Elasticsearch-certutil error

jacobot · November 6, 2018, 3:21pm

Hi,
when I issue the command bin/elasticsearch-certutil cert -v --ca elastic-stack-ca.p12

I get following, what could be issue?

Exception in thread "main" java.nio.file.NoSuchFileException: elastic-stack-ca.p12
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
        at java.nio.file.Files.newByteChannel(Files.java:361)
        at java.nio.file.Files.newByteChannel(Files.java:407)
        at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
        at java.nio.file.Files.newInputStream(Files.java:152)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:68)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:127)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:341)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:931)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:340)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:328)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:684)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

ikakavas · November 6, 2018, 9:13pm

The error is rather obvious :java.nio.file.NoSuchFileException: elastic-stack-ca.p12

Your command asks elasticsearch-certutil to create a X.509 certificates and a private key, while using the CA key and certificate that is contained in elastic-stack-ca.p12 file. However, you either haven't generated that file, or it lies in a different directory.

I would suggest that you read through our documentation, it would be a good starting point for using elasticsearch-certutil

jacobot · November 6, 2018, 10:19pm

The file exist, it is in the same directory as the previous issued command in "ca mode",

ikakavas · November 6, 2018, 10:27pm

Can you please share the output of running

ls -la elastic-stack-ca.p12

when you are in that same directory?

jacobot · November 6, 2018, 10:32pm

drwxrwxrwt 1 root root 4.0K Nov 6 22:27 .
drwxr-xr-x 1 root root 4.0K Nov 6 21:16 ..
-rw------- 1 elasticsearch elasticsearch 2.5K Nov 6 22:27 elastic-stack-ca.p12
drwx------ 2 elasticsearch elasticsearch 4.0K Nov 6 22:27 elasticsearch.sYIJmDY
W
drwxr-xr-x 2 elasticsearch elasticsearch 4.0K Nov 6 22:27 hsperfdata_elasticsea
rch

jacobot · November 6, 2018, 10:33pm

Is almost midnight here, will read answer tomorrow)

TimV · November 7, 2018, 6:58am

I assume you're running this as the elasticsearch user, so there shouldn't be any problem there.

Exactly what did you run to get that directory listing?
If you ran the command that @ikakavas asked for:

ls -la elastic-stack-ca.p12

Then that output is quite strange - it would imply that elastic-stack-ca.p12 is a directory, which it certainly shouldn't be.

Alternatively if you simply ran

ls -la

then where is the bin/ directory from your original command

bin/elasticsearch-certutil ...

Something doesn't quite add up between the commands you say you're running and the output we're seeing.

You can try

bin/elasticsearch-certutil cert -v --ca ${PWD}/elastic-stack-ca.p12

which will eliminate any strange path problems and the exception message will be explicit about which file we tried to read.

jacobot · November 7, 2018, 8:43am

Hi,

Yes, the output is what you get when you do ls -la or for specific file ls -la elastic-stack-ca.p12

-rw------- 1 elasticsearch elasticsearch 2.5K Nov 6 22:27 elastic-stack-ca.p12

We create these files in /tmp directory, btw
it is centos7 install

to create this file i issued command (while i am in /tmp)

/usr/share/elasticsearch/bin/elasticsearch-certutil ca

of course its full path because i am in /tmp, this is no problem ,

I issued
/usr/share/elasticsearch/bin/elasticsearch-certutil cert -v --ca ${PWD}/elastic-stack-ca.p12

Enter password for CA (/tmp/elastic-stack-ca.p12) :
Exception in thread "main" java.nio.file.NoSuchFileException: /tmp/elastic-stack-ca.p13
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.Files.newByteChannel(Files.java:361)
at java.nio.file.Files.newByteChannel(Files.java:407)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
at java.nio.file.Files.newInputStream(Files.java:152)
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:68)
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:127)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:341)
at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:931)
at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:340)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:328)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:684)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

on a side note
I did echo $? right after this command and I got 1

Ok i am trying this on a new machine, this is just weird

TimV · November 7, 2018, 8:53am

13?

system · December 5, 2018, 8:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with elasticsearch-certutil http and "ca certificate is not a CA" error Elasticsearch elastic-stack-security	5	1529	August 16, 2022
Access denied to certs when starting Elasticsearch Elasticsearch elastic-stack-security	3	5223	January 6, 2020
Xpack.security.transport.ssl setup issue Elasticsearch elastic-stack-security	4	364	October 5, 2022
ElasticSearch with SSL? Elasticsearch elastic-stack-security	12	21804	November 28, 2019
AccessDeniedException when trying to startup ElasticSearch Elasticsearch elastic-stack-security	5	7582	April 26, 2019

Elasticsearch-certutil error

Related Topics