Elasticsear 8.X TLS question

qq350162199 · March 12, 2022, 1:29pm

I'm a beginner, and the latest release of elastic 8.x is a great product that automatically configures TLS security, solves previous complex deployments, and is perfect for a little white like me.
But I'm also having problems.

1, automatically created TLS certificate, feel that there is a password, when I try to export the certificate, the promotion needs to enter the password, I directly enter the car is a failure.

keytool -importcert -trustcacerts -noprompt -keystore transport.p12 -alias new-ca -file ca.crt
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Enter keystore password:
Keystore password is too short - must be at least 6 characters
Too many failures - try later

I deployed and tested two separate sets of elastic 8.x and wanted to test the Remote clusters, but it failed, and I guess it may be the cause of the certificate. How can I add the other person's certificate in the local trust list.

log:
ELK01.log:[2022-03-12T04:06:32,623][WARN ][o.e.c.s.DiagnosticTrustManager] [elk01] failed to establish trust with server at []; the server provided a certificate wit h subject name [CN=elk02], fingerprint [c8cd6bdb7972a9e2b43b51972899b77d3680123d], no keyUsage and no extendedKeyUsage; the session uses cipher suite [TLS_AES_256_GCM_SHA384] and protocol [TLSv1.3]; the certificate does not have any subject alternative names; the certificate is issued by [CN=Elasticsearch security auto-configuration HTTP CA]; the certifica te is signed by (subject [CN=Elasticsearch security auto-configuration HTTP CA] fingerprint [946aca8e39a5688b866022bc870e650f8f97036b]) which is self-issued; the [CN=Elasticsearch security auto-configuration HTTP CA] certificate is not trusted in this ssl context ([xpack.security.transport.ssl (with trust configuration: StoreTrustConfig{path=certs/transpor t.p12, password=, type=PKCS12, algorithm=PKIX})]); this ssl context does trust a certificate with subject [CN=Elasticsearch security auto-configuration HTTP CA] but the trusted certificate has fingerprint [f6e2abf68a4d7c5d7def6b45104bd1eb8257c774]

TimV · March 14, 2022, 12:40am

What are you trying to achieve here?

Your comment says you want to export the certificate but the command you're running is -importcert.

We can help you sort it out, but I'm a bit confused about the problem you're trying to solve.

qq350162199 · March 15, 2022, 3:13am

Haha, sorry my technique is as bad as my English.

1、I thought I could add additional CA certificates with this command.
Update security certificates with a different CA | Elasticsearch Guide [8.1] | Elastic

2、My main goal is to implement remote search for two elastic 8.x clusters （auto TLS config）.
I don't know if there is an easy way to implement it.

TimV · March 15, 2022, 5:11am

OK, configuring for cross cluster search is a step beyond what auto-configuration can do for you, so it makes sense that you're trying to add another CA to the transport truststore.

The password for transport.p12 is stored in the elasticsearch.keystore and can get obtained by calling:

elaticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

(you may need to call bin/elaticsearch-keystore depending on how your PATH is setup).

qq350162199 · March 16, 2022, 10:05am

I tried to export all possible passwords as follows:

[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore list
autoconfiguration.password_hash
keystore.seed
xpack.security.http.ssl.keystore.secure_password
xpack.security.transport.ssl.keystore.secure_password
xpack.security.transport.ssl.truststore.secure_password
[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show autoconfiguration.password_hash
$2a$10$Jlv6FRis/WjOJHipf2aOuONJs8XiAPE7pe6t/SVl/SEeTS354ve16
[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show keystore.seed
rgNDkOEu45py7mO4^ddc
[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show xpack.security.http.ssl.keystore.secure_password
kyvxymiBQ9aSHWYNEeCU_g
[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ
[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ

But all the passwords are invalid

[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/Elasticsearch/certs/transport.p12 -alias new-ca -file /etc/Elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/Elasticsearch/certs/transport.p12 -alias new-ca -file /etc/Elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/Elasticsearch/certs/transport.p12 -alias new-ca -file /etc/Elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: keystore password was incorrect
[root@elk01 242]# keytool -importcert -trustcacerts -noprompt -keystore /etc/Elasticsearch/certs/transport.p12 -alias new-ca -file /etc/Elasticsearch/certs/242/242_http_ca.crt
Enter keystore password:
keytool error: java.io.IOException: Invalid keystore format

I don't know what went wrong.
I just want to add the CA to the trust. To test the remote cluster

TimV · March 17, 2022, 4:26am

./bin/Elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password
-AFRY_HTT-ukBOLvUjUBOQ

This is the password you need.

I can't explain why it didn't work in your test, but this is the correct password.

qq350162199 · March 18, 2022, 6:12am

It's okay. Thank you for your support. Thank the community.

I'll try again.

qq350162199 · March 19, 2022, 5:15pm

[root@elk01 Elasticsearch]# ./bin/Elasticsearch-keystore show xpack.security.transport.ssl.truststore.secure_password

-AFRY_HTT-ukBOLvUjUBOQ

I noticed that the password was indeed correct.

but,it says "Invalid keystore format"

I wonder if this is true in your test environment.

TimV · March 20, 2022, 12:51am

If the format was truly invalid (which is theoretically possible, if the file had been corrupted), then your existing cluster would be unable to form.

What version of keytool are you using? Can you try using the copy of keytool from the JDK that ships with Elasticsearch?

system · April 17, 2022, 12:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Security error creating cluster Elasticsearch elastic-stack-security	1	200	November 15, 2023
Keytool asking for password for keystore , none applied ever Elasticsearch	1	406	January 18, 2023
Cannot read configured [PKCS12] keystore (as a truststore) Elasticsearch elastic-stack-security	1	7039	November 2, 2022
Cannot add new CA to keystore Elasticsearch elastic-stack-security	4	789	April 7, 2023
How configure .p12 certificate in Elasticsearch TLS/SSL? Elasticsearch elastic-stack-security	4	4547	November 26, 2018

Elasticsear 8.X TLS question

I tried to export all possible passwords as follows:

But all the passwords are invalid

Related Topics