Certificates do not conform to algorithm constraints

Question

Certificates do not conform to algorithm constraints

CenkuSands opened this issue a year ago · 0 comments

Hi,

I've error for certificate when I run the command below.

./diagnostics.sh --host LOPVESUNAPPS01 --archiveType 'tar' --bypassDiagVerify -u xxxxx--password --ssl

18:54:01.179 [main] INFO co.elastic.support.BaseService - Diagnostic logger reconfigured for inclusion into archive
18:54:01.181 [main] INFO co.elastic.support.diagnostics.commands.CheckElasticsearchVersion - Getting Elasticsearch Version.
18:54:01.351 [main] ERROR co.elastic.support.rest.RestClient - Unexpected Execution Error
javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:360) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:303) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:298) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1511) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1421) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427) ~[?:?]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:376) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) ~[httpclient-4.5.13.jar:4.5.13]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) ~[httpclient-4.5.13.jar:4.5.13]
at co.elastic.support.rest.RestClient.execRequest(RestClient.java:87) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.rest.RestClient.execGet(RestClient.java:77) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.rest.RestClient.execQuery(RestClient.java:67) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.commands.CheckElasticsearchVersion.getElasticsearchVersion(CheckElasticsearchVersion.java:80) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.commands.CheckElasticsearchVersion.execute(CheckElasticsearchVersion.java:67) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.chain.DiagnosticChainExec.runDiagnostic(DiagnosticChainExec.java:43) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.DiagnosticService.exec(DiagnosticService.java:86) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.DiagnosticApp.main(DiagnosticApp.java:51) [diagnostics-8.5.0.jar:8.5.0]
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1665) ~[?:?]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1590) ~[?:?]
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1534) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[?:?]
... 30 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 2048 bit key used with certificate: CN=venetian-VEPVICERAPPS02-CA, DC=venetian, DC=com, DC=mo
at sun.security.util.DisabledAlgorithmConstraints$KeySizeConstraint.permits(DisabledAlgorithmConstraints.java:890) ~[?:?]
at sun.security.util.DisabledAlgorithmConstraints$Constraints.permits(DisabledAlgorithmConstraints.java:522) ~[?:?]
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:257) ~[?:?]
at sun.security.util.DisabledAlgorithmConstraints.permits(DisabledAlgorithmConstraints.java:201) ~[?:?]
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:292) ~[?:?]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1661) ~[?:?]
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1590) ~[?:?]
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1534) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ~[?:?]
... 30 more
18:54:01.357 [main] ERROR co.elastic.support.diagnostics.commands.CheckElasticsearchVersion - Unanticipated error:
java.lang.RuntimeException: Certificates do not conform to algorithm constraints
at co.elastic.support.rest.RestClient.execRequest(RestClient.java:93) ~[diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.rest.RestClient.execGet(RestClient.java:77) ~[diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.rest.RestClient.execQuery(RestClient.java:67) ~[diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.commands.CheckElasticsearchVersion.getElasticsearchVersion(CheckElasticsearchVersion.java:80) ~[diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.commands.CheckElasticsearchVersion.execute(CheckElasticsearchVersion.java:67) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.chain.DiagnosticChainExec.runDiagnostic(DiagnosticChainExec.java:43) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.DiagnosticService.exec(DiagnosticService.java:86) [diagnostics-8.5.0.jar:8.5.0]
at co.elastic.support.diagnostics.DiagnosticApp.main(DiagnosticApp.java:51) [diagnostics-8.5.0.jar:8.5.0]
18:54:01.358 [main] INFO co.elastic.support.BaseService - Closing loggers.
18:54:01.358 [main] INFO co.elastic.support.BaseService - Archiving diagnostic results.