Unable to set passwords in elasticsearch with xpack

ES Version : 6.2.4

```
Running with configuration path: /home/ubuntu/elasticsearch/config

Testing if bootstrap password is valid for https://localhost:9200/_xpack/security/_authenticate?pretty
Exception in thread "main" java.lang.IllegalArgumentException: did not find a SSLContext for [SSLConfiguration{keyConfig=[keyStorePath=[certs/vraj-certificates.p12], keyStoreType=[PKCS12], keyStoreAlgorithm=[SunX509], trustStoreAlgorithm=[PKIX]], trustConfig=trustStorePath=[certs/vraj-certificates.p12], trustStoreAlgorithm=[PKIX]], cipherSuites=[[TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA]], supportedProtocols=[[TLSv1.2, TLSv1.1, TLSv1]], sslClientAuth=[REQUIRED], verificationMode=[FULL]}]
	at org.elasticsearch.xpack.core.ssl.SSLService.sslContextHolder(SSLService.java:331)
	at org.elasticsearch.xpack.core.ssl.SSLService.sslContext(SSLService.java:321)
	at org.elasticsearch.xpack.core.ssl.SSLService.sslSocketFactory(SSLService.java:192)
	at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.lambda$postURL$0(CommandLineHttpClient.java:96)
	at java.security.AccessController.doPrivileged(Native Method)
	at org.elasticsearch.xpack.security.authc.esnative.tool.CommandLineHttpClient.postURL(CommandLineHttpClient.java:94)
	at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$SetupCommand.checkElasticKeystorePasswordValid(SetupPasswordTool.java:278)
	at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool$AutoSetup.execute(SetupPasswordTool.java:127)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:75)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
	at org.elasticsearch.cli.Command.main(Command.java:90)
	at org.elasticsearch.xpack.security.authc.esnative.tool.SetupPasswordTool.main(SetupPasswordTool.java:105)
```

6.2.4 is almost a year old, there have been lots of bugs fixed since then (including this, I believe). Is there a reason you're trying to set up a new cluster on such an old version?

Well, I initially tried with 6.7.0.

When I was trying to set up the password, I get the below error:

```
SSL connection to https://172.31.23.147:9200/_xpack/security/_authenticate?pretty failed: java.security.cert.CertificateException: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://172.31.43.127:9200/_xpack/security/_authenticate?pretty.
```

My elasticsearch.yml config:

Master node:

```
cluster.name: vraj
node.name: master
node.attr.zone: 1
node.master: true
node.data:  false
node.ingest: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/vraj-cert.p12
xpack.security.transport.ssl.truststore.path: certs/vraj-cert.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/vraj-cert.p12
xpack.security.http.ssl.truststore.path: certs/vraj-cert.p12
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*
network.host: [_site_,_local_]
discovery.zen.ping.unicast.hosts: ["172.31.35.116","172.31.23.189"]
```

Hi there,

The error message states

```
java.security.cert.CertificateException: No subject alternative names present
```

when elasticsearch-setup-passwords attempts to communicate with Elasticsearch on the http layer and suggests that you take a look at your xpack.security.http.ssl.* settings. I see

```
xpack.security.http.ssl.keystore.path: certs/vraj-cert.p12
xpack.security.http.ssl.truststore.path: certs/vraj-cert.p12
```

How did you create these files? Did you follow through our instructions in our docs?

Yes. I first created a CA cert by running the below command:

```
/home/ubuntu/elasticsearch/bin/elasticsearch-certutil ca
```

Then I created these certs with the below command:

```
/home/ubuntu/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12 --name vraj-cert.p12
```

Hi,

It is only working when I hashed out this line from the yml file:

```
xpack.security.http.ssl.enabled: true
```

It is not working when the above line is set to true.

It works because this disables TLS, but I assume this is not what you want to do.

You'd need to regenerate vraj-cert.p12 and use either --dns or --ip to add a subject alternate name to the certificate that is generated (see here for the list of parameters for the elasticsearch-certutil tool).
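As an added example (not part of the thread and not Elastic's code), a simplified SAN-only matcher shows why a certificate generated without --dns or --ip fails verification and which names it still needs. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the rule of never falling back to the common name is an assumption of this example.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def san_covers(cert, endpoint):
    """True if the certificate's subjectAltName covers the host or IP `endpoint`."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(endpoint):
        # An IP endpoint is only satisfied by an "IP Address" SAN, never by a DNS SAN.
        want = ipaddress.ip_address(endpoint)
        return any(kind == "IP Address" and ipaddress.ip_address(val) == want
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_match(val, endpoint) for kind, val in sans)

def missing_sans(cert, endpoints):
    """Group uncovered endpoints by SAN type: the values to pass via --dns / --ip."""
    missing = {"dns": [], "ip": []}
    for ep in endpoints:
        if not san_covers(cert, ep):
            missing["ip" if _is_ip(ep) else "dns"].append(ep)
    return missing

# Constructed sample: certificate issued with only a name, so it carries no SAN.
CERT_NO_SAN = {"subject": ((("commonName", "instance"),),)}
# Constructed sample: certificate reissued with a DNS and an IP SAN.
CERT_WITH_SAN = {
    "subject": ((("commonName", "instance"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "172.31.23.147")),
}
# Addresses that clients in this thread connect to.
ENDPOINTS = ["localhost", "172.31.23.147"]

if __name__ == "__main__":
    for name, cert in (("no SAN", CERT_NO_SAN), ("with SAN", CERT_WITH_SAN)):
        print(name, "->", missing_sans(cert, ENDPOINTS))
```
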

Thanks, it worked.
Now I'm unable to start Kibana 6.7.0.

```
elasticsearch.hosts: ["https://localhost:9200"]
xpack.security.encryptionKey: "<32chars>"
xpack.security.sessionTimeout: 600000
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
```

Kibana is on the master Elasticsearch instance. Do I need to provide any additional configs in kibana.yml?

Thanks

> Now I'm unable to start Kibana 6.7.0

You need to show us the logs. We can't know why it failed to start without them.

This is happening with Kibana 6.7.0:

```
[17:28:24.835] [error][status][plugin:reporting@6.7.0] Status changed from uninitialized to red - [security_exception] failed to authenticate user [kibana], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }
log [17:28:24.970] [warning][task_manager] PollError [security_exception] failed to authenticate user [kibana], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }
log [17:28:24.970] [warning][task_manager] PollError [security_exception] failed to authenticate user [kibana], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }
log [17:28:24.972] [warning][maps] Error scheduling telemetry task, received NotInitialized: Tasks cannot be scheduled until after task manager is initialized!
log [17:28:24.972] [warning][telemetry] Error scheduling task, received NotInitialized: Tasks cannot be scheduled until after task manager is initialized!
log [17:28:24.974] [warning][reporting] Could not retrieve cluster settings, because of [security_exception] failed to authenticate user [kibana], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }
```

But with Kibana 6.2.4, I'm able to start Kibana except for a few warnings such as:

```
You're running Kibana 6.2.4 with some different versions of Elasticsearch. Update Kibana or Elasticsearch to the same version to prevent compatibility issues: v6.7.0
```

Please advise.

Thanks for your help
