Elasticsearch-certutil error

security

#1

Hi,
when I issue the command bin/elasticsearch-certutil cert -v --ca elastic-stack-ca.p12

I get the following, what could be the issue?

Exception in thread "main" java.nio.file.NoSuchFileException: elastic-stack-ca.p12
        at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
        at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
        at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
        at java.nio.file.Files.newByteChannel(Files.java:361)
        at java.nio.file.Files.newByteChannel(Files.java:407)
        at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
        at java.nio.file.Files.newInputStream(Files.java:152)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:68)
        at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:127)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:341)
        at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:931)
        at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:340)
        at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:328)
        at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:684)
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
        at org.elasticsearch.cli.Command.main(Command.java:90)
        at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

(Ioannis Kakavas) #2

The error is rather obvious: java.nio.file.NoSuchFileException: elastic-stack-ca.p12

Your command asks elasticsearch-certutil to create an X.509 certificate and a private key, while using the CA key and certificate that are contained in the elastic-stack-ca.p12 file. However, you either haven't generated that file, or it lies in a different directory.

I would suggest that you read through our documentation, it would be a good starting point for using elasticsearch-certutil


#3

The file exists, it is in the same directory as the previously issued command in "ca mode".


(Ioannis Kakavas) #4

Can you please share the output of running

ls -la elastic-stack-ca.p12

when you are in that same directory?


#5

drwxrwxrwt 1 root root 4.0K Nov 6 22:27 .
drwxr-xr-x 1 root root 4.0K Nov 6 21:16 ..
-rw------- 1 elasticsearch elasticsearch 2.5K Nov 6 22:27 elastic-stack-ca.p12
drwx------ 2 elasticsearch elasticsearch 4.0K Nov 6 22:27 elasticsearch.sYIJmDYW
drwxr-xr-x 2 elasticsearch elasticsearch 4.0K Nov 6 22:27 hsperfdata_elasticsearch


#6

It is almost midnight here, I will read the answer tomorrow)


(Tim Vernum) #7

I assume you're running this as the elasticsearch user, so there shouldn't be any problem there.

Exactly what did you run to get that directory listing?
If you ran the command that @ikakavas asked for:

ls -la elastic-stack-ca.p12

Then that output is quite strange - it would imply that elastic-stack-ca.p12 is a directory, which it certainly shouldn't be.

Alternatively if you simply ran

ls -la

then where is the bin/ directory from your original command

bin/elasticsearch-certutil ...

Something doesn't quite add up between the commands you say you're running and the output we're seeing.

You can try

bin/elasticsearch-certutil cert -v --ca ${PWD}/elastic-stack-ca.p12

which will eliminate any strange path problems and the exception message will be explicit about which file we tried to read.
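
The path check suggested in the reply above, as an added example that is not part of the thread or of elasticsearch-certutil: it resolves the `--ca` argument to an absolute path and confirms it is a regular, readable file that only its owner can access. `check_ca_path` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight check for the file passed to --ca.
# check_ca_path is a hypothetical helper, not part of elasticsearch-certutil.
# Prints the absolute path on success. Return codes:
#   2 = path does not exist
#   3 = exists but is not a regular file (e.g. a directory)
#   4 = not readable by the current user
#   5 = group or others have permissions on the file
check_ca_path() {
    # Resolve relative paths against the current directory, like ${PWD}/file.
    case "$1" in
        /*) abs=$1 ;;
        *)  abs=$PWD/$1 ;;
    esac
    if [ ! -e "$abs" ]; then
        echo "no such file: $abs" >&2; return 2
    fi
    if [ ! -f "$abs" ]; then
        echo "not a regular file: $abs" >&2; return 3
    fi
    if [ ! -r "$abs" ]; then
        echo "not readable by $(id -un): $abs" >&2; return 4
    fi
    # The PKCS#12 file holds the CA private key, so expect owner-only access
    # (-rw-------). Characters 5-10 of the mode string are group and other.
    mode=$(ls -ldL "$abs" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "group/other permissions set ($mode): $abs" >&2; return 5
    fi
    printf '%s\n' "$abs"
}

# Optional command-line use: sh check_ca.sh elastic-stack-ca.p12
if [ $# -gt 0 ]; then
    check_ca_path "$1"
fi
```

Run it as the same user and from the same directory as the failing elasticsearch-certutil command, so the check sees the same working directory and permissions.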


#8

Hi,

Yes, the output is what you get when you do ls -la, or for the specific file, ls -la elastic-stack-ca.p12

-rw------- 1 elasticsearch elasticsearch 2.5K Nov 6 22:27 elastic-stack-ca.p12

We create these files in the /tmp directory, btw
it is a CentOS 7 install.

To create this file I issued the command (while I am in /tmp)

/usr/share/elasticsearch/bin/elasticsearch-certutil ca

Of course it's the full path because I am in /tmp, this is no problem.

I issued
/usr/share/elasticsearch/bin/elasticsearch-certutil cert -v --ca ${PWD}/elastic-stack-ca.p12

Enter password for CA (/tmp/elastic-stack-ca.p12) :
Exception in thread "main" java.nio.file.NoSuchFileException: /tmp/elastic-stack-ca.p13
at sun.nio.fs.UnixException.translateToIOException(UnixException.java:86)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:102)
at sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:107)
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:214)
at java.nio.file.Files.newByteChannel(Files.java:361)
at java.nio.file.Files.newByteChannel(Files.java:407)
at java.nio.file.spi.FileSystemProvider.newInputStream(FileSystemProvider.java:384)
at java.nio.file.Files.newInputStream(Files.java:152)
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readKeyStore(CertParsingUtils.java:68)
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.readPkcs12KeyPairs(CertParsingUtils.java:127)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$loadPkcs12CA$1(CertificateTool.java:341)
at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:931)
at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:85)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.loadPkcs12CA(CertificateTool.java:340)
at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.getCAInfo(CertificateTool.java:328)
at org.elasticsearch.xpack.security.cli.CertificateTool$GenerateCertificateCommand.execute(CertificateTool.java:684)
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.MultiCommand.execute(MultiCommand.java:77)
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124)
at org.elasticsearch.cli.Command.main(Command.java:90)
at org.elasticsearch.xpack.security.cli.CertificateTool.main(CertificateTool.java:137)

On a side note,
I did echo $? right after this command and I got 1

OK, I am trying this on a new machine, this is just weird


(Tim Vernum) #9

13?

