Cannot read configured [PKCS12] keystore (as a truststore)

Hello,

I configured TLS on all 5 nodes of my cluster.
I followed this documentation: https://www.elastic.co/guide/en/elasticsearch/reference/8.0/security-basic-setup.html#encrypt-internode-communication
I generated a CA with a password and then a certificate per node from a yml file with this command:

bin/elasticsearch-certutil cert --ca /usr/share/elasticsearch/elastic-stack-ca.p12 --in /etc/elasticsearch/certs/stack/instance.yml --out elastic-stack-certs.zip -v

I gave a different password to each of the node certificates.
So I injected the password on each node of the cluster with the commands:

./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

As I have a different certificate for each node, I am in full mode. My elasticsearch.yml config:

xpack.security.enabled: true

#xpack.security.enrollment.enabled: false

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: /etc/elasticsearch/new/node-1.p12
  truststore.path: /etc/elasticsearch/new/node-1.p12
  client_authentication: required
  verification_mode: full
# Enable encryption and mutual authentication between cluster node
xpack.security.transport.ssl:
  enabled: true
  verification_mode: full
  client_authentication: required
  keystore.path: /etc/elasticsearch/new/node-1.p12
  truststore.path: /etc/elasticsearch/new/node-1.p12

When I restart the nodes, I get this error:

Caused by: org.elasticsearch.common.ssl.SslConfigException: cannot read configured [PKCS12] keystore (as a truststore) [/etc/elasticsearch/new/node-1.p12] - this is usually caused by an incorrect password; (a keystore password was provided)
        at org.elasticsearch.common.ssl.SslFileUtil.ioException(SslFileUtil.java:56) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:98) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
        ... 23 more
Caused by: java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
        at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
        ... 23 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1503) ~[?:?]
        at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:72) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.readKeyStore(StoreTrustConfig.java:94) ~[?:?]
        at org.elasticsearch.common.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:82) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:473) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSslConfigurations$11(SSLService.java:603) ~[?:?]
        ... 23 more

However, I have regenerated the certificates to check that the password is the same as in the keystore and truststore.
I checked the password in the keystore and truststore with the commands:

bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
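An added example, not from the post and not Elastic's own tooling, that does the one check the error message asks for: open the .p12 offline with the password you believe is stored and report what it contains. Elasticsearch reads the same file twice here, once as a keystore (needs the node's private key) and once as a truststore (needs the CA that signed the peers), so the script reports both. Two things to keep in view from the config shown above: the http and transport SSL contexts each read their own xpack.security.<context>.ssl.keystore.secure_password and truststore.secure_password entries, and the keystore commands shown add the transport ones only. The script uses the Python cryptography package; the CA, node certificate and passwords in the demo are constructed in the script itself, and the file path in the usage comment is a placeholder.

```python
"""Offline check of a PKCS12 keystore/truststore password and contents.

Added example (not from the post or from Elastic). Requires the
'cryptography' package. The CA and node certificate used by the demo are
constructed below; the file path in the usage comment is a placeholder.
"""
import datetime
import getpass
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _is_ca(cert: x509.Certificate) -> bool:
    """True if the certificate carries a BasicConstraints ca=TRUE extension."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.BasicConstraints)
    except x509.ExtensionNotFound:
        return False
    return ext.value.ca


def inspect_p12(data: bytes, password: bytes) -> dict:
    """Try to open a PKCS12 blob with `password` and summarise what is inside.

    A wrong password (or a file that is not PKCS12 at all) makes the
    cryptography library raise ValueError; that is the same condition the
    JDK reports to Elasticsearch as 'keystore password was incorrect'.
    """
    try:
        key, cert, extra = pkcs12.load_key_and_certificates(data, password)
    except ValueError as exc:
        return {"password_ok": False, "error": str(exc)}
    all_certs = list(extra) + ([cert] if cert is not None else [])
    return {
        "password_ok": True,
        # used as a keystore: the node's own private key must be present
        "has_private_key": key is not None,
        "key_cert_subject": cert.subject.rfc4514_string() if cert else None,
        # used as a truststore: the CA that signed the peers must be present
        "ca_subjects": [c.subject.rfc4514_string() for c in extra],
        "has_ca_cert": any(_is_ca(c) for c in all_certs),
    }


def build_sample_p12(password: bytes) -> bytes:
    """Constructed sample: a throwaway CA plus a node certificate it signed,
    bundled with the node's private key into a password-protected PKCS12."""
    now = datetime.datetime.now(datetime.timezone.utc)
    validity = datetime.timedelta(days=1)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example-ca")])
    ca_cert = (
        x509.CertificateBuilder()
        .subject_name(ca_name).issuer_name(ca_name)
        .public_key(ca_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + validity)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    node_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    node_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "node-1")])
    node_cert = (
        x509.CertificateBuilder()
        .subject_name(node_name).issuer_name(ca_name)
        .public_key(node_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + validity)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )
    return pkcs12.serialize_key_and_certificates(
        name=b"node-1", key=node_key, cert=node_cert, cas=[ca_cert],
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def main(argv):
    if len(argv) == 2:
        # Real use, e.g.: python check_p12.py /path/to/node-1.p12  (placeholder path)
        # The password is read from the terminal so it never lands in argv.
        with open(argv[1], "rb") as fh:
            data = fh.read()
        print(inspect_p12(data, getpass.getpass("PKCS12 password: ").encode()))
        return
    # Demo on the constructed sample with the right and a wrong password.
    blob = build_sample_p12(b"correct-password")
    print("right password:", inspect_p12(blob, b"correct-password"))
    print("wrong password:", inspect_p12(blob, b"wrong-password"))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the .p12 with the value that `elasticsearch-keystore show` prints for the context that fails; if `password_ok` is false for that value the stored secret and the file simply do not match, and if it is true but `has_ca_cert` is false the file cannot serve as a truststore even with the right password.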