I am attempting to enable Minimal security on a 7 node V7.17.7 cluster using the Basic license, with the intent of moving on to Basic Security to allow us to upgrade to the latest version. I am working from this set of instructions, which I've attempted to use several times now.
I got as far as completing step 1 under "Create password for built-in users". As soon as I restarted the first node, I got this error:
"bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]"
The logs showed that SSL failed attempting to connect with the other nodes. (Not surprising, as this was not configured yet.)
I attempted to run elasticsearch-setup-passwords so that I could enable SSL. It errored out:
I then stopped all the nodes again and set [xpack.security.transport.ssl.enabled] to [true] to see if that would allow the cluster to start. I restarted all the nodes, which failed to connect because of missing certs, etc.
I was forced to set [xpack.security.enabled] to [false] on all the nodes to get the cluster back up.
How do I get out of this Catch-22 situation to be able to configure security?
You need to configure security before starting your cluster. The communication between nodes uses the certificates; you do not need a user for it. So you need to create the certificates, configure them in your nodes and start them.
After they start you can then configure the users.
Thanks very much for your reply and very complete Blog post. I am reviewing it and preparing my files before starting. In the section "Creating Kibana Certificate" it seems to assume that the Kibana node is a separate system; in my case Kibana is installed on two of the es nodes. In that case, can I use the same instances.yml file that is used to create the certs for the ES nodes earlier in the process? Or do I create one with only the two nodes that host Kibana?
I followed the procedure and it failed when I restarted the nodes. The first error listed was "unknown setting [xpack.security.autoconfiguration.enabled]", which I guessed was perhaps introduced in Version 8. I tried commenting this out on all nodes, still failed to connect citing "Error parsing Private Key from: /etc/elasticsearch/certs/es01/es01.key"
I stupidly had pasted the config block setting the location of the certs and keys without changing the path to the correct one matching the host name. I corrected that on all nodes and restarted. I still am trying to make sense out of all the errors that were logged, among them:
So I'm not sure where I went off the rails or how to decipher the vast logs to determine what is wrong. I commented out all the xpack.security settings and was able to bring the cluster back up.
[2022-12-06T11:40:20,871][ERROR][o.e.b.Bootstrap] [es01] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
Caused by: java.lang.IllegalStateException: Error parsing Private Key from: /etc/elasticsearch/certs/es01/es01.key
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
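A pre-restart check for the configuration mistakes that came up in this thread (security enabled without transport SSL, the setting reported as unknown, certificate paths copied from another node), which also reports a passphrase-protected key. This is an added example, not part of the original posts or of Elasticsearch; the function names, the flat `key: value` parsing and the assumed `certs/<node>/<node>.key` layout are illustrative assumptions.

```python
from pathlib import Path

TLS = "xpack.security.transport.ssl."

def parse_settings(yml_text):
    """Read flat 'dotted.key: value' lines, the style used in elasticsearch.yml."""
    settings = {}
    for raw in yml_text.splitlines():
        line = raw.split(" #")[0].strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def key_is_encrypted(pem_text):
    """True for PKCS#8 encrypted keys and legacy OpenSSL encrypted PEM keys."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem_text or "Proc-Type: 4,ENCRYPTED" in pem_text

def preflight(yml_text, node_name, config_dir):
    """Return a list of problems to fix before restarting this node."""
    s, problems = parse_settings(yml_text), []
    if s.get("xpack.security.enabled") == "true" and s.get(TLS + "enabled") != "true":
        problems.append("security enabled without transport SSL (bootstrap check fails)")
    if "xpack.security.autoconfiguration.enabled" in s:
        problems.append("xpack.security.autoconfiguration.enabled is an unknown setting here")
    if s.get(TLS + "enabled") != "true":
        return problems  # no transport TLS files to inspect
    for name in ("key", "certificate"):
        value = s.get(TLS + name)
        if not value:
            problems.append(f"{TLS}{name} is not set")
            continue
        path = Path(config_dir) / value  # relative paths resolve against the config dir
        if not path.is_file():
            problems.append(f"{path} does not exist")
            continue
        # Assumed layout certs/<node>/<node>.key: catches paths pasted from another node.
        if path.stem != node_name:
            problems.append(f"{path} does not look like it belongs to {node_name}")
        if name == "key" and key_is_encrypted(path.read_text(errors="replace")):
            problems.append(f"{path} is encrypted: keystore passphrase must match it")
    return problems

if __name__ == "__main__":
    # Constructed sample: es01's config block pasted unchanged onto node es02.
    sample = f"xpack.security.enabled: true\n{TLS}enabled: true\n{TLS}key: certs/es01/es01.key\n"
    print(preflight(sample, "es02", "/etc/elasticsearch"))
```

Run it against each node's own `elasticsearch.yml` and node name before restarting; an empty list means none of these checks fired.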