Access denied to certs when starting Elasticsearch

Hi Everybody,

I'm experiencing some trouble when starting Elasticsearch:

java.nio.file.AccessDeniedException: /etc/elasticsearch/certs/elastic-stack-ca.p12

The outcome of "ls -l":

root@elk:/usr/share/elasticsearch# ls -l /etc/elasticsearch
total 44
drw-rw---- 2 root elasticsearch  4096 Dec  3 21:23 certs
-rw-rw---- 1 root elasticsearch   199 Dec  1 23:27 elasticsearch.keystore
-rw-rw---- 1 root elasticsearch  3212 Dec  5 21:46 elasticsearch.yml
-rw-rw---- 1 root elasticsearch  3665 Dec  3 23:02 jvm.options
-rw-rw---- 1 root elasticsearch 17545 Oct 28 21:54 log4j2.properties
-rw-rw---- 1 root elasticsearch   473 Oct 28 21:54 role_mapping.yml
-rw-rw---- 1 root elasticsearch   197 Oct 28 21:54 roles.yml
-rw-rw---- 1 root elasticsearch     0 Oct 28 21:54 users
-rw-rw---- 1 root elasticsearch     0 Oct 28 21:54 users_roles
root@elk:/usr/share/elasticsearch# ls -l /etc/elasticsearch/certs
total 8
-rw-rw---- 1 root elasticsearch 3443 Dec  3 10:20 elastic-certificates.p12
-rw-rw---- 1 root elasticsearch 2527 Dec  3 10:13 elastic-stack-ca.p12

The config-file looks like this:

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: my-elk
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: elk.local.net
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: 0.0.0.0
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.seed_hosts: ["192.168.139.155"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
#cluster.initial_master_nodes: ["192.168.139.155"]
#
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

# Enable basic security: certificates are in /etc/elasticsearch/certs
# WLM - 2019dec2
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

I'm running Elasticsearch version 7.4.2 on Ubuntu 18.0.4.3.

Any suggestions on what could be wrong?
And how to fix that?

Thanks - Will

Hi,

You have permissions 660 on the certs directory. This should be 750 (rwxr-x---).
Regards, Alex

Thanks Alex - works as expected now.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.