elastic-certificates.p12 was generated using docker-compose with ES image 7.3.0 by the command:
bin/elasticsearch-certutil cert --silent --pass xxxxx -out elastic-certificates.p12
and mounted on all nodes in the ES cluster under /usr/share/elasticsearch/config with permissions:
600 elasticsearch:root elastic-certificates.p12
Containers crashed with these messages in the ES log:
"Caused by: java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]",
"Caused by: java.lang.reflect.InvocationTargetException",
"Caused by: org.elasticsearch.ElasticsearchException: failed to initialize a TrustManagerFactory",
"Caused by: java.io.IOException: keystore password was incorrect",
"Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption."
Any help will be appreciated.
Thanks in advance
Luda
The problem is that you are setting a password for your PKCS#12 file by passing the --pass parameter, but then you're not providing that password to Elasticsearch so that it can decrypt and read your elastic-certificates.p12.
If you want/need to use a password protected keystore/truststore, then you need to set also
Thank you, the masters started now, but in the ES logs there is:
"message": "[xpack.security.transport.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }
Is there a possibility to create a p12 cert without a password?
To be precise, these have not been changed, but password has been deprecated in favor of secure_password.
Possible solution 3
If you can't/don't want to use secure settings, then you can alternatively use elasticsearch-certutil to create a PEM-formatted key and certificate that do not need to be password protected, using the --pem parameter.
This should not be necessary. We assume that the password is blank if it is not specified. Simply create a PKCS#12 file with a blank password, and leave the .password (and .secure_password) unset.
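A small configuration lint, added here as an illustration and not code from the thread or from Elasticsearch, that checks the three situations this thread walks through: a password-protected PKCS#12 with no password configured for it (the "keystore password was incorrect" failure), the deprecated plain-text .password setting in elasticsearch.yml, and a password configured for a store that was created without one. The elasticsearch.yml content is constructed; the keystore entry names are passed in as a set (what bin/elasticsearch-keystore list would print), and whether the file was created with --pass is passed as a flag.

```python
SSL_PREFIX = "xpack.security.transport.ssl."

# Constructed sample elasticsearch.yml resembling the thread's setup: the PKCS#12
# was created with --pass, and only the truststore password is given, in plain text.
SAMPLE_YML = """\
cluster.name: es-docker
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.password: xxxxx
"""


def parse_settings(text):
    """Parse flat 'key: value' lines (the dotted-key style used above); no YAML nesting."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def lint_ssl_stores(settings, keystore_entries, p12_has_password):
    """Return a list of findings (empty when the configuration is consistent).

    keystore_entries: setting names present in the Elasticsearch keystore.
    p12_has_password: True if the PKCS#12 file was generated with --pass.
    """
    findings = []
    for store in ("keystore", "truststore"):
        if SSL_PREFIX + store + ".path" not in settings:
            continue  # this store is not configured at all
        plain = SSL_PREFIX + store + ".password"
        secure = SSL_PREFIX + store + ".secure_password"
        if plain in settings:
            findings.append(f"{plain}: deprecated plain-text setting; "
                            f"move it to {secure} in the Elasticsearch keystore")
        if p12_has_password and plain not in settings and secure not in keystore_entries:
            findings.append(f"{store}: file is password protected but neither {plain} "
                            f"nor {secure} is set; startup fails with "
                            "'keystore password was incorrect'")
        if not p12_has_password and (plain in settings or secure in keystore_entries):
            findings.append(f"{store}: a password is configured but the file has none; "
                            "leave both settings unset, a blank password is assumed")
    return findings
```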