Documentation of elasticsearch-certutil is wrong for parameter --pass

The documentation states that

If you want to specify a blank password (without prompting), use --pass "" (with no =).

But that seems to be wrong:

$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip --pass ""
Exception in thread "main" java.lang.IllegalArgumentException: password empty
        at org.bouncycastle.jcajce.provider.symmetric.OpenSSLPBKDF$PBKDF.engineGenerateSecret(Unknown Source)
        at javax.crypto.SecretKeyFactory.generateSecret(SecretKeyFactory.java:330)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
        at org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcePEMEncryptorBuilder$1.encrypt(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.createPemObject(Unknown Source)
        at org.bouncycastle.openssl.MiscPEMGenerator.generate(Unknown Source)
        at org.bouncycastle.util.io.pem.PemWriter.writeObject(Unknown Source)
        at org.bouncycastle.openssl.jcajce.JcaPEMWriter.writeObject(Unknown Source)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$0(CertificateTool.java:798)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:936)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.lambda$generateAndWriteSignedCertificates$1(CertificateTool.java:797)
        at org.elasticsearch.xpack.security.cli.CertificateTool.lambda$fullyWriteZipFile$0(CertificateTool.java:950)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:994)
        at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteZipFile(CertificateTool.java:947)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$500(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.generateAndWriteSignedCertificates(CertificateTool.java:765)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:700)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

Not specifying the parameter at all works, though:

$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --silent -in /etc/elasticsearch/instances.yml --out /tmp/elasticsearch-ssl-certs.zip

Installed version: 6.4.2 (https://artifacts.elastic.co/packages/6.x/apt)


Thanks for noticing this and reporting it!

Could I ask you to open an issue on the Elasticsearch repository about this? We use GitHub to track bugs (including documentation bugs!) and it's most likely to get fixed if there's an open issue about it.


Sure! https://github.com/elastic/elasticsearch/issues/35285
Thanks for your quick reply! :+1:


The documentation is not very clear, but it's technically correct. (I say that not to be argumentative, just to explain what is happening here).

--pass "" does indeed specify a blank password. But PEM files don't support blank passwords, so you get the error that you saw.

Note that a blank password is different from "no password". You can have a PEM file with no password (an unencrypted key) but you cannot have one that is encrypted with the blank password.

That's different for PKCS#12, where you are required to have a password, but it is allowed to be blank.

I'll get the docs updated to be more clear about this, but if you just want a PEM file with no password, don't specify --pass at all.
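Added example (not code from Elastic, the certutil tool, or anyone in this thread) to make the "no password" versus "blank password" distinction above concrete and checkable. It parses PEM with only the Python standard library: an unencrypted key has no PEM headers and a plain PRIVATE KEY / RSA PRIVATE KEY / EC PRIVATE KEY label, a key encrypted in the legacy OpenSSL style (the OpenSSLPBKDF code path visible in the stack trace) carries the "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers, and a PKCS#8 encrypted key uses the ENCRYPTED PRIVATE KEY label. There is no third state for "encrypted with an empty password". The zip layout (ca/ca.key, node-1/node-1.key, ...) and all key bytes are constructed placeholders, not real output of certutil and not real key material.

```python
"""Audit a PEM bundle: which private keys are unencrypted?

Added example, not Elastic project code. Standard library only.
A key is either unencrypted (no PEM headers) or encrypted (legacy
Proc-Type/DEK-Info headers, or the PKCS#8 ENCRYPTED PRIVATE KEY label).
"""
import base64
import io
import re
import zipfile

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def parse_pem_block(match):
    """Return (label, headers, der_bytes) for one matched PEM block."""
    label = match.group("label")
    lines = match.group("body").splitlines()
    headers, i = {}, 0
    # "Key: Value" headers precede the base64 payload; base64 never
    # contains ':' so the loop stops at the first payload or blank line.
    while i < len(lines) and ":" in lines[i]:
        key, _, value = lines[i].partition(":")
        headers[key.strip()] = value.strip()
        i += 1
    payload = "".join(line.strip() for line in lines[i:])
    return label, headers, base64.b64decode(payload, validate=True)


def classify_pem(pem_text):
    """Classify every PEM block: kind, whether encrypted, and the cipher if known."""
    results = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, headers, _der = parse_pem_block(match)
        entry = {"label": label, "kind": "other", "encrypted": False, "cipher": None}
        if label == "CERTIFICATE":
            entry["kind"] = "certificate"
        elif label == "ENCRYPTED PRIVATE KEY":
            # PKCS#8 EncryptedPrivateKeyInfo: password-protected by definition;
            # the algorithm identifier lives inside the DER, not in a header.
            entry.update(kind="private-key", encrypted=True, cipher="PKCS#8")
        elif label in PRIVATE_KEY_LABELS:
            entry["kind"] = "private-key"
            # Legacy OpenSSL encryption is signalled only by these two headers.
            if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
                entry["encrypted"] = True
                entry["cipher"] = headers["DEK-Info"].split(",")[0]
        results.append(entry)
    return results


def unprotected_keys_in_zip(zip_bytes):
    """Names of zip members that hold an unencrypted private key (e.g. a --out bundle)."""
    unprotected = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".key"):
                continue
            text = zf.read(name).decode("ascii", errors="replace")
            if any(e["kind"] == "private-key" and not e["encrypted"] for e in classify_pem(text)):
                unprotected.append(name)
    return sorted(unprotected)


# --- constructed sample input (NOT real key material, NOT certutil output) ---
FAKE_DER = base64.b64encode(b"constructed placeholder, not a real key").decode()
UNENCRYPTED_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_DER}\n-----END RSA PRIVATE KEY-----\n"
LEGACY_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,000102030405060708090A0B0C0D0E0F\n"
    "\n"
    f"{FAKE_DER}\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PKCS8_ENCRYPTED_KEY = f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{FAKE_DER}\n-----END ENCRYPTED PRIVATE KEY-----\n"
CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_DER}\n-----END CERTIFICATE-----\n"


def build_sample_bundle():
    """In-memory zip with a layout assumed to resemble a --pem bundle (hypothetical)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ca/ca.crt", CERT)
        zf.writestr("ca/ca.key", LEGACY_ENCRYPTED_KEY)
        zf.writestr("node-1/node-1.crt", CERT)
        zf.writestr("node-1/node-1.key", UNENCRYPTED_KEY)
        zf.writestr("node-2/node-2.key", PKCS8_ENCRYPTED_KEY)
    return buf.getvalue()


if __name__ == "__main__":
    for name in unprotected_keys_in_zip(build_sample_bundle()):
        print("unencrypted private key:", name)
```

Run it against a real bundle by feeding the zip's bytes to unprotected_keys_in_zip: a key generated without --pass must appear in the list, and one generated with a real password must not. If a key shows up that you believed was protected, the encryption step never ran, which is exactly the situation a silent `--pass ""` failure would leave you in if the exception were swallowed.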
