elasticsearch cannot read certificate file

I generated a certificate file with certbot. It is placed in /etc/letsencrypt/....

I created a group called elk where I added the elasticsearch user, and I recursively set it as the owning group for /etc/letsencrypt and recursively set the permissions to 770.

When I start elasticsearch via systemctl start elasticsearch.service, it is not able to read the file:

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/etc/letsencrypt/live/<domain>/fullchain.pem" "read")

Why is that?

What strategy would you recommend to be able to use the same certificate for elasticsearch and kibana?

If you check the log, you should find that there is more detail there.

Elasticsearch requires that all configuration files are in the config directory (the security manager prevents it from reading arbitrary directories).

You can symlink the certbot managed files into the ES configuration dir.

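The symlink approach suggested in the answer above, as an added example that is not part of the original thread: it links the certbot files into the Elasticsearch config directory, checks that each link resolves to a readable file, and flags configured paths that fall outside the config directory. The `certs` subdirectory, the function names and the `/etc/elasticsearch` location mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: a "certs" subdirectory
# of the config dir, and certbot's fullchain.pem / privkey.pem file names.

# Link certbot's PEM files into <es_conf>/certs and verify each link resolves.
link_certs() {
    live_dir=$1      # e.g. /etc/letsencrypt/live/<domain>
    es_conf=$2       # e.g. /etc/elasticsearch (assumed package default)
    dest="$es_conf/certs"

    mkdir -p "$dest" || return 1
    for f in fullchain.pem privkey.pem; do
        src="$live_dir/$f"
        # certbot's live/ entries are themselves symlinks into archive/, so a
        # missing target or a directory without traverse permission shows here.
        if [ ! -r "$src" ]; then
            echo "cannot read $src (check target and directory permissions)" >&2
            return 1
        fi
        ln -sfn "$src" "$dest/$f" || return 1
        [ -r "$dest/$f" ] || return 1
    done
    return 0
}

# Print every configured path that is not lexically inside the config dir.
# Relative paths are resolved against the config dir, as in elasticsearch.yml.
outside_config() {
    es_conf=$1; shift
    rc=0
    for p in "$@"; do
        case $p in
            /*) abs=$p ;;
            *)  abs="$es_conf/$p" ;;
        esac
        case $abs in
            */../*|*/..)  echo "$p"; rc=1 ;;   # refuse parent-dir escapes
            "$es_conf"/*) ;;                   # inside the config dir
            *)            echo "$p"; rc=1 ;;
        esac
    done
    return $rc
}
```

The `-r` tests reflect the access of whoever runs the script, so run it as the elasticsearch user (for example with `sudo -u elasticsearch`) to see what the service sees.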
