ECE 2.4.2 - Error when we tried to configure elasticsearch.yml with xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path

Hi guys.
We're getting an ECE error when we try to configure elasticsearch.yml with xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path.

ECE version: 2.4.2
ES containers: 7.4.2
Kibana containers: 7.4.2

Step by Step:

  1. Create a new deployment on ECE Cloud UI.

  2. Create .p12 certificates on ES container using the following commands:
    a) bin/elasticsearch-certutil ca
    b) bin/elasticsearch-certutil cert -v --ca elastic-stack-ca.p12

  3. Copy the node certificate to the appropriate location: /elasticsearch/

  4. Add credentials on keystore and truststore executing the following commands:
    bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
    bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
    bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

  5. Go to my deployment on ECE Cloud UI and click on "Edit" --> Data "User setting overrides" (User settings are appended to the elasticsearch.yml configuration file for your Elasticsearch cluster), and add the following lines:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /elasticsearch/elastic-certificates.p12

  6. Just click on the save button.

  7. We are getting the following error on es.log:

ERROR][org.elasticsearch.bootstrap.Bootstrap] [instance-0000000000] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:311) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:255) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) [elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) [elasticsearch-cli-7.4.2.jar:7.4.2]
at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.4.2.jar:7.4.2]
Caused by: java.lang.reflect.InvocationTargetException
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]
... 15 more
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:449) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]
... 15 more
Caused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:211) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:165) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:49) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:444) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]
... 15 more
Caused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:211) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:165) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:49) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:444) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]
at java.util.HashMap.forEach(HashMap.java:1338) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:426) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:121) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:142) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:311) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.<init>(Node.java:255) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.4.2.jar:7.4.2]

ECE is automatically configured with certificates for http, which is why you're getting this error.

What exactly are you trying to achieve here?
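
The conflict behind "you cannot specify a keystore and key file", as an added example that is not part of the original thread or Elastic's own code: a small Python check that merges platform-managed settings with a user override and flags every SSL context where both `keystore.path` and `key` end up set. The `PLATFORM` settings and their placeholder paths are constructed assumptions, since the values ECE actually generates are not shown on this page; `USER_OVERRIDE` is the override from the question.

```python
import re

# SSL contexts configured in the thread's "User setting overrides".
CONTEXTS = ("xpack.security.transport.ssl", "xpack.security.http.ssl")

def parse_flat_settings(text):
    """Parse flat 'dotted.key: value' lines, the style used in the post."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(\S.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def find_key_conflicts(platform_text, override_text):
    """Return the SSL contexts whose merged config sets both a keystore and a PEM key."""
    merged = parse_flat_settings(platform_text)
    # User settings are appended to elasticsearch.yml, so they add to the platform's keys.
    merged.update(parse_flat_settings(override_text))
    return [ctx for ctx in CONTEXTS
            if f"{ctx}.keystore.path" in merged and f"{ctx}.key" in merged]

# Constructed stand-in for platform-managed TLS settings (assumption, placeholder paths).
PLATFORM = """
xpack.security.transport.ssl.key: /placeholder/node.key
xpack.security.transport.ssl.certificate: /placeholder/node.crt
xpack.security.http.ssl.key: /placeholder/node.key
xpack.security.http.ssl.certificate: /placeholder/node.crt
"""

# The override from the question.
USER_OVERRIDE = """
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /elasticsearch/elastic-certificates.p12
"""

if __name__ == "__main__":
    for ctx in find_key_conflicts(PLATFORM, USER_OVERRIDE):
        print(f"conflict in [{ctx}]: keystore.path and key are both set")
```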

Hi Tim! Thanks for the response!!!
I'm trying to enable TLS and specify the information required to access the node’s certificate, in order to configure Kibana with OpenID Connect authentication (on Elastic Cloud Enterprise).
https://www.elastic.co/guide/en/elasticsearch/reference/master/oidc-kibana.html

All we need to do is configure SSO (Azure AD) on Kibana (endpoint from ECE).

You'll have an easier time following the ECE specific doc for OpenID Connect:

The general ES one may come in handy for some of the background information, but the ECE one will guide you through the correct steps for the ECE platform.
