Adding certificate to keystore

Hi! Using Elastic 8.6.0 here

I started over with a clean installation of Elastic and immediately tried to overwrite the self-generated certificate of Elastic with my organization's certificate (which is a certificate generated by an authority). To do so, I went over these steps:

  • uploaded my p12 on the elastic server
  • replaced http.p12 and transport.p12 with my organization's p12 in elasticsearch.yml
  • overwrote all three parameters in the keystore:
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
sudo -u elasticsearch bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

with my p12 password.

Yet, my Elastic won't start because it doesn't look to be trusted by the keystore:

[2023-01-25T15:09:06,872][ERROR][o.e.b.Elasticsearch      ] [elastic-server] fatal exception while booting Elasticsearch
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/etc/elasticsearch/certs/organization.p12] does not contain any trusted certificate entries

Or am I missing a point?
I read the elasticsearch-keystore documentation to get a clue about where or how to add a trusted certificate but I haven't found anything. All the topics I read here seem to be outdated or not applying to my case.
Does anyone have anything to put me on the way?

EDIT: I tried to use /usr/share/elasticsearch/jdk/bin/keytool to import my crt into elasticsearch.keystore but ended up with an exception:

keytool error: java.security.KeyStoreException: Unrecognized keystore format. Please load it with a specified type

and then I'm lost.

Many thanks,
Marius

Updating topic :slight_smile:

Lastly updating topic :slightly_frowning_face:

As the error stated, you need to add the trusted cert entry into the truststore.

I think you are confused. elasticsearch.keystore is where you store your password/secure settings using the elasticsearch-keystore command, not the keytool command that is used to modify your SSL/TLS keystore.

Hi! Thanks for your answer :slight_smile:

I'm indeed confused about how certs work in general and in truststores more specifically. I know that I need to add the cert somewhere but I don't know where, since I can't find any truststore file.
From my knowledge, I tried to put it into the ca-certificates folder (even though it is supposed to be trusted publicly), and it doesn't work. From the Internet's knowledge, I have to put it in a truststore using keytool, but I don't know of any truststore file to put it in.

Hope you can enlighten me,
Thanks, Marius

Please share your current elasticsearch.yml file, but in short, the SSL/TLS truststore will be one of the .p12 files that you have.
You can refer to https://www.baeldung.com/java-import-cer-certificate-into-keystore on how to import your CA cert to the truststore.

Ok! Thanks to you I've been able to understand how p12 works and managed to find the issue. For some reason, my cert wasn't included in my p12 file.
But I'm struggling with the connection to Kibana. Each time I try to auto-configure, or use elasticsearch-setup-passwords:

java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.1 found

I understand it's trying to request https://192.168.1.1:9200/_security/_authenticate?pretty
Yet, the certificate is now configured for *.domain.com (since my p12 is ok and Elasticsearch will start with it). I'm actually looking for a parameter to make it request https://server.domain.com:9200/ instead. Still haven't found it.

Here are a few parameters of my elasticsearch.yml:

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 25-01-2023 13:16:30
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/domain.com.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/domain.com.p12
  truststore.path: certs/domain.com.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["supervision-hostname"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------

I think I'm on the last step; it would be awesome if you had a clue :slight_smile:
Marius

Looks like you tried to access Elasticsearch through IP address 192.168.1.1, but the IP is not in the certificate, hence the error.

I'm not trying to reach Elastic with its IP; it's doing that by itself.

Each time I've been through an Elastic installation, it always ended up autoconfiguring Kibana with its IP, no matter how I configured its hostname.
It wasn't a problem until now since I was using its self-generated certificate, but now that I don't have control over the certificate I'm using, I can't find where to set the host it has to try (which has to be server.domain.com:port instead of IP:port).

You can always configure Kibana to use the host name in kibana.yml.

Wouldn't it be in Elastic's configuration, since I'm using Elastic tools?

For example, when using /usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token -s kibana:

12:28:37.833 [main] WARN  org.elasticsearch.common.ssl.DiagnosticTrustManager - failed to establish trust with server at [192.168.1.1]; the server provided a certificate with subject name [CN=*.domain.com,O=domain,ST=some place,C=FR], fingerprint [xxxx], keyUsage [digitalSignature, keyEncipherment] and extendedKeyUsage [serverAuth, clientAuth]; the certificate is valid between [2023-01-11T00:00:00Z] and [2024-02-11T23:59:59Z] (current time is [2023-01-30T11:28:37.822683247Z], certificate dates are valid); the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate has subject alternative names [DNS:*.domain.com,DNS:domain.com]; the certificate is issued by [CN=authority CA,O=name,L=name,ST=name,C=GB]; the certificate is signed by (subject [CN=name,O=name,L=name,ST=name,C=GB] fingerprint [xxxx]) signed by (subject [CN=name,O=name,L=name,ST=name,C=US] fingerprint [xxxx] {trusted issuer}) which is issued by [CN=name,O=name,L=name,ST=name,C=GB] (but that issuer certificate was not provided in the chain); the issuing certificate with fingerprint [xxxxx] is trusted in this ssl context ([xpack.security.http.ssl (with trust configuration: Composite-Trust{JDK-trusted-certs,StoreTrustConfig{path=certs/domain.com.p12, password=<non-empty>, type=PKCS12, algorithm=PKIX}})])
java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.1.1 found

Currently trying to face this

EDIT: found the --url parameter, which led to

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate

Still looking.

ERROR: Unable to create an enrollment token. Elasticsearch node HTTP layer SSL configuration Keystore doesn't contain any PrivateKey entries where the associated certificate is a CA certificate

Your private key is missing in p12 keystore file.
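An added example (not from this thread or from Elastic) that checks what a PKCS12 file actually contains, which is what both errors in this thread turn on: the truststore error needs at least one trusted CA certificate entry, and the enrollment-token error needs a private key whose own certificate is a CA. It builds a throwaway CA and leaf certificate with openssl (the names, the password and the SANs are constructed), packs them into a p12 with and without the CA certificate, and reports private keys, CA entries, whether the key's certificate is a CA, and the leaf's subject alternative names, so you can also see at a glance whether the IP or hostname you connect with is covered.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway CA and leaf,
# pack them into two PKCS12 files (with and without the CA certificate) and
# report the properties the Elasticsearch errors above check for.
# All names, the password and the SANs are constructed for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed password for the test files only

# Constructed self-signed test CA and a leaf key + CSR.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=node.example.test" \
  -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
# Sign the leaf with DNS and IP SANs: clients match the host they dial
# against this list, not against the CN.
printf 'subjectAltName=DNS:node.example.test,IP:10.0.0.5\n' > "$WORK/ext"
openssl x509 -req -in "$WORK/node.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/ext" -out "$WORK/node.crt" 2>/dev/null

# noca.p12: leaf key + leaf cert only (the shape that fails as a truststore).
openssl pkcs12 -export -passout "pass:$PASS" \
  -inkey "$WORK/node.key" -in "$WORK/node.crt" -out "$WORK/noca.p12"
# withca.p12: the same plus the CA cert, so it also carries a trusted entry.
openssl pkcs12 -export -passout "pass:$PASS" \
  -inkey "$WORK/node.key" -in "$WORK/node.crt" -certfile "$WORK/ca.crt" \
  -out "$WORK/withca.p12"

# p12_report FILE -> "<private keys> <CA cert entries> <key cert is CA?> <SANs>"
p12_report() {
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
         | grep -c 'BEGIN .*PRIVATE KEY' || true)
  cas=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true)
  leaf=$(openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null)
  cakey=$(printf '%s\n' "$leaf" | openssl x509 -noout -ext basicConstraints 2>/dev/null \
          | grep -c 'CA:TRUE' || true)
  sans=$(printf '%s\n' "$leaf" | openssl x509 -noout -ext subjectAltName 2>/dev/null \
         | tail -n 1 | sed 's/^ *//')
  echo "$keys $cas $cakey $sans"
}

echo "noca.p12:   $(p12_report "$WORK/noca.p12")"
echo "withca.p12: $(p12_report "$WORK/withca.p12")"
```

Run it against your own file by calling p12_report on it with PASS set to its password; a 0 in the second column is the "does not contain any trusted certificate entries" case, and a 0 in the third column means the file cannot satisfy the enrollment-token requirement for a CA private key, which an authority-issued server certificate never will.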

Hey! Closing topic, not because I've found a solution though.
So I tried different ways of manipulating my p12 file (used in other configurations) but I'm missing something with Elastic's behaviour.
So I tried to move on using certificates instead of PKCS12 but Elastic wouldn't let me use a TLS configuration without using a keystore.
So I moved along with the self-generated certificate and will come back to this later :slightly_smiling_face:
