Elasticsearch 8.X TLS question

I'm a beginner, and the latest release of Elastic 8.x is a great product: it automatically configures TLS security, solves previously complex deployments, and is perfect for a newbie like me.
But I'm also having problems.

1. The automatically created TLS certificate seems to have a password. When I try to export the certificate, the prompt asks me to enter the password, and pressing Enter directly fails.

keytool -importcert -trustcacerts -noprompt -keystore transport.p12 -alias new-ca -file ca.crt
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Too many failures - try later

2. I deployed and tested two separate sets of Elastic 8.x and wanted to test Remote clusters, but it failed. I guess the certificate may be the cause. How can I add the other party's certificate to the local trust list?

log:
ELK01.log:[2022-03-12T04:06:32,623][WARN ][o.e.c.s.DiagnosticTrustManager] [elk01] failed to establish trust with server at []; the server provided a certificate with subject name [CN=elk02], fingerprint [c8cd6bdb7972a9e2b43b51972899b77d3680123d], no keyUsage and no extendedKeyUsage; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certificate is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [946aca8e39a5688b866022bc870e650f8f97036b]) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=certs/transport.p12, password=, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elasticsearch security auto-configuration HTTP CA] but the trusted certificate has fingerprint [f6e2abf68a4d7c5d7def6b45104bd1eb8257c774]

What are you trying to achieve here?

Your comment says you want to export the certificate but the command you're running is -importcert.

We can help you sort it out, but I'm a bit confused about the problem you're trying to solve.

Haha, sorry, my technique is as bad as my English.

1. I thought I could add additional CA certificates with this command:
Update security certificates with a different CA | Elasticsearch Guide [8.1] | Elastic

2. My main goal is to implement remote search for two Elastic 8.x clusters (auto TLS config).
I don't know if there is an easy way to implement it.

OK, configuring for cross cluster search is a step beyond what auto-configuration can do for you, so it makes sense that you're trying to add another CA to the transport truststore.

The password for transport.p12 is stored in the elasticsearch.keystore and can be obtained by calling:

elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

(you may need to call bin/elasticsearch-keystore depending on how your PATH is set up).

I tried to export all possible passwords as follows:

[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show autoconfiguration.password_hash
$2a$10$Jlv6FRis/WjOJHipf2aOuONJs8XiAPE7pe6t/SVl/SEeTS354ve16
[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show keystore.seed
rgNDkOEu45py7mO4^ddc
[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
kyvxymiBQ9aSHWYNEeCU_g
[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ
[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ

But all the passwords are invalid.

[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/transport.p12 -alias new-ca -file /etc/elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/transport.p12 -alias new-ca -file /etc/elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/transport.p12 -alias new-ca -file /etc/elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/elasticsearch/certs/transport.p12 -alias new-ca -file /etc/elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: Invalid keystore format


I don't know what went wrong.
I just want to add the CA to the trust list, to test the remote cluster :sob:

./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ

This is the password you need.

I can't explain why it didn't work in your test, but this is the correct password.

It's okay. Thank you for your support. Thank the community.

I'll try again.

[root@elk01 elasticsearch]# ./bin/elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

-AFRY_HTT-ukBOLvUjUBOQ

I noticed that the password was indeed correct.

But it says "Invalid keystore format".

I wonder if this is true in your test environment.

If the format was truly invalid (which is theoretically possible, if the file had been corrupted), then your existing cluster would be unable to form.

What version of keytool are you using? Can you try using the copy of keytool from the JDK that ships with Elasticsearch?
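Two checks a practitioner would run before blaming keytool, as an added example that is not from the thread or from Elastic: classify the file keytool is being pointed at (JKS starts with the magic 0xFEEDFEED; PKCS#12 per RFC 7292 is a DER SEQUENCE whose first element is the version INTEGER 3; a CA .crt is PEM text), and compute the SHA-1 fingerprint of a CA file so it can be compared with the 40-hex-digit fingerprints the DiagnosticTrustManager line above prints. The sample blobs are constructed placeholders, not real keystores or certificates.

```python
import base64
import hashlib
import re

# JKS files start with the magic 0xFEEDFEED. PKCS#12 (RFC 7292) is a DER
# SEQUENCE whose first element is the INTEGER version 3. PEM is text.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_sequence_body(data: bytes):
    """Return the bytes inside an outer DER SEQUENCE, or None if there is none."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    if data[1] < 0x80:                      # short-form length
        return data[2:]
    n = data[1] & 0x7F                      # long form: n length bytes follow
    return data[2 + n:] if 1 <= n <= 4 else None

def detect_format(data: bytes) -> str:
    """Classify a file as JKS, PEM, PKCS12 or UNKNOWN."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if PEM_RE.search(data):
        return "PEM"
    body = _der_sequence_body(data)
    if body is not None and body.startswith(b"\x02\x01\x03"):
        return "PKCS12"
    return "UNKNOWN"

def sha1_fingerprint(cert: bytes) -> str:
    """Hex SHA-1 over the DER certificate (first block if PEM), as Elasticsearch prints it."""
    m = PEM_RE.search(cert)
    der = base64.b64decode(m.group(2)) if m else cert
    return hashlib.sha1(der).hexdigest()

def trusted_by_log(fingerprint: str, log_line: str) -> bool:
    """True if the 'trusted certificate has fingerprint [...]' clause names this CA."""
    m = re.search(r"trusted certificate has fingerprint \[([0-9a-f]{40})\]", log_line)
    return bool(m) and m.group(1) == fingerprint.lower()

# Constructed samples (not real keystores or certificates), so the script runs offline.
P12_SAMPLE = b"\x30\x82\x00\x05\x02\x01\x03\x30\x00"   # SEQUENCE { INTEGER 3, SEQUENCE {} }
JKS_SAMPLE = JKS_MAGIC + b"\x00\x00\x00\x02"
FAKE_DER_CERT = b"\x30\x03\x02\x01\x01"                 # placeholder DER blob, not an X.509 cert
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER_CERT) + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in [("transport.p12", P12_SAMPLE), ("old.jks", JKS_SAMPLE), ("ca.crt", PEM_SAMPLE)]:
        print(f"{name}: {detect_format(blob)}")
    print("ca.crt fingerprint:", sha1_fingerprint(PEM_SAMPLE))
```

Run it against the real transport.p12 and the remote cluster's http_ca.crt: a result other than PKCS12 for the truststore explains the keytool error without any keytool version question, and the fingerprint tells you whether the CA you are importing is the one the log says is missing.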
