AccessDeniedException when trying to startup ElasticSearch

ordner · March 29, 2019, 7:10am

I am following this tutorial here: https://www.elastic.co/blog/elasticsearch-security-configure-tls-ssl-pki-authentication
After generating the certs and moving them to config/certs and adding this to elasticsearch.yml:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

I am getting
java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/certs/elastic-certificates.p12

when I try to start Elasticsearch. I have performed curl -X POST "localhost:9200/_xpack/license/start_trial?acknowledge=true" before and also initialized the built-in user's passwords. So what is the problem?

my elastic user is in the wheel user group (CentOS 7)

ikakavas · March 29, 2019, 7:57am

Hi,

Did you change the permissions for the /usr/share/elasticsearch/config or /usr/share/elasticsearch after installation ?

Can you share with us the output of

ls -ld /usr/share/elasticsearch
ls -ld /usr/share/elasticsearch/config
ls -ld /usr/share/elasticsearch/config/certs
ls -la /usr/share/elasticsearch/config/certs

ordner · March 29, 2019, 9:05am

Hi. Thanks for the reply. Here it is:

[elastic@a8a3b00a1cc5 elasticsearch]$ ls -ld /usr/share/elasticsearch
drwxr-xr-x 9 elastic elastic 4096 Mar 29 06:20 /usr/share/elasticsearch
[elastic@a8a3b00a1cc5 elasticsearch]$ ls -ld /usr/share/elasticsearch/config
drwxr-xr-x 3 elastic elastic 4096 Mar 29 07:14 /usr/share/elasticsearch/config
[elastic@a8a3b00a1cc5 elasticsearch]$ ls -ld /usr/share/elasticsearch/config/certs
drwxr-xr-x 2 root root 4096 Mar 29 06:22 /usr/share/elasticsearch/config/certs
[elastic@a8a3b00a1cc5 elasticsearch]$ ls -la /usr/share/elasticsearch/config/certs
total 16
drwxr-xr-x 2 root    root    4096 Mar 29 06:22 .
drwxr-xr-x 3 elastic elastic 4096 Mar 29 07:14 ..
-rw------- 1 root    root    3451 Mar 29 06:05 elastic-certificates.p12
-rw------- 1 root    root    2527 Mar 29 06:05 elastic-stack-ca.p12

I assumed being a superuser, elastic and files activated by him can access any other files? So I also need to be the owner ??

ikakavas · March 29, 2019, 9:18am

elasticsearch runs as elastic user in centos. You'd need to make elastic the owner of certs dir so that it can read the files from there, as now only root can read them

drwxr-xr-x 2 root    root    4096 Mar 29 06:22 .
-rw------- 1 root    root    3451 Mar 29 06:05 elastic-certificates.p12
-rw------- 1 root    root    2527 Mar 29 06:05 elastic-stack-ca.p12

You can do this with

chown -R elastic:elastic /usr/share/elasticsearch/config/certs

as root.

ordner · March 29, 2019, 9:27am

Thank you it works now

system · April 26, 2019, 9:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.