the default self-signed.

  • Dominik Britz

    Hi Patrick,

    The error message indicates that you did not specify credentials. For Elasticsearch, credentials in the format <username>:<password> can be used to authenticate to the Elasticsearch server. See uberAgent.conf.

    # Setting name: RESTToken
    # Description: Authentication token required by the Splunk HTTP Event Collector and by OMS Log Analytics.
    # For Type OMSLogAnalytics use the primary or the secondary key for the workspace.
    # For Type Elasticsearch credentials in format <username>:<password> can be used to authenticate to the Elasticsearch server.
    # Valid values: any string
    # Default: empty

    uberAgent uses the Windows certificate store for certificate validation. The setting TLSClientCertificate is not needed for Elastic, only for Kafka. From uberAgent's configuration file:

    # Setting name: TLSClientCertificate
    # Description: Client certificate to be used in HTTPS communications with REST endpoints
    # Valid values: <store location>\<store name>\<certificate thumbprint>
    # <store location> can be: CurrentUser, LocalMachine, CurrentService, Services, CurrentUserGroupPolicy, LocalMachineGroupPolicy, LocalMachineEnterprise
    # <store name> can be: MY, Root, Trust, CA (if in doubt, use MY)
    # <certificate thumbprint> is the thumbprint of the certificate to be used to authenticate the client to the server
    # Default: empty
    # Required: only for type Kafka if the REST proxy requires authentication

    Your config should look like this:

    [Receiver]
    Name = Default
    Type = Elasticsearch
    Protocol = HTTP
    Servers = https://winsrv:9200
    RESTToken = user:password

    Note that the RESTToken is only required if you have installed Elastic with X-Pack security.
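
The configuration rules quoted in this thread, as an added Python example that is not part of the original posts or of uberAgent: it parses `[Receiver]` stanzas and flags a `TLSClientCertificate` that does not match the documented format or is set on a non-Kafka receiver, and an Elasticsearch `RESTToken` that is not in `<username>:<password>` form. The function names and the 40-hex-digit thumbprint check are assumptions.

```python
import re

# Allowed values copied from the uberAgent.conf excerpt quoted in the thread.
STORE_LOCATIONS = ("currentuser localmachine currentservice services currentusergrouppolicy "
                   "localmachinegrouppolicy localmachineenterprise").split()
STORE_NAMES = ("my", "root", "trust", "ca")
THUMBPRINT = re.compile(r"[0-9a-fA-F]{40}")  # assumption: SHA-1 thumbprint, 40 hex digits

def parse_receivers(text):
    """Return one dict (lower-cased keys) per [Receiver] stanza; stanzas may repeat."""
    receivers, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            current = {} if line.lower() == "[receiver]" else None
            if current is not None:
                receivers.append(current)
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return receivers

def lint_receiver(rcv):
    """Check one receiver against the rules stated in the thread."""
    findings = []
    rtype = rcv.get("type", "").lower()
    cert = rcv.get("tlsclientcertificate", "")
    if cert:
        parts = cert.split("\\")
        if (len(parts) != 3 or parts[0].lower() not in STORE_LOCATIONS
                or parts[1].lower() not in STORE_NAMES
                or not THUMBPRINT.fullmatch(parts[2])):
            findings.append("malformed TLSClientCertificate")
        if rtype != "kafka":
            findings.append("TLSClientCertificate set, but only required for Type Kafka")
    token = rcv.get("resttoken", "")
    if rtype == "elasticsearch" and token and not re.fullmatch(r"[^:]+:.+", token):
        findings.append("RESTToken is not <username>:<password>")
    return findings

# Constructed input: the [Receiver] stanza from the question, then the suggested one.
POSTED = r"""[Receiver]
Name = Default
Type = Elasticsearch
Protocol = HTTP
Servers = https://winsrv:9200
TLSClientCertificate = LocalMachine\MY\c907cda2504be1e70dfdf03ce8b60890e69331e1
"""
SUGGESTED = POSTED.rsplit("TLSClientCertificate", 1)[0] + "RESTToken = user:password\n"
print([lint_receiver(r) for conf in (POSTED, SUGGESTED) for r in parse_receivers(conf)])
```

A clean result only means the stanza follows the rules quoted above; it says nothing about certificate revocation checks made at connection time.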

     

  • Patrick Matula

    That was definitely a problem in my configuration. I modified that, restarted the uberAgent service. Still the same error message:

    2020-04-06 11:16:14.320 +0200,ERROR,WORKGROUP,DESKTOP-RG4BL2G$,10976,DataTransportHttp::CurlSend,Sending to https://winsrv:9200/uberagent/uberagent/_bulk failed with: schannel: AcquireCredentialsHandle failed: SEC_E_NO_CREDENTIALS (0x8009030E) - No credentials are available in the security package

  • Dominik Britz

    Do you have X-Pack security enabled? Have you followed our instructions to set up Elastic? In particular section 4.2 from https://uberagent.com/docs/uberagent/latest/installation/backend/installing-elasticsearch/:

    If you enabled X-Pack security you need to pass the elastic user (configured during the setup) for the commands above. On Windows use the -Credential parameter, for Linux -u.

  • Patrick Matula

    Yes, the `Invoke-RestMethod` call was successful. I see uberagent in the index template. That seems fine to me.

  • Dominik Britz

    Moving this to our support system as we need a log file for further troubleshooting.
