I am attempting to enable Minimal security on a 7 node V7.17.7 cluster using the Basic license, with the intent of moving on to Basic Security to allow us to upgrade to the latest version. I am working from this set of instructions, which I've attempted to use several times now.

I got as far as completing step 1 under "Create password for built-in users". As soon as I restarted the first node, I got this error:

"bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [] to [true] or disable security by setting [] to [false]"

The logs showed that SSL failed attempting to connect with the other nodes. (Not surprising, as this was not configured yet.)

I attempted to run elasticsearch-setup-passwords so that I could enable SSL. It errored out:

"Failed to determine the health of the cluster running at
Unexpected response code [503] from calling GET
Cause: master_not_discovered_exception"

I then stopped all the nodes again and set [] to [true] to see if that would allow the cluster to start. I restarted all the nodes, which failed to connect because of missing certs, etc.

I was forced to set [] to [false] on all the nodes to get the cluster back up.

How do I get out of this Catch-22 situation to be able to configure security?

Thanks for any suggestions.

You need to configure security before starting your cluster. The communication between nodes uses the certificates; you do not need a user for it, so you need to create the certificates, configure them in your nodes and start them.

After they start you can then configure the users.

The steps you need to do are in the basic security documentation.

  • Create the Certificate Authority
  • Create the certificates for each node
  • Configure each node to use security and the certificates
  • Start the cluster

After that you can create the users or set up the passwords.

If it helps, I've made a small blog post about configuring security on Elastic 8, but it is pretty similar on 7.17.

Thanks very much for your reply and very complete Blog post. I am reviewing it and preparing my files before starting. In the section "Creating Kibana Certificate" it seems to assume that the Kibana node is a separate system; in my case Kibana is installed on two of the es nodes. In that case, can I use the same instances.yml file that is used to create the certs for the ES nodes earlier in the process? Or do I create one with only the two nodes that host Kibana?

Thanks again.

You just need to make sure that the certificate name is the one for the host you are running.

I followed the procedure and it failed when I restarted the nodes. The first error listed was "unknown setting [] ", which I guessed was perhaps introduced in Version 8. I tried commenting this out on all nodes; it still failed to connect, citing "Error parsing Private Key from: /etc/elasticsearch/certs/es01/es01.key"

I stupidly had pasted the config block setting the location of the certs and keys without changing the path to the correct one matching the host name. I corrected that on all nodes and restarted. I still am trying to make sense out of all the errors that were logged, among them:

[o.e.c.NodeConnectionsService] [es01] failed to connect to {hd6}{qeDqvy-6SFGkOrmb8KSAJQ}{OaFRH4I5RXyDVKZk5ZFo3g}{}{}{dilm}{ml.machine_memory=269701246976, rack=71-7, ml.max_open_jobs=512, xpack.installed=true, ml.max_jvm_size=26843545600, transform.node=false} (tried [1] times)

org.elasticsearch.transport.ConnectTransportException: [hd6][] connect_exception

Caused by:$AnnotatedConnectException: Connection refused:

So I'm not sure where I went off the rails or how to decipher the vast logs to determine what is wrong. I commented out all the settings and was able to bring the cluster back up.

I get the same failure on all nodes:

[2022-12-06T11:40:20,871][ERROR][o.e.b.Bootstrap] [es01] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration []

Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /etc/elasticsearch/certs/es01/es01.key

Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

I'm not sure what this error is. I would recommend that you check the steps and try them again.

Maybe follow the Elastic documentation as well.

Check the paths, variable names, etc., and avoid copying the instructions; type them yourself.
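As an added example (not code from the thread, the blog post or Elastic), a small pre-start check a node's config can be run through before restarting: it flags security enabled without transport SSL, key or certificate paths that belong to a different node, and a passphrase-protected key with no passphrase entry in the keystore. Assumptions: the setting names are Elasticsearch's standard transport TLS settings, the `certs/<node>/<node>.key` layout is taken from the path in the error message, and the YAML and PEM stubs are constructed samples.

```python
import re
from pathlib import Path

SSL = "xpack.security.transport.ssl."

def flat_settings(yml_text):
    """Read flat 'dotted.key: value' lines; commented-out and nested YAML are skipped."""
    out = {}
    for line in yml_text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*:\s*(\S.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("'\"")
    return out

def key_is_encrypted(pem_text):
    # PKCS#8 and legacy OpenSSL PEM keys both announce encryption in plain text.
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text

def preflight(node, yml_text, keystore_entries=(), read=lambda p: Path(p).read_text()):
    """Return a list of problem codes for one node's elasticsearch.yml (empty list = ok)."""
    s, problems = flat_settings(yml_text), []
    if s.get("xpack.security.enabled") == "true" and s.get(SSL + "enabled") != "true":
        problems.append("transport-ssl-disabled")
    has_passphrase = SSL + "secure_key_passphrase" in keystore_entries
    for name in ("key", "certificate"):
        path = s.get(SSL + name)
        if not path:
            problems.append(f"{name}-not-set")
            continue
        if Path(path).stem != node:  # assumed layout: certs/<node>/<node>.key|.crt
            problems.append(f"{name}-belongs-to-other-node")
        try:
            text = read(path)
        except (OSError, KeyError):
            problems.append(f"{name}-unreadable")
            continue
        if name == "key" and key_is_encrypted(text) and not has_passphrase:
            problems.append("encrypted-key-without-passphrase")
    return problems

# Constructed sample: a config block written for es01, pasted unchanged onto hd6.
SAMPLE_YML = """\
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/es01/es01.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/es01/es01.crt
"""
SAMPLE_FILES = {  # constructed PEM stubs, headers only
    "/etc/elasticsearch/certs/es01/es01.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n",
    "/etc/elasticsearch/certs/es01/es01.crt": "-----BEGIN CERTIFICATE-----\n"}

if __name__ == "__main__":
    print(preflight("hd6", SAMPLE_YML, read=SAMPLE_FILES.__getitem__))
```

On a real node, pass the contents of `elasticsearch.yml` and the names printed by `elasticsearch-keystore list` as `keystore_entries`; relative key paths are not resolved against the config directory here.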

