Elastic http securing: access denied ("java.io.FilePermission" "/etc/pki/tls/private" "read")

Hi

Elastic 7.11.1
I am trying to secure http protocol.
But I am getting

2021-03-04T11:15:13,050][ERROR][o.e.b.Bootstrap          ] [dev-dc2-rk] Exception
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/pki/tls/private" "read")

Although permissions are fine (others have "r"):

[root@dev-dc2-rk ~]# ls -lh / | grep etc
drwxr-xr-x. 101 root root 8.0K Mar 4 11:18 etc

[root@dev-dc2-rk ~]# ls -lh /etc/ | grep pki
drwxr-xr-x. 14 root root 4.0K Aug 13 2020 pki

[root@dev-dc2-rk ~]# ls -lh /etc/pki | grep tls
drwxr-xr-x. 5 root root 76 Dec 19 04:27 tls

[root@dev-dc2-rk ~]# ls -lh /etc/pki/tls | grep private
drwxr-xr-x. 2 root root 59 Mar 2 11:15 private

[root@dev-dc2-rk ~]# ls -lh /etc/pki/tls/private/
total 8.0K
-r--r--r-- 1 root elasticsearch 1.7K Apr 11 2019 priv.key

I also did try copying the key file to "/etc"

Then I get this:

2021-03-04T11:19:13,050][ERROR][o.e.b.Bootstrap          ] [dev-dc2-rk] Exception
java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc" "read")

Also, this same error comes for all of these:

  • xpack.security.http.ssl.key
  • xpack.security.http.ssl.certificate
  • xpack.security.http.ssl.certificate_authorities

Help needed.

Regards
Raul

Elasticsearch only has permission to read config files from within its own config directory, which probably isn't /etc/pki. See these docs for more details:

IMPORTANT: Any files that the security features use must be stored in the Elasticsearch configuration directory. Elasticsearch runs with restricted permissions and is only permitted to read from the locations configured in the directory layout for enhanced security.

and also step 4 of these docs which says to put the certs in the config directory.
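As an added example (not from the thread or the Elastic docs), this pre-flight check flags TLS file settings in `elasticsearch.yml` that resolve outside the configuration directory. Those are the paths the JVM sandbox refuses to read, whatever the Unix permissions say. It assumes the package-install config directory `/etc/elasticsearch`, flat dotted keys as in the post, and relative paths resolved against the config directory; the sample config is constructed.

```python
import posixpath
import re

# Settings named in the post; the pattern also covers the transport-layer equivalents.
SSL_PATH_KEY = re.compile(
    r"^\s*(xpack\.security\.(?:http|transport)\.ssl\."
    r"(?:key|certificate|certificate_authorities))\s*:\s*(.+?)\s*$"
)

def _values(raw):
    """Split a scalar or an inline [a, b] list into unquoted path strings."""
    raw = raw.split(" #", 1)[0].strip()          # drop a trailing comment
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    return [v.strip().strip("\"'") for v in raw.split(",") if v.strip()]

def paths_outside_config(yml_text, config_dir="/etc/elasticsearch"):
    """Return (setting, resolved_path) pairs that fall outside config_dir.

    The check is lexical: symlinks are not followed, so a link inside the
    config directory that points elsewhere is not detected here.
    """
    root = posixpath.normpath(config_dir)        # assumed config directory
    offenders = []
    for line in yml_text.splitlines():
        m = SSL_PATH_KEY.match(line)             # commented-out lines never match
        if not m:
            continue
        for value in _values(m.group(2)):
            # Assumption: relative paths are relative to the config directory.
            resolved = posixpath.normpath(posixpath.join(root, value))
            if posixpath.commonpath([root, resolved]) != root:
                offenders.append((m.group(1), resolved))
    return offenders

# Constructed sample config; the key path mirrors the failing one in the post.
SAMPLE = """\
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: /etc/pki/tls/private/priv.key
xpack.security.http.ssl.certificate: certs/node.crt
xpack.security.http.ssl.certificate_authorities: [ "certs/ca.crt", "/etc/pki/ca-trust/ca.pem" ]
"""

if __name__ == "__main__":
    for setting, path in paths_outside_config(SAMPLE):
        print(f"{setting}: {path} is outside the config directory")
```

Any setting it reports needs its file copied under the config directory, readable by the `elasticsearch` user, and the setting updated to the new path.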


Ok, thanks.
