ElasticSearch Linux startup failed. Procedure

Elasticsearch has been deployed to Linux and I have encountered a problem with the certificate signing. After following the steps to resolve these problems, I get an exception when I start Elasticsearch. How do I resolve this problem?

uncaught exception in thread [main]
org.Elasticsearch.bootstrap.StartupException: org.Elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/software/es/Elasticsearch-8.0.1/config/certs/elastic-stack-ca.p12] does not contain any trusted certificate entries

org.Elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - the truststore [/usr/software/es/Elasticsearch-8.0.1/config/certs/elastic-stack-ca.p12] does not contain any trusted certificate entries
Likely root cause: org.Elasticsearch.common.ssl.SslConfigException: the truststore [/usr/software/es/Elasticsearch-8.0.1/config/certs/elastic-stack-ca.p12] does not contain any trusted certificate entries

You can follow this doc, get your P12 file, and add it in your elasticsearch.yml.

Thanks for your help. I'll give it a try.

You are attempting to use a CA key-pair as a truststore. That doesn't work - the idea of this CA is that it is the key to control your cluster, you usually don't want to have lots of copies of it lying around.

If you follow the docs mentioned above you'll see that the correct setup is:

xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

Why am I prompted with a password error after I have configured the path as instructed in the document?

org.Elasticsearch.bootstrap.StartupException: org.Elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/software/es/Elasticsearch-8.0.1/config/certs/elastic-certificates.p12] - this is usually caused by an incorrect password; (a keystore password was provided)

Here you need to input the password that you set when running ./bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

First of all, thank you for your help. I successfully started Elasticsearch according to your instructions. However, there was an exception when I started Elasticsearch.

I think this is a conf error or file problem; maybe you can follow the doc and try it all over again.

@casterQ Thank you for your comments. I will check them carefully.

I followed the instructions on this page:

Set up basic security for the Elastic Stack | Elasticsearch Guide [8.1] | Elastic

via logging into the cline of the already running ES container, and everything went well, except upon restart of the container (I'm running ES in Docker) it says:

  • today at 4:43:00 AM org.Elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl] - cannot read configured [PKCS12] keystore (as a truststore) [/usr/share/Elasticsearch/config/elastic-certificates.p12] - this is usually caused by an incorrect password; (no password was provided)

I am guessing that for some reason the saving of the password to the stores didn't persist through restart of the container?

I did follow all of the examples for setting up the container and mounted a volume to store data. My entire volumes section in my compose looks like this (you can see the data volume as the 4th mounted volume):

      volumes:
        - '/opt/docker/configs/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:rw'               # Config
        - '/opt/docker/configs/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:rw' # Cert
        - '/mnt/e/Docker/Logs/elasticsearch:/usr/share/elasticsearch/logs:rw'      # Logs
        - '/mnt/e/Docker/Elasticsearch/data:/usr/share/elasticsearch/data:rw'      # Data
        - '/mnt/e/Docker/Elasticsearch/backup:/usr/share/elasticsearch/backup:rw'  # Backup

How does one fix this issue?
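
Added example, not part of the original thread: `bin/elasticsearch-keystore` stores secure settings such as the truststore password in `elasticsearch.keystore` inside the config directory, so this check reports whether any entry of a compose `volumes:` list covers that file on a writable mount. It assumes the official image's `/usr/share/elasticsearch/config` layout and that the container is recreated rather than only stopped and started; the function names are hypothetical.

```python
from pathlib import PurePosixPath

# Assumption: official image layout. bin/elasticsearch-keystore writes secure
# settings (e.g. the truststore password) to this file in the config directory.
KEYSTORE = PurePosixPath("/usr/share/elasticsearch/config/elasticsearch.keystore")

# Bind mounts from the compose file posted above (short "src:dst[:mode]" syntax).
POSTED_VOLUMES = [
    "/opt/docker/configs/elasticsearch/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:rw",
    "/opt/docker/configs/elasticsearch/config/elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:rw",
    "/mnt/e/Docker/Logs/elasticsearch:/usr/share/elasticsearch/logs:rw",
    "/mnt/e/Docker/Elasticsearch/data:/usr/share/elasticsearch/data:rw",
    "/mnt/e/Docker/Elasticsearch/backup:/usr/share/elasticsearch/backup:rw",
]


def parse_volume(spec):
    """Split a short-syntax entry into (container_path, mode).

    Handles "dst", "src:dst" and "src:dst:mode" with POSIX host paths;
    Windows drive-letter sources are not handled.
    """
    parts = spec.strip().strip("'\"").split(":")
    if len(parts) == 1:                      # anonymous volume: target only
        return PurePosixPath(parts[0]), "rw"
    mode = parts[2] if len(parts) > 2 else "rw"
    return PurePosixPath(parts[1]), mode


def keystore_mount(volumes, path=KEYSTORE):
    """Return (entry, mode) for the mount covering `path`, or None.

    A mount covers the file when its target is the file itself or one of its
    parent directories; the most specific (longest) target wins.
    """
    best = None
    for spec in volumes:
        target, mode = parse_volume(spec)
        if target == path or target in path.parents:
            if best is None or len(target.parts) > len(best[2].parts):
                best = (spec, mode, target)
    return best[:2] if best else None


def secure_settings_persist(volumes):
    """True only if elasticsearch.keystore sits on a writable mount."""
    found = keystore_mount(volumes)
    return found is not None and "ro" not in found[1].split(",")
```

For the mounts in the post, `secure_settings_persist(POSTED_VOLUMES)` returns `False`: neither the keystore file nor its parent directory is among the mount targets.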
