Creation/error of an X.509 certificate

Hello,

I'm trying to produce an X.509 crt and key for 4 instances that I have saved in a .yml file (Elastic, Kibana, Winlogbeat and Metricbeat).

I was trying to run the command /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca --pem --in instances.yml --out certs.zip to produce a ca.crt for the authority and a .crt and a .key for each instance.

When I run this command and the system prompts me to enter a password for the CA, I receive the error:

Exception in thread "main" java.nio.file.NoSuchFileException: --pem
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:422)
	at java.base/java.nio.file.Files.newInputStream(Files.java:160)
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:71)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyPairsFromKeystore(CertParsingUtils.java:105)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:96)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:366)
	at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:1027)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:361)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:347)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.getCAInfo(CertificateTool.java:759)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:701)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
	at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

I tried to modify the command but it doesn't work.

Could you help me?
Thank you

Hi @EExisT
The command is expecting the path to the CA file that you should have created in your first step:

bin/elasticsearch-certutil ca

That would create the CA, which you would pass in on the next command that you're trying to run:

--ca <file_path>
Specifies the path to an existing CA key pair (in PKCS#12 format). This parameter cannot be used with the ca or csr parameters.

You're not providing a file, so it's looking at the next option, --pem, thinking it's a file, just as the error suggests.


Hi @stephenb,

When I try to pass the path of the CA I receive the following error:

Command

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca ./ca.crt --pem --in instances.yml --out certs.zip

Error

Exception in thread "main" java.nio.file.NoSuchFileException: ca.key
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:422)
	at java.base/java.nio.file.Files.newInputStream(Files.java:160)
	at org.elasticsearch.common.ssl.KeyStoreUtil.readKeyStore(KeyStoreUtil.java:71)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyPairsFromKeystore(CertParsingUtils.java:105)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:96)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:366)
	at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:1027)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:361)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:347)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.getCAInfo(CertificateTool.java:759)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:701)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
	at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

Please share the command you used to create the CA... if you did .pem style you have to provide the private key as well and use this format as shown in the docs

(cert ([--ca <file_path>] | [--ca-cert <file_path> --ca-key <file_path>]

The Flow for creating certs is

Create a CA
Then use that CA to generate certificates.

I gave the following command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca ./ca.crt --pem --in instances.yml --out certs.zip

So, I must give now also the .key path.
I will give this command:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert ./ca.crt --ca-key ./ca.key --pem --in instances.yml --out certs.zip

Is it right?

Please show the command you used to generate the CA. It would look like... but yes, perhaps. I don't know, because you did not show me the command that created it.

There are 2 steps to generate certs see here

Step 1: Create a CA (you need to show me this, or perhaps you did not run that).
Step 2: Use the CA to create the certs; this seems to be what you are trying to do.

We can help much better if you show all your steps...

Sorry @stephenb I misunderstood.

To produce the CA I gave this

/usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem 

This produced a zip that I unzipped and that I quoted above.
Thank you :)

So yes use

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert ./ca.crt --ca-key ./ca.key --pem --in instances.yml --out certs.zip

assuming all the paths are correct.

When you create .pem there are always two parts: the cert and the key.

So now I gave the command /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert ./ca.crt --ca-key ./ca.key --pem --in instances.yml --out certs.zip, being in the CA directory, where there are both CA files (crt and key), but I get this...

Exception in thread "main" java.nio.file.NoSuchFileException: ca.crt
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:422)
	at java.base/java.nio.file.Files.newInputStream(Files.java:160)
	at org.elasticsearch.common.ssl.PemUtils.readCertificates(PemUtils.java:689)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readX509Certificate(CertParsingUtils.java:53)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPemCA(CertificateTool.java:386)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:349)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.getCAInfo(CertificateTool.java:759)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:701)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
	at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

which seems to be the same as the previous error.

It says it can't find the files... where are the files? Provide full paths to the files:

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /full/path/to/file/ca.crt --ca-key /full/path/to/file/ca.key --pem --in /full/path/to/file/instances.yml --out /full/path/to/file/certs.zip

Try running from

cd /usr/share/elasticsearch
./bin/elasticsearch-certutil cert --ca-cert ./ca.crt --ca-key ./ca.key --pem --in instances.yml --out certs.zip

or provide the full path to the files, or wherever you ran the command from before... this is just that it can't find the files.

Hi @stephenb

/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert ./usr/share/elasticsearch/ca/ca.crt --ca-key ./usr/share/elasticsearch/ca/ca.key --pem --in instances.yml --out certs2.zip

This is the command with the full path of the ca.

Exception in thread "main" java.nio.file.NoSuchFileException: usr/share/elasticsearch/ca/ca.crt
	at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
	at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
	at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
	at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
	at java.base/java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:422)
	at java.base/java.nio.file.Files.newInputStream(Files.java:160)
	at org.elasticsearch.common.ssl.PemUtils.readCertificates(PemUtils.java:689)
	at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readX509Certificate(CertParsingUtils.java:53)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPemCA(CertificateTool.java:386)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:349)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.getCAInfo(CertificateTool.java:759)
	at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:701)
	at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:54)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:94)
	at org.elasticsearch.xpack.security.cli.CertificateTool.execute(CertificateTool.java:160)
	at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:85)
	at org.elasticsearch.cli.Command.main(Command.java:50)
	at org.elasticsearch.launcher.CliToolLauncher.main(CliToolLauncher.java:64)

As you can see, the path is correct.

root@ubuntu-linux-22-04-desktop:/usr/share/elasticsearch/ca# pwd
/usr/share/elasticsearch/ca
root@ubuntu-linux-22-04-desktop:/usr/share/elasticsearch/ca# ls -l
totale 8
-rw-r--r-- 1 root root 1200 ott 21 16:32 ca.crt
-rw-r--r-- 1 root root 1679 ott 21 16:32 ca.key

It WORKS!

I gave the full paths for the ca.crt, ca.key, input and output files and it produced the certificates... I don't know why, because the files were all in the path where I was located... however, thanks for the support @stephenb
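
The three failures in this thread (`--ca` given no file, `--ca` given a PEM certificate, and relative paths that were not found) can be caught before calling `elasticsearch-certutil cert`. The following shell helper is an added example, not part of the original posts or of Elastic's tooling: the function names `abspath`, `key_is_private` and `ca_args` are made up here, and it assumes a file whose first line is a PEM certificate header is a PEM CA and anything else is PKCS#12. It also warns when the CA key is readable by group or other, as the `-rw-r--r--` listing for ca.key above shows.

```shell
#!/bin/sh
# Added example: pre-flight check for the CA arguments of
# `elasticsearch-certutil cert`. Helper names are hypothetical.

# Resolve a path to an absolute one, so the result does not depend on
# which directory relative paths end up being resolved against.
abspath() {
    [ -e "$1" ] || { echo "missing file: $1" >&2; return 1; }
    ( cd "$(dirname "$1")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Succeed only if group and other have no permission bits on the file.
# Columns 5-10 of `ls -l` are the group and other rwx triplets.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the CA arguments to pass to `elasticsearch-certutil cert`.
#   ca_args CA_FILE [CA_KEY_FILE]
# Return codes: 1 missing file, 2 PEM CA without key, 3 key is not PEM.
# Paths containing spaces must be quoted by the caller before reuse.
ca_args() {
    ca=$(abspath "$1") || return 1
    if head -n 1 "$ca" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        # PEM CA (created with `ca --pem`): cert and key are two files.
        [ -n "$2" ] || { echo "PEM CA: --ca-key is required too" >&2; return 2; }
        key=$(abspath "$2") || return 1
        grep -q -- 'PRIVATE KEY-----' "$key" || {
            echo "not a PEM private key: $key" >&2; return 3; }
        key_is_private "$key" ||
            echo "warning: $key is readable by group/other; chmod 600" >&2
        printf '%s\n' "--ca-cert $ca --ca-key $key"
    else
        # Assumption: anything that is not a PEM certificate is PKCS#12.
        printf '%s\n' "--ca $ca"
    fi
}

# Usage (paths as in the thread):
#   ca_args ./ca.crt ./ca.key
```

The printed arguments can be pasted into the `cert` command together with absolute paths for `--in` and `--out`.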
