Elasticsearch 7.4 unable to read truststore file

All:
I am having the same error as described in this post:

In my log file I get the following:
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - access to read truststore file [/etc/pki/java/truststore.jks] is blocked; SSL resources should be placed in the [/etc/elasticsearch/dspc] directory

Followed by:
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/pki/java/truststore.jks" "read")

However the elasticsearch user should have permissions to the file as shown below:
[root@dspcnode04 dspc]# ls -alt /etc/pki/java
total 60
drwxr-xr-x+ 15 root root   195 May 28 15:48 ..
drwxr-xr-x.  2 root root    83 May 28 15:48 .
-rw-r--r--   1 root root  2467 May 28 15:48 keystore.jks
-rw-r--r--   1 root root  3992 May 28 15:48 keystore.p12
-rw-r--r--   1 root root 53152 May 28 15:39 truststore.jks
lrwxrwxrwx.  1 root root    40 May 25 20:39 cacerts -> /etc/pki/ca-trust/extracted/java/cacerts

Add to this I can run the command:

su elasticsearch -c 'cat /etc/pki/java/truststore.jks'

And see the file. The other posts I have found similar offer no help.
I am installing this ES on an existing cluster and need to use the existing certificates and trust/key stores.

I have looked through the tutorial and not found anything helpful.
Any idea on how to even approach debugging this?

UPDATE:
I have just tried the following:

  1. Linking the jks files in /etc/pki/java to /etc/elasticsearch/dspc and changing the elasticsearch.yml file to point to /etc/elasticsearch/dspc. ----- That did not work.

  2. I copied the jks files to /etc/elasticsearch/dspc, left the ownership and permissions (root, 644) the same and had the elasticsearch.yml file point to them. ---- That did work.

So now my updated question:
Why does Elasticsearch 7.4 require the files to be in the configuration directory??


This is not 7.4 specifically, all versions have this requirement.

Thanks, but this really makes managing common certificates and key/trust stores in a large cluster difficult.

Was someone just trying to implement extra security?

I have multiple applications and tools that need to share common certs and keys. This is all managed through thousands of lines of puppet code.
At least provide me a variable to override the fixed location.

Spot on, that would certainly be us.

We grant (via a SecurityManager policy) the permission to read files only from within the configuration directory.

I think you are looking for ES_PATH_CONF; we don't have an override setting path only for key/certificate material.
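An added pre-flight check, not Elasticsearch's own code, that mirrors the policy described above: it resolves each keystore/truststore path and reports whether it really lives under the configuration directory. It follows symlinks because the poster found that a link placed in the config directory (step 1) was still rejected while a copied file (step 2) worked; the directory layout in `demo` is constructed sample data and `readlink -f` is assumed to be available.

```shell
#!/bin/sh
# Added check (not part of Elasticsearch): the SecurityManager policy only
# allows reads inside the config directory, and the poster saw that a symlink
# placed there is still rejected, so we compare *resolved* paths.
# Assumes `readlink -f` (GNU coreutils or busybox).

# Canonical path of $1, following symlinks.
canon() { readlink -f -- "$1"; }

# ssl_path_allowed CONF_DIR FILE -> 0 if FILE resolves to a location under CONF_DIR
ssl_path_allowed() {
    conf=$(canon "$1") || return 1
    real=$(canon "$2") || return 1
    case "$real" in
        "$conf"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_ssl_paths CONF_DIR FILE... -> one verdict line per file; the return
# value is the number of files Elasticsearch would refuse to read.
check_ssl_paths() {
    cdir="$1"; shift
    blocked=0
    for f in "$@"; do
        if ssl_path_allowed "$cdir" "$f"; then
            printf 'OK       %s\n' "$f"
        else
            printf 'BLOCKED  %s -> %s (outside %s)\n' "$f" "$(canon "$f")" "$cdir"
            blocked=$((blocked + 1))
        fi
    done
    return "$blocked"
}

# demo: rebuild the poster's layout under a temp dir (constructed sample data).
# The /etc/pki/java original and the symlink are blocked, the copy is fine -> 2.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/pki/java" "$t/etc/elasticsearch/dspc"
    printf 'not-a-real-jks' > "$t/etc/pki/java/truststore.jks"
    ln -s "$t/etc/pki/java/truststore.jks" "$t/etc/elasticsearch/dspc/truststore.jks"
    cp "$t/etc/pki/java/truststore.jks" "$t/etc/elasticsearch/dspc/truststore-copy.jks"
    n=0
    check_ssl_paths "$t/etc/elasticsearch/dspc" \
        "$t/etc/pki/java/truststore.jks" \
        "$t/etc/elasticsearch/dspc/truststore.jks" \
        "$t/etc/elasticsearch/dspc/truststore-copy.jks" || n=$?
    rm -rf "$t"
    return "$n"
}
```

Run `check_ssl_paths "$ES_PATH_CONF" /path/to/keystore.jks /path/to/truststore.jks` before starting the node; a non-zero return means at least one path will trigger the "access to read ... is blocked" error.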
