Elasticsearch TLS configuration issue

Following the list of instructions here, after configuring the basic security: Set up basic security for the Elastic Stack | Elasticsearch Guide [7.16] | Elastic

Instead of ./bin, I am doing /usr/share/Elasticsearch/bin ... as I installed on a CentOS machine. When I restart Elasticsearch, I receive the following error:

org.elasticsearch.bootstrap.StartupException: ElasticsearchSecurityException[failed to load SSL configuration [xpack.security.transport.ssl]]; nested: ElasticsearchException[failed to initialize SSL TrustManager - access to read truststore file [/usr/share/elasticsearch/elasticsearch/elastic-certificates.p12] is blocked; SSL resources should be placed in the [/etc/elasticsearch] directory]; nested: AccessControlException[access denied ("java.io.FilePermission" "/usr/share/elasticsearch/elasticsearch/elastic-certificates.p12" "read")];

So I went ahead and moved elastic-certificate.p12 and elastic-stack-ca.p12 to the /etc/Elasticsearch directory.

I then receive the following error:

failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/elastic-certificates.p12]

Is this issue because I loaded the elastic certificates incorrectly? How do I, by default, load them into /etc/Elasticsearch?

The reason that the commands are ./bin is because it expects you to be in /etc/elasticsearch and then creates the files in the paths with the right permissions it needs.

What are the permissions on the certificates?

@warkolm here are the permissions (in usr/share/Elasticsearch):
-rw------- 1 root root 3596 Dec 16 15:43 elastic-certificates.p12
-rw------- 1 root root 2672 Dec 16 15:41 elastic-stack-ca.p12

How would I go about creating the files in the right path?

sudo cp /usr/share/elasticsearch/*.p12 /etc/elasticsearch/.
sudo chmod 644 /etc/elasticsearch/*.p12
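
Mode 644, as set in the reply above, lets every local account read the keystores. As an added example that is not part of the thread, this script tells apart the root-only 600 case (the "not permitted to read" error), the world-readable 644 case, and a group-readable 640 layout. The function names and the group name `elasticsearch` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: audit PKCS#12 keystore permissions.
# Assumption: the Elasticsearch service account reads the files through a
# group (called "elasticsearch" here); pass another group if yours differs.

check_keystore() {   # usage: check_keystore FILE GROUP -> prints one verdict
  [ -f "$1" ] || { echo "MISSING"; return 0; }
  # Any "other" bit set means every local account can reach the private key.
  if [ -n "$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]; then
    echo "TOO_OPEN"
  # The group must match and hold the read bit; otherwise the service cannot
  # rely on group access to read the file.
  elif [ -z "$(find "$1" -group "$2" -perm -040 2>/dev/null)" ]; then
    echo "NOT_GROUP_READABLE"
  else
    echo "OK"
  fi
}

fix_keystore() {     # usage: fix_keystore FILE GROUP (needs root on a real host)
  # Owner read/write, service group read-only, nothing for other accounts.
  chgrp "$2" "$1" && chmod 640 "$1"
}

audit_dir() {        # usage: audit_dir DIR GROUP -> returns number of findings
  ad_bad=0
  for ad_file in "$1"/*.p12; do
    [ -e "$ad_file" ] || continue          # glob matched nothing
    ad_verdict=$(check_keystore "$ad_file" "$2")
    printf '%-20s %s\n' "$ad_verdict" "$ad_file"
    [ "$ad_verdict" = "OK" ] || ad_bad=$((ad_bad + 1))
  done
  return "$ad_bad"
}

# Typical use on the host from the thread (run as root):
#   audit_dir /etc/elasticsearch elasticsearch
#   fix_keystore /etc/elasticsearch/elastic-certificates.p12 elasticsearch
```
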

Perfect, thanks @stephenb! Everything works now.
