Create Certs fails following docker tls tutorial

I am following the tutorial to install docker.
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls-docker.html

When I run docker-compose -f create-certs.yml run --rm create_certs

I get the following error:

[elastic-stack@dh7 ~]$ docker-compose -f create-certs.yml run --rm create_certs
Creating network "es_default" with the default driver
Creating volume "es_certs" with default driver
Pulling create_certs (docker.elastic.co/elasticsearch/elasticsearch:7.6.2)...
Trying to pull repository docker.elastic.co/elasticsearch/elasticsearch ... 
7.6.2: Pulling from docker.elastic.co/elasticsearch/elasticsearch
c808caf183b6: Already exists
d6caf8e15a64: Pull complete
b0ba5f324e82: Pull complete
d7e8c1e99b9a: Pull complete
85c4d6c81438: Pull complete
3119218fac98: Pull complete
914accf214bb: Pull complete
Digest: sha256:59342c577e2b7082b819654d119f42514ddf47f0699c8b54dc1f0150250ce7aa
Status: Downloaded newer image for docker.elastic.co/elasticsearch/elasticsearch:7.6.2
Exception in thread "main" java.nio.file.AccessDeniedException: /usr/share/elasticsearch/config/certificates/instances.yml
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:90)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:374)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:425)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420)
	at java.base/java.nio.file.Files.newInputStream(Files.java:159)
	at java.base/java.nio.file.Files.newBufferedReader(Files.java:2915)
	at java.base/java.nio.file.Files.newBufferedReader(Files.java:2947)
	at org.elasticsearch.xpack.security.cli.CertificateTool.parseFile(CertificateTool.java:916)
	at org.elasticsearch.xpack.security.cli.CertificateTool.parseAndValidateFile(CertificateTool.java:889)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCertificateInformationList(CertificateTool.java:400)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:686)
	at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:91)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125)
	at org.elasticsearch.cli.Command.main(Command.java:90)
	at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)
unzip:  cannot find or open /certs/bundle.zip, /certs/bundle.zip.zip or /certs/bundle.zip.ZIP.

Thanks in advance for any help you can provide.

Hi there, can you share your create-certs.yml? It looks like a permission error.

Actually, I have solved the issue.

I added a :z to my volume mappings in docker compose.

    volumes:
      - data01:/usr/share/elasticsearch/data:z
      - certs:$CERTS_DIR:z
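
An added example, not part of the thread or of Elastic's tutorial: the :z suffix asks Docker to relabel the mounted content with a shared SELinux label, so this sketch lists the short-syntax volume entries in a compose file and reports host-path bind mounts that carry no z or Z option. The compose text is a constructed sample, and the function names and the minimal line-based parser are assumptions made for illustration.

```python
# Added example (not from the thread): audit compose volume entries for SELinux labels.
from pathlib import Path

# Constructed sample; paths echo the ones in the thread's output and fix.
SAMPLE = """\
services:
  create_certs:
    volumes:
      - certs:/certs
      - .:/usr/share/elasticsearch/config/certificates
  es01:
    volumes:
      - data01:/usr/share/elasticsearch/data:z
      - ./extra:/usr/share/elasticsearch/config/extra:ro,Z
volumes:
  data01:
  certs:
"""

def selinux_enforcing(path="/sys/fs/selinux/enforce"):
    """True/False from the kernel's selinuxfs, None when SELinux is absent."""
    try:
        return Path(path).read_text().strip() == "1"
    except OSError:
        return None

def volume_entries(compose_text):
    """Yield short-syntax 'SOURCE:TARGET[:OPTIONS]' items under each 'volumes:' key."""
    inside, key_indent = False, 0
    for line in compose_text.splitlines():
        text, indent = line.strip(), len(line) - len(line.lstrip())
        if text == "volumes:":
            inside, key_indent = True, indent
        elif inside and text.startswith("- ") and indent >= key_indent:
            yield text[2:].strip().strip("'\"")
        elif inside and text and indent <= key_indent:
            inside = False

def selinux_label(entry):
    """Return 'z' (shared), 'Z' (private) or None for one volume entry."""
    parts = entry.split(":")
    options = parts[2].split(",") if len(parts) >= 3 else []
    return next((o for o in options if o in ("z", "Z")), None)

def unlabelled_bind_mounts(compose_text):
    """Host-path sources (., /, ~) mounted without a relabel option."""
    return [e for e in volume_entries(compose_text)
            if e.startswith((".", "/", "~")) and selinux_label(e) is None]

if __name__ == "__main__":
    print("SELinux enforcing:", selinux_enforcing())
    for entry in unlabelled_bind_mounts(SAMPLE):
        print("no :z/:Z on bind mount:", entry)
```

Both z and Z relabel the host files themselves, so they should not be applied to system directories such as /home or /usr.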
