After X-pack Installation : Failed to authenticate user [elastic]

Hello Guys,
as i wanted to implement security in my Cluster, i followed along This Guide - an it all went well until

Step 6. Set the passwords for all built-in users.

When i try to execute the command:

bin/elasticsearch-setup-passwords interactive

I get the following Error:

Failed to authenticate user 'elastic' against http://X.X.X.X:9200/_security/_authenticate?pretty
Possible causes include:
 * The password for the 'elastic' user has already been changed on this cluster
 * Your elasticsearch node is running against a different keystore
   This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

ERROR: Failed to verify bootstrap password

I know that the bootstrap password was set by my predecessor - i also have access to it - but still i don't know what i have to do here..
When i look into the elasticsearch Logs i see the following line:

[2020-03-20T12:49:02,575][INFO ][o.e.x.s.a.AuthenticationService] [Hostname] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]

The only configuration i have in my elasticsearch.yml file regarding xpack are the following: true true certificate /elkdata/certs/elastic-certificates.p12  /elkdata/certs/elastic-certificates.p12

Does anyone know what i have to do?

Thanks in advance!

bin/elasticsearch-setup-passwords is a convenient CLI tool to assist you with setting the password for the built in users. If you have changed the bootstrap.password then you can't use the tool, but you can very well use the Change Password API while authenticating as elastic with the password that you have to set the password for the rest of the built-in users, and potential change the password for the elastic user itself.

Hello ikakavas!
Thanks for the fast reply :slight_smile:
My problem is that i'm in a testing environment, so there's no "Active" Kibana-WebInterface - can i do the API Password Changes via CLI? Or is that a problem?

Elasticsearch's APIs do not require the use of Kibana. Check the Copy as CURL button in the examples in the documentation I linked to above

i've tried doing it that way - but it keeps telling me that the password is not correct so i did the following:

bin/elasticsearch-users useradd my_admin -p *Password* -r superuser

Then i restarded the elasticsearch-service - but even now with a new superuser if i do the REST-Request i get the following error:

 curl -u admin -XPUT 'X.X.X.X:9200/_xpack/security/user/elastic/_password?pretty' -H 'Content-Type: application/json' -d'
> {
>   "password" : "******************"
> }
> '
Enter host password for user 'admin':
  "error" : {
    "root_cause" : [
        "type" : "security_exception",
        "reason" : "unable to authenticate user [admin] for REST request [/_xpack/security/user/elastic/_password?pretty]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    "type" : "security_exception",
    "reason" : "unable to authenticate user [admin] for REST request [/_xpack/security/user/elastic/_password?pretty]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
  "status" : 401

If i check if the user correctly listed :

bin/elasticsearch-users list
admin : superuser

Any ideas?

Somehow it told me in the logs that it finally loaded ".security_7"

Now everything works just fine :slight_smile:

adds users to the file realm. The file realm is not enabled by default, you need to enable it, then you could have used your admin user.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.