Cluster state is yellow when configuring minimal security

Greetings folks,

I have a cluster with two nodes (node1 and node2) running ELK 7.12. I activated the security feature following this guide: Set up minimal security for Elasticsearch | Elasticsearch Guide [7.12] | Elastic. I followed all the steps and can successfully log in to Kibana with a user/password, but unfortunately my cluster state is yellow and I am unable to reach my second node.

I ran the command ./bin/elasticsearch-setup-passwords interactive from node1. When I try to run the same command from node2, I get the following error:

Checking cluster health: http://10.0.1.5:9200/_cluster/health?pretty
{
  "error" : {
    "root_cause" : [
      {
        "type" : "master_not_discovered_exception",
        "reason" : null
      }
    ],
    "type" : "master_not_discovered_exception",
    "reason" : null
  },
  "status" : 503
}


Failed to determine the health of the cluster running at http://10.0.1.5:9200
Unexpected response code [503] from calling GET http://10.0.1.5:9200/_cluster/health?pretty
Cause: master_not_discovered_exception

It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.

Do you want to continue with the password setup process [y/N]

The result of the cluster health command:

{
  "cluster_name" : "my-cluster",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 14,
  "active_shards" : 14,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 4,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 77.77777777777779
}

elasticsearch.yml for node1:

cluster.name: my-cluster
cluster.initial_master_nodes: ["node1", "node2"]

node.name: node1

# Path to log files:
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
discovery.seed_hosts: ["node1", "node2"]
node.master: true
node.data: true
node.ingest: true
node.ml: false
node.transform: false
node.remote_cluster_client: false

## xpack

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

elasticsearch.yml for node2:

cluster.name: my-cluster
node.name: node2
network.host: 0.0.0.0
discovery.seed_hosts: ["node1", "node2"]
node.master: true
node.data: true
node.ingest: true
node.ml: false
node.transform: false
node.remote_cluster_client: false

## xpack

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true

elasticsearch log from node1:

[2021-04-15T21:32:47,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45270, profile=default}
[2021-04-15T21:32:48,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45274, profile=default}
[2021-04-15T21:32:49,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45278, profile=default}
[2021-04-15T21:32:50,390][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45282, profile=default}
[2021-04-15T21:32:51,393][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45284, profile=default}
[2021-04-15T21:32:52,390][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45286, profile=default}
[2021-04-15T21:32:53,390][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45296, profile=default}
[2021-04-15T21:32:54,390][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/10.0.1.4:9300, remoteAddress=/10.0.1.5:45298, profile=default}

elasticsearch log from node2:

[2021-04-15T21:32:58,325][WARN ][o.e.c.c.ClusterFormationFailureHelper] [node2] master not discovered or elected yet, an election requires one or more nodes that have already participated as master-eligible nodes in the cluster but this node was not master-eligible the last time it joined the cluster, have discovered [{node2}{8IbR4qo-QS-bYp5FuLbEtw}{qk42rRncT8yQVWHrBdHyzg}{10.0.1.5}{10.0.1.5:9300}{cdfhimsw}{xpack.installed=true, transform.node=false}] which is not a quorum; discovery will continue using [10.0.1.4:9300, 127.0.0.1:9300] from hosts providers and [{node2}{8IbR4qo-QS-bYp5FuLbEtw}{qk42rRncT8yQVWHrBdHyzg}{10.0.1.5}{10.0.1.5:9300}{cdfhimsw}{xpack.installed=true, transform.node=false}] from last-known cluster state; node term 26, last-accepted version 769 in term 26
[2021-04-15T21:33:07,251][WARN ][r.suppressed             ] [node2] path: /_license, params: {human=false}
org.elasticsearch.discovery.MasterNotDiscoveredException: null
        at org.elasticsearch.action.support.master.TransportMasterNodeAction$AsyncSingleAction$2.onTimeout(TransportMasterNodeAction.java:219) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cluster.ClusterStateObserver$ContextPreservingListener.onTimeout(ClusterStateObserver.java:324) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cluster.ClusterStateObserver$ObserverClusterStateListener.onTimeout(ClusterStateObserver.java:241) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cluster.service.ClusterApplierService$NotifyTimeout.run(ClusterApplierService.java:590) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:673) [elasticsearch-7.12.0.jar:7.12.0]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630) [?:?]
        at java.lang.Thread.run(Thread.java:832) [?:?]
[2021-04-15T21:33:08,326][WARN ][o.e.c.c.ClusterFormationFailureHelper] [node2] master not discovered or elected yet, an election requires one or more nodes that have already participated as master-eligible nodes in the cluster but this node was not master-eligible the last time it joined the cluster, have discovered [{node2}{8IbR4qo-QS-bYp5FuLbEtw}{qk42rRncT8yQVWHrBdHyzg}{10.0.1.5}{10.0.1.5:9300}{cdfhimsw}{xpack.installed=true, transform.node=false}] which is not a quorum; discovery will continue using [10.0.1.4:9300, 127.0.0.1:9300] from hosts providers and [{node2}{8IbR4qo-QS-bYp5FuLbEtw}{qk42rRncT8yQVWHrBdHyzg}{10.0.1.5}{10.0.1.5:9300}{cdfhimsw}{xpack.installed=true, transform.node=false}] from last-known cluster state; node term 26, last-accepted version 769 in term 26

What am I missing, please?

Can you share your elasticsearch.yml from the two nodes and the relevant part of the nodes' logs?

I added the relevant information to my question :slight_smile:
I ran the command ./bin/elasticsearch-setup-passwords interactive on node1; when I execute the same command on node2, I get the error that the master node wasn't discovered yet, and in my conf both nodes are in the same cluster.

You only run the command ./bin/elasticsearch-setup-passwords interactive once for a cluster; there is a warning in the documentation about that.

You also have this error in your logs: received plaintext traffic on an encrypted channel

This problem is probably caused by the fact that you secured the communications between the nodes but did not set the certificates.

You have this config in your elasticsearch.yml.

xpack.security.transport.ssl.enabled: true

For this to work you need to create a certificate and configure it on your nodes; you can do that by following this part of the documentation.

Or you can remove the line xpack.security.transport.ssl.enabled from your elasticsearch.yml and let the nodes communicate with each other using plaintext.

The minimal security tutorial that you followed does not cover the configuration related to the communication between the nodes that you are using in your elasticsearch.yml. You need to follow the basic security tutorial, which is about securing the communication between the nodes.

The main security documentation page describes the security layers that you have.
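
Added example (not part of the thread, and not Elastic's own tooling): a POSIX shell filter that groups the "received plaintext traffic on an encrypted channel" warnings by peer address, showing which host is still connecting to the transport port without TLS and over what time window. The function names and the sample lines are constructed here in the format of the node1 log above, using documentation-range addresses.

```shell
#!/bin/sh
# Added example: summarise plaintext-on-TLS-channel warnings per remote peer.

# Constructed sample input in the format of the node1 log shown in the thread.
sample_log() {
cat <<'EOF'
[2021-04-15T21:32:47,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/192.0.2.4:9300, remoteAddress=/192.0.2.5:45270, profile=default}
[2021-04-15T21:32:48,100][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/192.0.2.4:9300, remoteAddress=/192.0.2.7:51000, profile=default}
[2021-04-15T21:32:48,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/192.0.2.4:9300, remoteAddress=/192.0.2.5:45274, profile=default}
[2021-04-15T21:32:49,389][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node1] received plaintext traffic on an encrypted channel, closing connection Netty4TcpChannel{localAddress=/192.0.2.4:9300, remoteAddress=/192.0.2.5:45278, profile=default}
[2021-04-15T21:32:50,000][INFO ][o.e.n.Node               ] [node1] started
EOF
}

# Reads Elasticsearch log lines on stdin.
# Prints one line per peer: <peer-address> <count> <first-seen> <last-seen>
plaintext_peers() {
  # Keep only the warning of interest; emit "<peer> <timestamp>".
  # [^,]* followed by :<port>, backtracks to the last colon, so an IPv6
  # peer address containing colons is kept whole.
  sed -n 's|^\[\([^]]*\)\].*received plaintext traffic on an encrypted channel.*remoteAddress=/\([^,]*\):[0-9][0-9]*,.*|\2 \1|p' |
  awk '{
         n[$1]++
         if (!($1 in first)) first[$1] = $2
         last[$1] = $2
       }
       END { for (p in n) print p, n[p], first[p], last[p] }' |
  sort
}

# Stand-alone run over the constructed sample.
sample_log | plaintext_peers
```

Each address in the output is a peer whose transport client is not negotiating TLS with this node, so that peer's transport SSL settings and restart state are the place to look. Feed the node's real log file to plaintext_peers on stdin to run it against live data.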

Thanks for your reply. I followed the documentation you mentioned to set up a certificate for each node, and when starting Elasticsearch it raises the following errors:

org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:462) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:292) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$17(Node.java:567) ~[elasticsearch-7.12.0.jar:7.12.0]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
    .......
    
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) [elasticsearch-cli-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.Command.main(Command.java:79) [elasticsearch-cli-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) [elasticsearch-7.12.0.jar:7.12.0]
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/elastic-certificates.p12]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.unreadableTrustConfigFile(TrustConfig.java:122) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:71) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        ... 26 more
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) ~[?:?]
        at java.nio.file.Files.newByteChannel(Files.java:375) ~[?:?]
        at java.nio.file.Files.newByteChannel(Files.java:426) ~[?:?]
        at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
        at java.nio.file.Files.newInputStream(Files.java:160) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:96) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        ... 26 more
[2021-04-16T13:56:37,362][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node2] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/elastic-certificates.p12]]; nested: AccessDeniedException[/etc/elasticsearch/elastic-certificates.p12];
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) ~[elasticsearch-cli-7.12.0.jar:7.12.0]
        at org.elasticsearch.cli.Command.main(Command.java:79) ~[elasticsearch-cli-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) ~[elasticsearch-7.12.0.jar:7.12.0]
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:462) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:292) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$17(Node.java:567) ~[elasticsearch-7.12.0.jar:7.12.0]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
        at org.elasticsearch.node.Node.<init>(Node.java:571) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.12.0.jar:7.12.0]
......
        ... 6 more
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/elastic-certificates.p12]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.unreadableTrustConfigFile(TrustConfig.java:122) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:71) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:462) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:292) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$17(Node.java:567) ~[elasticsearch-7.12.0.jar:7.12.0]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
        at org.elasticsearch.node.Node.<init>(Node.java:571) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.12.0.jar:7.12.0]
        ... 6 more
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:90) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106) ~[?:?]
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218) ~[?:?]
        at java.nio.file.Files.newByteChannel(Files.java:375) ~[?:?]
        at java.nio.file.Files.newByteChannel(Files.java:426) ~[?:?]
        at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]
        at java.nio.file.Files.newInputStream(Files.java:160) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:96) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1224) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
        ....
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.12.0.jar:7.12.0]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.12.0.jar:7.12.0]
        ... 6 more

And in elasticsearch.yml I added the following lines:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

As for removing xpack.security.transport.ssl.enabled: true, I already did that, but Elasticsearch failed to start -> systemd-entrypoint[10480]: bootstrap check failure [1] of [1]: Transport SSL must be enabled if security is enabled on a [basic] license. Please set [xpack.security.transport.ssl.enabled] to [true] or disable security by setting [xpack.security.enabled] to [false]. Elasticsearch kind of forces me to keep transport SSL.

Yeah, you are right, you will need to use TLS between the nodes.

The error you are getting now is caused by this:

Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/elastic-certificates.p12

Which means that the elasticsearch user can't access the file.

What are the permissions for the file? The elasticsearch user or group should have access to the file.

Try the following commands:

sudo chmod 644 /etc/elasticsearch/elastic-certificates.p12
sudo chown root:elasticsearch /etc/elasticsearch/elastic-certificates.p12

This should work as it will make the file readable by the elasticsearch group, but I'm assuming that you are running elasticsearch as a service.

Thanks, it worked :smiley:. Indeed, there was insufficient permission on the elastic-certificates.p12 file. Before, the permission was -rw------- 1 root elasticsearch 3443 Apr 16 13:21 elastic-certificates.p12; after running chmod 644 elastic-certificates.p12 it grants the correct permission -> -rw-r--r-- 1 root elasticsearch 3443 Apr 16 13:21 elastic-certificates.p12, and the cluster state is now green :slight_smile:
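
Added example (not part of the thread): a shell check that classifies a keystore's mode and ownership as unreadable by the service account, readable but also world-readable, or readable by the service only. The PKCS#12 file produced by elasticsearch-certutil contains the node's private key, so the check separates the 600 state that caused the AccessDeniedException above, the 644 state after the fix, and 640, which gives the elasticsearch group the same read access without exposing the key to every local account. Function names are chosen here; the defaults assume the service runs as user and group elasticsearch, that this group is the only one granting it access, and that GNU stat is available.

```shell
#!/bin/sh
# Added example: audit permissions on the transport keystore.

# has_read DIGIT -> success if the octal permission digit includes read (4)
has_read() { [ $(( $1 & 4 )) -ne 0 ]; }

# keystore_verdict MODE OWNER GROUP SVC_USER SVC_GROUP
# Prints one of: unreadable | world-readable | ok
keystore_verdict() {
  # Keep the last three octal digits (drops a leading 0 or setuid/setgid digit).
  perm=$(printf '%s' "$1" | sed 's/.*\(...\)$/\1/')
  u=${perm%??}                # owner digit
  g=${perm#?}; g=${g%?}       # group digit
  o=${perm#??}                # other digit

  # Unix picks exactly one permission class for the accessing user.
  if   [ "$2" = "$4" ]; then digit=$u
  elif [ "$3" = "$5" ]; then digit=$g
  else                       digit=$o
  fi

  if ! has_read "$digit"; then
    echo unreadable          # service cannot open the keystore
  elif has_read "$o"; then
    echo world-readable      # works, but any local user can read the key
  else
    echo ok                  # readable by the service, not by everyone
  fi
}

# check_keystore PATH [SVC_USER] [SVC_GROUP]: same verdict for a file on disk.
check_keystore() {
  meta=$(stat -c '%a %U %G' "$1") || return 2
  # Intentional word splitting: $meta is "mode owner group".
  keystore_verdict $meta "${2:-elasticsearch}" "${3:-elasticsearch}"
}

# The states relevant to this thread, with owner root and group elasticsearch.
for m in 600 644 640; do
  printf '%s root:elasticsearch -> %s\n' "$m" \
    "$(keystore_verdict "$m" root elasticsearch elasticsearch elasticsearch)"
done
```

On a node, check_keystore /etc/elasticsearch/elastic-certificates.p12 reports the verdict for the file named in the thread's configuration.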
