Elasticsearch: Encrypting HTTP client communications - AccessControlException

Jurilz · November 30, 2020, 10:24am

Good day,

I'm trying to set up Encrypting HTTP client communications and followed 'https://www.elastic.co/guide/en/elasticsearch/reference/7.10/configuring-tls.html#tls-http':

My Elasticsearch Docker Container failes with the error log:

{"type": "server", "timestamp": "2020-11-30T10:00:36,315Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "using [1] data paths, mounts [[/usr/share/elasticsearch/data (/dev/vdb)]], net usable_space [74.2gb], net total_space [80gb], types [btrfs]" }
{"type": "server", "timestamp": "2020-11-30T10:00:36,316Z", "level": "INFO", "component": "o.e.e.NodeEnvironment", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "heap size [1gb], compressed ordinary object pointers [true]" }
{"type": "server", "timestamp": "2020-11-30T10:00:36,474Z", "level": "INFO", "component": "o.e.n.Node", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "node name [b3a844564b02], node ID [K_3kZ5TtSsCBR027FEJHAQ], cluster name [docker-cluster], roles [transform, master, remote_cluster_client, data, ml, data_content, data_hot, data_warm, data_cold, ingest]" }
{"type": "deprecation", "timestamp": "2020-11-30T10:00:40,095Z", "level": "DEPRECATION", "component": "o.e.d.c.s.Settings", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "[xpack.security.http.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }
{"type": "deprecation", "timestamp": "2020-11-30T10:00:40,097Z", "level": "DEPRECATION", "component": "o.e.d.c.s.Settings", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "[xpack.security.transport.ssl.truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }
{"type": "deprecation", "timestamp": "2020-11-30T10:00:40,101Z", "level": "DEPRECATION", "component": "o.e.d.c.s.Settings", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "[xpack.security.transport.ssl.keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }
{"type": "deprecation", "timestamp": "2020-11-30T10:00:41,717Z", "level": "DEPRECATION", "component": "o.e.d.c.s.Settings", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "[keystore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }
{"type": "deprecation", "timestamp": "2020-11-30T10:00:41,719Z", "level": "DEPRECATION", "component": "o.e.d.c.s.Settings", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "[truststore.password] setting was deprecated in Elasticsearch and will be removed in a future release! See the breaking changes documentation for the next major version." }

{"type": "server", "timestamp": "2020-11-30T10:00:41,729Z", "level": "ERROR", "component": "o.e.b.ElasticsearchUncaughtExceptionHandler", "cluster.name": "docker-cluster", "node.name": "b3a844564b02", "message": "uncaught exception in thread [main]", 
"stacktrace": ["org.elasticsearch.bootstrap.StartupException: java.security.AccessControlException: access denied (\"java.io.FilePermission\" \"/usr/share/elaticsearch/config\" \"read\")",
"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:174) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:161) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:127) ~[elasticsearch-cli-7.10.0.jar:7.10.0]",
"at org.elasticsearch.cli.Command.main(Command.java:90) ~[elasticsearch-cli-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:126) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) ~[elasticsearch-7.10.0.jar:7.10.0]",

"Caused by: java.security.AccessControlException: access denied (\"java.io.FilePermission\" \"/usr/share/elaticsearch/config\" \"read\")",
"at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:?]",
"at java.security.AccessController.checkPermission(AccessController.java:1036) ~[?:?]",
"at java.lang.SecurityManager.checkPermission(SecurityManager.java:408) ~[?:?]",
"at java.lang.SecurityManager.checkRead(SecurityManager.java:747) ~[?:?]",
"at sun.nio.fs.UnixPath.checkRead(UnixPath.java:810) ~[?:?]",
"at sun.nio.fs.UnixFileSystemProvider.exists(UnixFileSystemProvider.java:524) ~[?:?]",
"at java.nio.file.Files.exists(Files.java:2514) ~[?:?]",
"at org.elasticsearch.watcher.FileWatcher$FileObserver.init(FileWatcher.java:158) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.watcher.FileWatcher$FileObserver.access$000(FileWatcher.java:76) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.watcher.FileWatcher.doInit(FileWatcher.java:66) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.watcher.AbstractResourceWatcher.init(AbstractResourceWatcher.java:36) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.watcher.ResourceWatcherService.add(ResourceWatcherService.java:129) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.startWatching(SSLConfigurationReloader.java:102) ~[?:?]",
"at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.<init>(SSLConfigurationReloader.java:46) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454) ~[?:?]",
"at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:288) ~[?:?]",
"at org.elasticsearch.node.Node.lambda$new$15(Node.java:553) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]",
"at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]",
"at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]",
"at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]",
"at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]",
"at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]",
"at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]",
"at org.elasticsearch.node.Node.<init>(Node.java:557) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.node.Node.<init>(Node.java:289) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393) ~[elasticsearch-7.10.0.jar:7.10.0]",
"at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170) ~[elasticsearch-7.10.0.jar:7.10.0]",
"... 6 more"] }
uncaught exception in thread [main]


java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/share/elaticsearch/config" "read")
	at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
	at java.base/java.security.AccessController.checkPermission(AccessController.java:1036)
	at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:408)
	at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:747)
	at java.base/sun.nio.fs.UnixPath.checkRead(UnixPath.java:810)
	at java.base/sun.nio.fs.UnixFileSystemProvider.exists(UnixFileSystemProvider.java:524)
	at java.base/java.nio.file.Files.exists(Files.java:2514)
	at org.elasticsearch.watcher.FileWatcher$FileObserver.init(FileWatcher.java:158)
	at org.elasticsearch.watcher.FileWatcher$FileObserver.access$000(FileWatcher.java:76)
	at org.elasticsearch.watcher.FileWatcher.doInit(FileWatcher.java:66)
	at org.elasticsearch.watcher.AbstractResourceWatcher.init(AbstractResourceWatcher.java:36)
	at org.elasticsearch.watcher.ResourceWatcherService.add(ResourceWatcherService.java:129)
	at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.startWatching(SSLConfigurationReloader.java:102)
	at org.elasticsearch.xpack.core.ssl.SSLConfigurationReloader.<init>(SSLConfigurationReloader.java:46)
	at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454)
	at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:288)
	at org.elasticsearch.node.Node.lambda$new$15(Node.java:553)
	at java.base/java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271)
	at java.base/java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625)
	at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484)
	at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474)
	at java.base/java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913)
	at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
	at java.base/java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578)
	at org.elasticsearch.node.Node.<init>(Node.java:557)
	at org.elasticsearch.node.Node.<init>(Node.java:289)
	at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:227)
	at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:227)
	at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:393)
	at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:170)
	<<<truncated>>>
For complete error details, refer to the log at /usr/share/elasticsearch/logs/docker-cluster.log

My elasticsearch.yml:

cluster.name: "docker-cluster"
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12

xpack.security.transport.ssl.keystore.password: <pw>
xpack.security.transport.ssl.truststore.password: <pw>

# This turns on SSL for the HTTP (Rest) interface
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /usr/share/elaticsearch/config/http.p12
xpack.security.http.ssl.keystore.password: <pw>

#xpack.security.enabled: false
discovery.type: single-node

The output for ls -halt for the mounted certificates is:

-rwxrwxrwx 1 root         root  3.4K Nov 30 10:49 http.p12
-rwxrwxrwx 1 root         root  3.4K Nov 26 14:04 elastic-certificates.p12
-rwxrwxrwx 1 root         root  2.5K Nov 26 14:03 elastic-stack-ca.p12

The certificates are mounted under:

/usr/share/elasticsearch/config/http.p12
/usr/share/elasticsearch/config/elastic-certificates.p12
/usr/share/elasticsearch/elastic-stack-ca.p12

Unfortunately I'm not able so solve this problem with help of the documentation alone. Therefore I'm looking forward to any help.

warkolm · December 2, 2020, 12:55am

I would suggest moving things to /etc/elasticsearch/ssl or something like that.

Jurilz · December 7, 2020, 12:46pm

Thank you @warkolm for your support.

I made it with these instructions:

But will try again with your tip by hand.

system · January 4, 2021, 12:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.