Does not exist]; nested: NoSuchFileException [/usr/share/elasticsearch/config/certificates/ca/ca.crt]

Teed · April 23, 2020, 3:07pm

I have a docker-compose with several Elasticsearch nodes, I need to put them auth and ssl.

But it sends me an error like this:
ElasticsearchSecurityException [failed to load SSL configuration [xpack.security.http.ssl]]; nested: ElasticsearchException [failed to initialize SSL TrustManager - certificate_authorities file [/usr/share/elasticsearch/config/certificates/ca/ca.crt] does not exist]; nested: NoSuchFileException [/usr/share/elasticsearch/config/certificates/ca/ca.crt];

I have these volumes:

volumes:
- '/ var / lib / pgsql / docker / elasticsearch / data: / usr / share / elasticsearch / data'
- certs: $ CERTS_DIR

ikakavas · April 23, 2020, 3:48pm

Please don't post unformatted code, logs, or configuration as it's very hard to read. In this specific case we can't be sure if your volumes definition is find or if you have added extra spaces by mistake here or in your docker compose file.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Also, please err on the side of providing more information if you are unsure. What you have shared so far is not really enough for anyone in these forums to help you out. What is $CERTS_DIR , where is it defined ? Also, why do you expect to have certificate in /usr/share/elasticsearch/config/certificates/ca/ca.crt ? Where is this configured ? How ?

Please share your docker compose file here instead of just snippets from it.

Teed · April 23, 2020, 4:06pm

Hello, thank you for your answer. Guide me with this:

https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html

CERTS_DIR=/usr/share/elasticsearch/config/certificates

For complete error details, refer to the log at /usr/share/elasticsearch/logs/elastic-udt-cluster.log
elasticsearch     | {"type": "server", "timestamp": "2020-04-23T15:48:04,655Z", "level": "ERROR", "component": "o.e.b.ElasticsearchUncaughtExceptionHandler", "cluster.name": "elastic-udt-cluster", "node.name": "elasticsearch", "message": "uncaught exception in thread [main]",
elasticsearch     | "stacktrace": ["org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.http.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - certificate_authorities file [/usr/share/elasticsearch/config/certificates/ca/ca.crt] does not exist]; nested: NoSuchFileException[/usr/share/elasticsearch/config/certificates/ca/ca.crt];",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) ~[elasticsearch-cli-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.http.ssl]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:524) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$4(SSLService.java:497) ~[?:?]",
elasticsearch     | "at java.util.HashMap.forEach(HashMap.java:1338) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:497) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:130) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:259) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.lambda$new$9(Node.java:456) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
elasticsearch     | "at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1621) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
elasticsearch     | "at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
elasticsearch     | "at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:459) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "... 6 more",
elasticsearch     | "Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - certificate_authorities file [/usr/share/elasticsearch/config/certificates/ca/ca.crt] does not exist",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.TrustConfig.missingTrustConfigFile(TrustConfig.java:113) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:55) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:427) ~[?:?]",
elasticsearch     | "at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:521) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$4(SSLService.java:497) ~[?:?]",
elasticsearch     | "at java.util.HashMap.forEach(HashMap.java:1338) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:497) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:130) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:259) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.lambda$new$9(Node.java:456) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
elasticsearch     | "at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1621) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
elasticsearch     | "at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
elasticsearch     | "at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:459) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "... 6 more",
elasticsearch     | "Caused by: java.nio.file.NoSuchFileException: /usr/share/elasticsearch/config/certificates/ca/ca.crt",
elasticsearch     | "at sun.nio.fs.UnixException.translateToIOException(UnixException.java:92) ~[?:?]",
elasticsearch     | "at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111) ~[?:?]",
elasticsearch     | "at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:116) ~[?:?]",
elasticsearch     | "at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:219) ~[?:?]",
elasticsearch     | "at java.nio.file.Files.newByteChannel(Files.java:374) ~[?:?]",
elasticsearch     | "at java.nio.file.Files.newByteChannel(Files.java:425) ~[?:?]",
elasticsearch     | "at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:420) ~[?:?]",
elasticsearch     | "at java.nio.file.Files.newInputStream(Files.java:159) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:97) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readCertificates(CertParsingUtils.java:90) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.PEMTrustConfig.createTrustManager(PEMTrustConfig.java:51) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:427) ~[?:?]",
elasticsearch     | "at java.util.HashMap.computeIfAbsent(HashMap.java:1138) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:521) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$4(SSLService.java:497) ~[?:?]",
elasticsearch     | "at java.util.HashMap.forEach(HashMap.java:1338) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:497) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:142) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:130) ~[?:?]",
elasticsearch     | "at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:259) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.lambda$new$9(Node.java:456) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
elasticsearch     | "at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1621) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
elasticsearch     | "at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
elasticsearch     | "at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
elasticsearch     | "at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:459) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.node.Node.<init>(Node.java:257) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.6.1.jar:7.6.1]",
elasticsearch     | "... 6 more"] }

ikakavas · April 23, 2020, 4:10pm

Have you done all that is described in https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html#get-started-docker-tls? Again, no one can really help you unless you share your docker compose file.

Teed · April 23, 2020, 4:15pm

If completely equal to:

https://www.elastic.co/guide/en/elastic-stack-get-started/current/get-started-docker.html

I only did the manual certificates.

 elasticsearch2:

        image: docker.elastic.co/elasticsearch/elasticsearch:7.6.1

        container_name: elasticsearch2

        ports:

          - "9201:9200"

        environment:

          - cluster.name=elastic-cluster

          - ELASTIC_USERNAME=elastic

          - ELASTIC_PASSWORD=***

          - xpack.license.self_generated.type=trial

          - xpack.security.enabled=true

          - xpack.security.http.ssl.enabled=true

          - xpack.security.http.ssl.key=$CERTS_DIR/elasticsearch2/elasticsearch2.key

          - xpack.security.http.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt

          - xpack.security.http.ssl.certificate=$CERTS_DIR/elasticsearch2/elasticsearch2.crt

          - xpack.security.transport.ssl.enabled=true

          - xpack.security.transport.ssl.verification_mode=certificate

          - xpack.security.transport.ssl.certificate_authorities=$CERTS_DIR/ca/ca.crt

          - xpack.security.transport.ssl.certificate=$CERTS_DIR/elasticsearch2/elasticsearch2.crt

          - xpack.security.transport.ssl.key=$CERTS_DIR/elasticsearch2/elasticsearch2.key

          - node.name=elasticsearch2

          - http.cors.enabled=true

          - http.cors.allow-origin=*

          - bootstrap.memory_lock=true

          - node.max_local_storage_nodes=4

          - "ES_JAVA_OPTS=-Xms2g -Xmx2g"

          - discovery.seed_hosts=elasticsearch,elasticsearch2,elasticsearch3,elasticsearch4

          - cluster.initial_master_nodes=elasticsearch,elasticsearch2,elasticsearch3,elasticsearch4

        ulimits:

          memlock:

            soft: -1

            hard: -1

          nofile:

            soft: 65536

            hard: 65536

        volumes:

          - certs:$CERTS_DIR

        networks:

          - elasticNetwork

system · May 21, 2020, 4:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.