[ERROR][c.a.o.s.s.DefaultOpenDistroSecurityKeyStore] [example.com] Your keystore or PEM does not contain a key. If you specified a key password, try removing it. If you did not specify a key password, perhaps you need to if the key is in fact password-protected. Maybe you just confused keys and certificates.
Given a machine certificate example.pfx, I can extract the key and certificate into two separate files, example-certificate.pem and example-certificate-key.pem, using the commands below from "Converting pfx to pem using openssl".
Extracts the private key from a PFX to a PEM file:
openssl pkcs12 -in example.pfx -nocerts -out key.pem
Exports the certificate (includes the public key only):
openssl pkcs12 -in example.pfx -clcerts -nokeys -out example-certificate.pem
Removes the password from the extracted private key (Elasticsearch does not support keys on private keys):
openssl rsa -in key.pem -out example-certificate-key.pem
I keep hitting the same error. Is there a way I can confirm my pem files are correct or not, to narrow down if the error is caused by ElasticSearch, the pem conversion, the pfx files I receive, or something else?
Elasticsearch requires the private key to be in pkcs8 format.
Convert the extracted key to pkcs8 with
> openssl pkcs8 -in example-certificate-key.pem -topk8 -nocrypt -out example-certificate-key-pkcs8.pem
Welcome to our community!
And thanks heaps for providing your solution!
A few things that I'd like to clarify:
- Elasticsearch does not require pkcs8 format for a private key. The initial error is most likely because you didn't specify the password for the password protected key file (as suggested by the error message). In fact, both example-certificate-key.pem and the later example-certificate-key-pkcs8.pem files should be of pkcs8 format. Just the latter is not password protected because you explicitly specified
- The error message shows that you are using OpenDistro for Elasticsearch. It's a different product from the actual Elasticsearch, especially when it comes to security. Therefore, it is possible that it may behave differently or doesn't support the same things that we support.
Thanks for clarifying, I will confirm your solution and update our documentation as well as the answer here at our next upgrade.
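One way to answer the original question of whether the PEM files are what they should be, as an added example that is not part of any post in this thread: the script reads each file's PEM header to report whether it holds a certificate or a key, in which format, and whether it is password-protected, then uses openssl to compare the public key in the key file with the one in the certificate. The function names and output labels are made up for this example.

```shell
#!/bin/sh
# Added example. Usage: sh check_pem.sh KEY.pem CERT.pem

# pem_kind FILE: print the type of the first PEM block in FILE.
# Text before the block (the "Bag Attributes" lines that
# `openssl pkcs12` writes) is skipped; CR line endings are tolerated.
pem_kind() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" | tr -d '\r')
    case "$header" in
        "-----BEGIN CERTIFICATE-----")           echo "certificate" ;;
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8-key" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-key-encrypted" ;;
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # The traditional format marks encryption with a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "traditional-key-encrypted"
            else
                echo "traditional-key"
            fi ;;
        "") echo "no-pem-block" ;;
        *)  echo "other" ;;
    esac
}

# key_matches_cert KEY CERT: succeed only if both files parse and carry the
# same public key. "-passin pass:" supplies an empty password so an encrypted
# key fails immediately instead of prompting.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

if [ "$#" -eq 2 ]; then
    echo "key file:  $(pem_kind "$1")"
    echo "cert file: $(pem_kind "$2")"
    if key_matches_cert "$1" "$2"; then
        echo "key and certificate match"
    else
        echo "no match (wrong pair, encrypted key, or unreadable file)"
    fi
fi
```

A key file reported as `certificate`, or a cert file reported as a key, points at the "confused keys and certificates" case from the error message; an `-encrypted` result points at the password case.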