Cannot initialize SSL - Invalid keystore format

YaSe · March 14, 2020, 12:52pm

Hello all,

I have installed an Elasticsearch cluster (ECK) in my Kubernetes cluster (GKE) by using this tutorial.

I retrived the CA certificat tls.crt created by my ECK. Then, I used the following command to create a truststore.jks

keytool -import -trustcacerts -alias ca_root -file tls.crt -keystore truststore.jks

PS: I am using openjdk version "1.8.0_242"

Then, I create a Kubernetes secret:

apiVersion: v1
kind: Secret
metadata:
  name: elasticsearch-truststore-secret
  namespace: dev
type: Opaque
data:
  truststore.jks: <<content of truststore.jks in base64>>

Finally, I specified in the configuration of my spark job, the following information:

spark.es.nodes.wan.only                 true
spark.es.index.auto.create              true
spark.es.nodes                          https://smart-agriculture-elasticsearch-es-http
spark.es.port                           9200
spark.es.net.http.auth.user             elastic
spark.es.net.http.auth.pass             <<password of elastic user>>
spark.es.net.ssl                        true
spark.es.net.ssl.cert.allow.self.signed true
spark.es.net.ssl.truststore.location    file:///etc/secrets/elasticsearch/truststore.jks
spark.es.net.ssl.truststore.pass        test1234
spark.kubernetes.driver.secrets.elasticsearch-truststore-secret /etc/secrets/elasticsearch/truststore.jks
spark.kubernetes.executor.secrets.elasticsearch-truststore-secret /etc/secrets/elasticsearch/truststore.jks

I got the following error:

Caused by: java.io.IOException: Invalid keystore format at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663) at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) at java.security.KeyStore.load(KeyStore.java:1445) at org.elasticsearch.hadoop.rest.commonshttp.SSLSocketFactory.loadKeyStore(SSLSocketFactory.java:200) at org.elasticsearch.hadoop.rest.commonshttp.SSLSocketFactory.loadTrustManagers(SSLSocketFactory.java:226) at org.elasticsearch.hadoop.rest.commonshttp.SSLSocketFactory.createSSLContext(SSLSocketFactory.java:173) ... 41 more

I don't know what I am doing wrong.
Does anyone know how to solve this ?

YaSe · March 17, 2020, 10:19am

A little bit of help please, I didn't find a way !
Thanks

YaSe · March 20, 2020, 1:30pm

Solution in How to create Keystore and Truststore from CA Certificates