Catch 22 with creating passwords

Running Elastic 7.12 Basic (I assume)

I'm stuck in a Catch 22 - when I enable x-pack security I cannot connect to elastic for setting passwords. When I disable x-pack security, and go to set passwords, it tells me security is not enabled on this system

when I do this:

#xpack.security.enabled: true
#xpack.security.transport.ssl.enabled: true

I can run elastic without authentication
but I want/need to run in secure mode

if I enable or uncomment the above and run bin/elasticsearch-setup-passwords interactive, it says it cannot connect to elastic

can anyone assist me on this? Thanks!

Hi
You need to set up built-in users passwords

The default username is elastic and password is changeme . You can check if authentication is enabled by running the same command you ran to check if Elasticsearch is working.

If I set xpack.security.enabled: true - I cannot use my cluster
If I set xpack.security.enabled: false - I cannot set any passwords
To tell you the truth. I have not even gotten into how to use authenticated users yet
so what's the command for testing if elastic is running while xpack is enabled?

enable xpack and login with elastic:changeme.
Did it work?

also, In order to successfully start elastic with xpack security enabled, I needed to add xpack.security.transport.ssl.enabled: true

could it be that I MUST have an ssl cert in place in order to connect to elastic?

How do I get prompted for a login?

I just tried to load the url for Kibana and get:

{"statusCode":401,"error":"Unauthorized","message":"missing authentication credentials for REST request [/.kibana_7.12.0/_search?from=0&rest_total_hits_as_int=true&size=1000]: security_exception"}

with xpack enabled

Thank you for your help BTW!

I suggest you start from the beginning.

This is my setting for x-pack (in dev machine)

discovery.type: single-node
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full 
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certs/DEV00V01.p12 
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certs/DEV00V01.p12

Not sure what's going on with your settings.

1 Like

I have the second 2 lines of your config and this:
discovery.zen.ping.unicast.hosts: ["192.168.0.4", "192.168.0.2", "192.168.0.3"]

ssl enabled if you want secure login to kibana. i.e https

yes I have ssl enabled, but no cert yet

@ricwhitney

Here is a step by step through that I wrote for a single secured Elasticsearch node with Kibana. It has worked for others.

I am not sure what configuration state you are in, but I would probably start over.

I'll take a Look at your guide.
I just started this morning
I had a successful cluster running yesterday (and can again by commenting the xpack stuff)
1 master node and two data nodes

Just be carefull as you are not running single node. Don't add this.

# Add the rest of these settings at the bottom of the file
discovery.type: single-node

Thanks, I figured I should not

Also did you see this? Trouble with the setup-password command. I am not sure which error you were getting.

Yes I would set up all the certs etc before you try to run the setup-passwords command... My walk through should have the correct "Meta Process" you will just need to make sure you do it all correct on all 3 nodes. setup-passwords is only run once though (in case that was not clear)

setup-passwords only once - on the master only? or once each on the three servers?

Once for the cluster.... Assuming you have a fully formed cluster.

On the master should be fine.

BTW 1 master + 2 Data ... Me I would do 3 Master / Data... more resilient, that is just my perspective.

1 Like

Thank you and Thanks for the perspective