Cannot read configured pem certificate

I generated a PEM certificate for my Elasticsearch; however, I am getting an error that it cannot read the configured PEM certificate due to a permissions issue. However, I verified the permissions, and it should have read/write/execute access.

Here is the error in journalctl that happens when I attempt to start Elasticsearch & the permissions assigned to the file.

[root@elastichost elasticsearch]# journalctl --unit elasticsearch | tail -n 100 | grep "failed to load SSL"
Mar 12 20:12:04 elastichost.internal systemd-entrypoint[27881]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate [/etc/elasticesearch/elastic.<removed-domain>.cer] because access to read the file is blocked; SSL resources should be placed in the [/etc/elasticsearch] directory
Mar 12 20:28:54 elastichost.internal systemd-entrypoint[28299]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured PEM certificate [/etc/elasticesearch/elastic.<removed-domain>.cer] because access to read the file is blocked; SSL resources should be placed in the [/etc/elasticsearch] directory
[root@elastichost elasticsearch]# ls -ld $PWD/* | grep 'elastic\.'
-rwxrwxrwx 1 root elasticsearch  2289 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.cer
-rwxrwxrwx 1 root elasticsearch  1675 Mar 12 20:05 /etc/elasticsearch/elastic.<removed-domain>.key

I have validated the certificate is in PEM format and not locked. Is there anything else I need to validate?
I have also attempted re-generating the certificate through my CA, and generating a new self-signed certificate via OpenSSL to verify the issue is not with the certificate itself.

The solution is right in the error message:

This is nothing to do with filesystem permissions - you have to put the files into that directory.

They are in the /etc/Elasticsearch/ directory.

And that would still be a permissions issue as that recommendation is to resolve potential permissions issues as files should inherit permissions from the directory in most scenarios.

Your configuration has a typo.

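The mismatch the last reply points to (the log shows `/etc/elasticesearch/` while the files sit in `/etc/elasticsearch/`) can be caught before starting the service. The following is an added example, not part of the original thread or Elasticsearch's own code: it assumes flat dotted keys in `elasticsearch.yml`, relative paths resolved against the config directory, and uses a constructed sample with `example.test` standing in for the redacted domain.

```python
import os
import re

# Flat "dotted.key: value" lines for single-path SSL settings (assumption:
# the config uses flat dotted keys rather than nested YAML).
SSL_PATH_KEY = re.compile(
    r"^\s*(xpack\.security\.(?:transport|http)\.ssl\."
    r"(?:certificate|key|keystore\.path|truststore\.path))\s*:\s*(.+?)\s*$"
)

# Constructed sample; example.test stands in for the redacted domain.
SAMPLE_YML = """\
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.certificate: /etc/elasticesearch/elastic.example.test.cer
xpack.security.transport.ssl.key: elastic.example.test.key
"""

def check_ssl_paths(yml_text, config_dir="/etc/elasticsearch", exists=os.path.exists):
    """Return [(setting, resolved_path, problem)] for each suspicious SSL path."""
    config_dir = os.path.normpath(config_dir)
    findings = []
    for line in yml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = SSL_PATH_KEY.match(line)
        if not m:
            continue
        setting, value = m.group(1), m.group(2).strip("'\"")
        # Assumption: relative paths are resolved against the config directory.
        resolved = os.path.normpath(os.path.join(config_dir, value))
        if os.path.commonpath([config_dir, resolved]) != config_dir:
            # A misspelled directory lands here, whatever the file mode bits are.
            findings.append((setting, resolved, "outside config directory"))
        elif not exists(resolved):
            findings.append((setting, resolved, "file not found"))
    return findings

if __name__ == "__main__":
    for setting, path, problem in check_ssl_paths(SAMPLE_YML):
        print(f"{setting}: {path} -> {problem}")
```

Pass the contents of the real `elasticsearch.yml` in place of `SAMPLE_YML` to check a live configuration.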
