Elasticsearch failed to start when enabling X-Pack security

First things first: I just created an SSL/TLS certificate using elasticsearch-certutil cert, and then I put this configuration at the bottom of elasticsearch.yml:

#xpack

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/etc/elasticsearch/http.p12"

But I got an error like this:

org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:548) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1421) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1553) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:544) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:145) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:525) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:338) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$18(Node.java:736) ~[elasticsearch-7.17.1.jar:7.17.1]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:509) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499) ~[?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:921) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
        at org.elasticsearch.node.Node.<init>(Node.java:750) ~[elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.node.Node.<init>(Node.java:309) ~[elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:234) ~[elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:234) ~[elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:434) [elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166) [elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:157) [elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:77) [elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) [elasticsearch-cli-7.17.1.jar:7.17.1]
        at org.elasticsearch.cli.Command.main(Command.java:77) [elasticsearch-cli-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:122) [elasticsearch-7.17.1.jar:7.17.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80) [elasticsearch-7.17.1.jar:7.17.1]
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL KeyManager
        at org.elasticsearch.xpack.core.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:93) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:454) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:546) ~[?:?]
        ... 26 more
Caused by: java.io.IOException: keystore password was incorrect
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1473) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:99) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:83) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:454) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:546) ~[?:?]
        ... 26 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1473) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:99) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreKeyConfig.createKeyManager(StoreKeyConfig.java:83) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:454) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1220) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:546) ~[?:?]

Please help, what's wrong with my configuration?

Can you check that?

Sorry, that error message isn't very helpful. I thought we had fixed that - I'll need to look into why it didn't give you better information.

You need to put together these pieces:

org.elasticsearch.ElasticsearchSecurityException: 
  failed to load SSL configuration [xpack.security.transport.ssl]
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL KeyManager
Caused by: java.io.IOException: keystore password was incorrect

You have a problem with the keystore you are using here:

Whatever password you have configured (which might be none) is incorrect.
Check:

bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password

If that setting doesn't exist, then it looks like you need one.
If it does exist, it looks like it's wrong.


Where to check?

It exists. By the way, how can I see the password of all the .p12 files that I made?

You can't.
Once you've set a password on a PKCS#12 file you have to remember it - there is no way to recover it later.

If you no longer know what password you entered for those files, then you will need to re-generate them.

Aaaah, I see. So what's wrong with my config?

The password that is shown by this command:

bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password

is not the correct password for this file:

elastic-certificates.p12

I cannot tell you what the correct password is.
Maybe you don't have a password.
Maybe you entered the password incorrectly.
I cannot offer you any more information than what I've already given you - the password is wrong.

You can check the password by using the keytool command like this:
keytool -v -list -keystore elastic-certificates.p12

But please put the proper path to the keystore file elastic-certificates.p12.
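
A non-interactive way to run the password check discussed above, as an added example that is not part of the original thread: it uses openssl rather than keytool (assuming openssl is installed) and reads the password from stdin so it never appears on a command line. The function names and the sample fixture are hypothetical.

```shell
#!/bin/sh
# Added example: check whether a password opens a PKCS#12 file without
# putting the password on a command line (where `ps` could expose it).

# p12_password_ok FILE  -- the password is read from the first line of stdin.
# Returns 0 if the password opens FILE, 1 if openssl could not open FILE
# with that password, 2 if FILE is missing or unreadable.
p12_password_ok() {
    p12_file=$1
    [ -r "$p12_file" ] || return 2
    # -noout: parse and verify only; never print keys or certificates.
    # -passin stdin: openssl takes the password from the first line of stdin.
    if openssl pkcs12 -in "$p12_file" -noout -passin stdin >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

# make_sample_p12 FILE PASSWORD -- constructed fixture for trying the check:
# a throwaway self-signed certificate packed into a password-protected
# PKCS#12 file. It is not an Elasticsearch node certificate.
make_sample_p12() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-node" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 &&
    P12_PW=$2 openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
        -out "$1" -passout env:P12_PW >/dev/null 2>&1
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage against the files from this thread (run from the Elasticsearch home;
# the /etc/elasticsearch location of the .p12 file is an assumption):
#   bin/elasticsearch-keystore show xpack.security.transport.ssl.keystore.secure_password \
#       | p12_password_ok /etc/elasticsearch/elastic-certificates.p12 \
#       && echo "stored password opens the file" \
#       || echo "stored password does NOT open the file"
```

The same check applies to the truststore path and to http.p12, each against its own secure_password setting.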

How do I change the password of elastic-certificates.p12?

I think that you cannot change the password of the keystore if you don't know the current password.

Hi Daniel, what should I do to create HTTPS/TLS from the beginning again?

Hi @alipujaistopo,

I think if you don't know the current password, you should prepare the certs/keystore once again and replace the certs/keystore. It should be enough.

Best Regards,
Dan
