Connection reset by peer - Shield RedHat

Elastic Stack Elasticsearch
1

Hi all,

I'm trying to install shield 2.4.4 along with elasticsearch 2.4.0 on RedHat Linux 7.3. When I install elasticsearch without shield I can query elasticsearch successfully using curl -X GET 'http://10.4.04:9200'

I install shield using:

/usr/share/elasticsearch/bin/plugin install license
/usr/share/elasticsearch/bin/plugin install shield

which looks like it works ok. When I query the elasticsearch service I can see:

sudo systemctl status elasticsearch.service -l
[sudo] password for owa_admin:
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2017-06-09 13:04:42 UTC; 11min ago
Docs: http://www.elastic.co
Process: 11017 ExecStartPre=/usr/share/elasticsearch/bin/elasticsearch-systemd-pre-exec (code=exited, status=0/SUCCESS)
Main PID: 11019 (java)
CGroup: /system.slice/elasticsearch.service
└─11019 /bin/java -Xms256m -Xmx1g -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -XX:+DisableExplicitGC -Dfile.encoding=UTF-8 -Djna.nosys=true -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/elasticsearch-2.4.0.jar:/usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch start -Des.pidfile=/var/run/elasticsearch/elasticsearch.pid -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.conf=/etc/elasticsearch

Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at java.nio.file.Files.newByteChannel(Files.java:361)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at java.nio.file.Files.newByteChannel(Files.java:407)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at java.nio.file.Files.newInputStream(Files.java:152)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at org.elasticsearch.shield.ssl.AbstractSSLService$SSLContextCacheLoader.readKeystore(AbstractSSLService.java:258)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: at org.elasticsearch.shield.ssl.AbstractSSLService$SSLContextCacheLoader.trustManagers(AbstractSSLService.java:245)
Jun 09 13:10:07 owausadata-0 elasticsearch[11019]: ... 24 more

which looks like there's an error there.

I can create an admin user using /usr/share/elasticsearch/bin/shield/esusers useradd es_admin -r admin
which works successfully. Now when I try and query elasticsearch using this user I get

curl -u es_admin -XGET 'http://10.4.0.4:9200/'
Enter host password for user 'es_admin':
curl: (56) Recv failure: Connection reset by peer

Have I missed a step or any pointers how to get this working?

Regards

2

It looks like you've enabled TLS (SSL) on your elasticsearch server. This is a feature of shield, but it is not enabled by default.

Did you explicitly set any shield.ssl.* settings in your config file?

3

Schlumberger-Private
Hi Tim,

Thanks for that. I copied the config file from another system with ssl turned on and that was the issue.

Many thanks

Regards,
Kenneth

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.