Elasticsearch-setup-passwords ssl connection issue

security

(Nick) #1

Hello there

I need to change the passwords via the "elasticsearch-setup-passwords" command. It's been working without any problems until I secured my connections with TLS.

Now I get the following error:

SSL connection to https://elasticsearch1:9200/_xpack/security/_authenticate?pretty failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://elasticsearch1:9200/_xpack/security/_authenticate?pretty.

I've tried to fix it with this troubleshooting guide but I couldn't fix it.

I would appreciate any advice or hints, thank you in advance!


(Tim Vernum) #2

That guide has the right instructions for fixing this - what exactly did you do?


(Nick) #3

I added the following lines to my elasticsearch.yml:

xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca-chain.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/private.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certificate.crt

My ssl settings now look like this:

xpack.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca-chain.crt
xpack.ssl.key: /usr/share/elasticsearch/config/private.key
xpack.ssl.certificate: /usr/share/elasticsearch/config/certificate.crt
xpack.security.http.ssl.certificate_authorities: /usr/share/elasticsearch/config/ca-chain.crt
xpack.security.http.ssl.key: /usr/share/elasticsearch/config/private.key
xpack.security.http.ssl.certificate: /usr/share/elasticsearch/config/certificate.crt

(Ioannis Kakavas) #4

Hi Nick,

I need to change the passwords via the "elasticsearch-setup-passwords" command. It's been working without any problems until I secured my connections with TLS.

Please note that you can't change the passwords of the built-in users with elasticsearch-setup-passwords once these are already set. See our documentation for more details. If you have run elasticsearch-setup-passwords already, you can change the password using the change password API.

If the above is not the case, we can focus on your described issue, which looks likely to be caused by the fact that the ca-chain.crt cannot be used to verify the certificate contained in certificate.crt. Can you share more information on how these were created and whether the certificate.crt is signed with the CA key that corresponds to the certificate in ca-chain.crt?


(Nick) #5

Hi Ioannis

You guys were right, the problem was caused by the ca-chain.crt; I was given an incomplete one.
Now everything is working properly. Thanks for your help!
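
The check asked for in #4 and the cause confirmed in #5, reproduced as an added example (not code from the thread or from Elastic): a throwaway root, intermediate and leaf PKI built with openssl, where a CA bundle missing the leaf's issuer fails verification and the complete chain succeeds. Apart from ca-chain.crt, all file names, subject names and the choice of which certificate is missing are assumptions.

```shell
#!/bin/sh
# Added example: throwaway PKI (every name here is constructed) showing how a CA
# bundle that lacks the leaf's issuer makes certificate path building fail.

# new_cert DIR NAME CN ISSUER [EXTFILE]
# Creates DIR/NAME.key and DIR/NAME.crt; ISSUER equal to NAME means self-signed.
new_cert() {
  dir=$1 name=$2 cn=$3 issuer=$4 ext=${5:+-extfile $5}
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = "$name" ]; then
    signer="-signkey $dir/$name.key"
  else
    signer="-CA $dir/$issuer.crt -CAkey $dir/$issuer.key -CAcreateserial"
  fi
  # $signer and $ext are left unquoted on purpose so they split into arguments.
  openssl x509 -req -in "$dir/$name.csr" $signer $ext -days 2 \
    -out "$dir/$name.crt" 2>/dev/null
}

# build_demo_pki DIR: root CA -> intermediate CA -> leaf for host "elasticsearch1".
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_cert "$1" root "Demo Root CA" root "$1/ca.ext" &&
  new_cert "$1" inter "Demo Intermediate CA" root "$1/ca.ext" &&
  new_cert "$1" leaf "elasticsearch1" inter &&
  cp "$1/root.crt" "$1/incomplete-chain.crt" &&         # intermediate left out
  cat "$1/inter.crt" "$1/root.crt" > "$1/ca-chain.crt"  # complete chain
}

# chain_ok BUNDLE CERT: succeeds only if a path from CERT to a root can be built.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d) && build_demo_pki "$tmp" &&
for bundle in incomplete-chain.crt ca-chain.crt; do
  if chain_ok "$tmp/$bundle" "$tmp/leaf.crt"; then
    echo "$bundle: leaf certificate verifies"
  else
    echo "$bundle: no valid certification path to leaf"
  fi
done
rm -rf "$tmp"
```

Against real files, `chain_ok ca-chain.crt certificate.crt` runs the same check before the bundle is referenced from elasticsearch.yml.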

