ECE 2.4.2 - Error when we tried to configure elasticsearch.yml with xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path

Elastic Stack Elasticsearch
,
1

Hi guys.
We're getting ECE error when we tried to configure elasticsearch.yml with xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path

ECE version: 2.4.2
ES containers: 7.4.2
Kibana containers: 7.4.2

Step by Step:

  1. Create a new deployment on ECE Cloud UI.

  2. Create .p12 certificates on ES container using the following commands:
    a) bin/elasticsearch-certutil ca b) bin/elasticsearch-certutil cert -v --ca elastic-stack-ca.p12

  3. Copy the node certificate to the appropriate location: /elasticsearch/

  4. Add credentials on keystore and truststore executing the following commands:
    bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
    bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
    bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

  5. Go to my deployment on ECE Cloud UI and click on "Edit" --> Data "User setting overrides" ( User settings are appended to the elasticsearch.yml configuration file for your Elasticsearch cluster) , and add the following lines:

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /elasticsearch/elastic-certificates.p12

  1. Just click on save button

  2. we are getting the following error on es.log:

ERROR][org.elasticsearch.bootstrap.Bootstrap] [instance-0000000000] Exception\njava.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]\n\tat org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:614) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.plugins.PluginsService.(PluginsService.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.node.Node.(Node.java:255) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) [elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:125) [elasticsearch-cli-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.4.2.jar:7.4.2]\n\tat org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.4.2.jar:7.4.2]\nCaused by: java.lang.reflect.InvocationTargetException\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]\n\tat jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]\n\tat org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]\n\t... 15 more\nCaused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:449) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:121) ~[?:?]\n\tat org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:142) ~[?:?]\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]\n\tat jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]\n\tat org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]\n\t... 15 more\nCaused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file\n\tat org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:211) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:165) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLConfiguration.(SSLConfiguration.java:49) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:444) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:430) ~[?:?]\n\tat org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:121) ~[?:?]\n\tat org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:142) ~[?:?]\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]\n\tat jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]\n\tat jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]\n\tat java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]\n\tat org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]\n\t... 15 more"
Caused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:211) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:165) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.(SSLConfiguration.java:49) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadConfiguration(SSLService.java:444) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$2(SSLService.java:426) ~[?:?]
at java.util.HashMap.forEach(HashMap.java:1338) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:426) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.(SSLService.java:121) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.(XPackPlugin.java:142) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:605) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:556) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:471) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.plugins.PluginsService.(PluginsService.java:163) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.(Node.java:311) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.node.Node.(Node.java:255) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap$5.(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:221) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:349) ~[elasticsearch-7.4.2.jar:7.4.2]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.4.2.jar:7.4.2]

2

ECE is automatically configured with certificates for http, which is why you're getting this error.

What exactly are you trying to achieve here?

3

Hi Tim! Thanks for Response!!!
I'm trying to Enable TLS and specify the information required to access the node’s certificate, in order to configure KIbana with OpenID Connect authentication (On ElasticCloudEnterprise).
https://www.elastic.co/guide/en/elasticsearch/reference/master/oidc-kibana.html.

All we need to do is configure SSO (Azure AD) on kibana (endpoint from ECE).

4

You'll have an easier time following the ECE specific doc for OpenID Connect:

The general ES one may come in handy for some of the background information, but the ECE one will guide you through the correct steps for the ECE platform.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.