I'm a beginner, and the latest release of Elastic 8.x is a great product that automatically configures TLS security, solves the previously complex deployment, and is perfect for a newbie like me.
But I'm also having problems.
1. The automatically created TLS certificate seems to have a password. When I try to export the certificate, the prompt asks me to enter the password, and if I just press Enter it fails.
keytool -importcert -trustcacerts -noprompt -keystore transport.p12 -alias new-ca -file ca.crt
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Too many failures - try later
I deployed and tested two separate sets of Elastic 8.x and wanted to test remote clusters, but it failed, and I guess the certificate may be the cause. How can I add the other party's certificate to the local trust list?
log:
ELK01.log:[2022-03-12T04:06:32,623][WARN ][o.e.c.s.DiagnosticTrustManager] [elk01] failed to establish trust with server at []; the server provided a certificate with subject name [CN=elk02], fingerprint [c8cd6bdb7972a9e2b43b51972899b77d3680123d], no keyUsage and no extendedKeyUsage; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [946aca8e39a5688b866022bc870e650f8f97036b]) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=certs/transport.p12, password=, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elasticsearch security auto-configuration HTTP CA] but the trusted certificate has fingerprint [f6e2abf68a4d7c5d7def6b45104bd1eb8257c774]
OK, configuring for cross cluster search is a step beyond what auto-configuration can do for you, so it makes sense that you're trying to add another CA to the transport truststore.
The password for transport.p12 is stored in the elasticsearch.keystore and can be obtained by calling:
elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
(you may need to call bin/elasticsearch-keystore depending on how your PATH is set up).
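
The two steps discussed in this thread (read the truststore password, then import the other cluster's CA into transport.p12), put together as an added example that is not part of the original posts. The function name `add_peer_ca`, the `KEYSTORE_TOOL` / `KEYTOOL` override variables, the default alias and the file names in the usage comment are assumptions made for illustration.

```shell
# Added example. Assumptions: elasticsearch-keystore and keytool are on PATH
# (override with KEYSTORE_TOOL / KEYTOOL), and elasticsearch.keystore itself is
# not password-protected, so "show" does not prompt.
# Usage (paths are placeholders):
#   add_peer_ca "$ES_PATH_CONF/certs/transport.p12" elk02-ca.crt elk02-ca
add_peer_ca() {
  store=$1 peer_ca=$2 ca_alias=${3:-remote-cluster-ca}
  ks_tool=${KEYSTORE_TOOL:-elasticsearch-keystore}
  keytool_cmd=${KEYTOOL:-keytool}
  setting=xpack.security.transport.ssl.truststore.secure_password

  [ -f "$store" ]   || { echo "truststore not found: $store" >&2; return 1; }
  [ -f "$peer_ca" ] || { echo "CA file not found: $peer_ca" >&2; return 1; }

  # The auto-generated password lives in elasticsearch.keystore, which is why
  # pressing Enter at keytool's password prompt is rejected.
  pass=$("$ks_tool" show "$setting") || return 1
  [ -n "$pass" ] || { echo "empty value for $setting" >&2; return 1; }

  # Keep a copy so a bad import can be rolled back.
  cp -p "$store" "$store.bak" || return 1

  # -storepass:env makes keytool read the password from the environment,
  # keeping it out of the process argument list and the shell history.
  STOREPASS=$pass "$keytool_cmd" -importcert -trustcacerts -noprompt \
    -keystore "$store" -storetype PKCS12 -storepass:env STOREPASS \
    -alias "$ca_alias" -file "$peer_ca"
}
```

Before importing, compare the fingerprint of the CA file with the issuer fingerprint in the `DiagnosticTrustManager` message, since both clusters' auto-generated CAs carry the same subject name.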