Elasticsearch is not starting owing to wrong file permission

Hi everyone,

My Elasticsearch instance doesn't start.

Here is an extract from the log file:
Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "/opt/cert/elastic-certificates.p12" "read")
at java.security.AccessControlContext.checkPermission(Unknown Source) ~[?:1.8.0_161]
at java.security.AccessController.checkPermission(Unknown Source) ~[?:1.8.0_161]
at java.lang.SecurityManager.checkPermission(Unknown Source) ~[?:1.8.0_161]
at java.lang.SecurityManager.checkRead(Unknown Source) ~[?:1.8.0_161]
at sun.nio.fs.UnixChannelFactory.open(Unknown Source) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(Unknown Source) ~[?:?]
at sun.nio.fs.UnixChannelFactory.newFileChannel(Unknown Source) ~[?:?]
at sun.nio.fs.UnixFileSystemProvider.newByteChannel(Unknown Source) ~[?:?]
at java.nio.file.Files.newByteChannel(Unknown Source) ~[?:1.8.0_161]
at java.nio.file.Files.newByteChannel(Unknown Source) ~[?:1.8.0_161]
at java.nio.file.spi.FileSystemProvider.newInputStream(Unknown Source) ~[?:1.8.0_161]
at java.nio.file.Files.newInputStream(Unknown Source) ~[?:1.8.0_161]
at org.elasticsearch.xpack.core.ssl.CertUtils.readKeyStore(CertUtils.java:273) ~[?:?]
at org.elasticsearch.xpack.core.ssl.CertUtils.trustManager(CertUtils.java:267) ~[?:?]
at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:70) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:412) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:448) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:91) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.<init>(XPackPlugin.java:127) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:?]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) ~[?:?]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) ~[?:?]
at java.lang.reflect.Constructor.newInstance(Unknown Source) ~[?:1.8.0_161]
at org.elasticsearch.plugins.PluginsService.loadPlugin(PluginsService.java:534) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.plugins.PluginsService.loadBundle(PluginsService.java:485) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.plugins.PluginsService.loadBundles(PluginsService.java:402) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.plugins.PluginsService.<init>(PluginsService.java:146) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.node.Node.<init>(Node.java:303) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.node.Node.<init>(Node.java:246) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:213) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:213) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:323) ~[elasticsearch-6.2.0.jar:6.2.0]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:121) ~[elasticsearch-6.2.0.jar:6.2.0]
... 6 more

I already changed the permission for /opt/cert/ to 777, but it still doesn't work.

I'm appreciative of any help.

This is not about the permissions, but the fact that you need to move the certificates into the config directory of Elasticsearch.

Elasticsearch uses the Java Security Manager on startup, which is configured by a rule that only allows opening files in the config directory, not in arbitrary directories.

3 Likes

Is there a default config directory?
Because there is no config directory in either /etc/elasticsearch or /usr/share/elasticsearch.

The config directory depends on how you installed Elasticsearch. /etc/elasticsearch is used when you use a package, but $DIR/config/ is used when you use the tar.gz image.

2 Likes
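A pre-start check for the rule described in the replies above, as an added example that is not part of the original posts or of Elasticsearch itself: it reads keystore/truststore path settings from elasticsearch.yml text and reports any that resolve outside the config directory, plus files whose mode is as loose as the 777 tried in the question. Assumptions: settings are written as flat dotted keys ending in keystore.path or truststore.path, relative paths are resolved against the config directory, and the mode threshold (no group/other write, no other read) is this example's own choice.

```python
import os
import re
import stat

# Assumed key shape: any flat dotted setting ending in keystore.path / truststore.path
PATH_KEY = re.compile(r"^\s*([\w.]*(?:keystore|truststore)\.path)\s*:\s*(.+?)\s*$")

def check_store_paths(yml_text, config_dir):
    """Return [(key, resolved_path, [problems])] for each store path setting."""
    root = os.path.abspath(config_dir)
    findings = []
    for line in yml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip commented-out settings
        m = PATH_KEY.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"")
        # Assumption: relative paths are taken relative to the config directory.
        # normpath collapses ".." but does not follow symlinks.
        resolved = os.path.normpath(os.path.join(root, value))
        problems = []
        if os.path.commonpath([root, resolved]) != root:
            problems.append("outside config directory")
        if os.path.exists(resolved):
            mode = stat.S_IMODE(os.stat(resolved).st_mode)
            # Key material should not be writable by group/other or world-readable
            if mode & (stat.S_IWGRP | stat.S_IWOTH | stat.S_IROTH):
                problems.append("mode %o is too permissive" % mode)
        findings.append((key, resolved, problems))
    return findings

# Constructed sample config: the first path is the one from the log above,
# the second is the same file after moving it under the config directory.
SAMPLE_YML = """\
xpack.ssl.keystore.path: /opt/cert/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12
"""

if __name__ == "__main__":
    # /etc/elasticsearch is the package-install config directory named in the thread
    for key, path, problems in check_store_paths(SAMPLE_YML, "/etc/elasticsearch"):
        print(key, path, "; ".join(problems) or "ok")
```
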
