ElasticSearch with SSL?

Hello, I am trying to configure elasticsearch with SSL, but I get these errors.

I followed this tutorial:
https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-tls.html

So I created the Certificate Authority:
bin/elasticsearch-certutil ca

Then I generated the certificate and the private key:
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12

Then I configured elasticsearch.yml:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certss/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certss/elastic-certificates.p12

Then I restarted elasticsearch:
systemctl start elasticsearch

But I get these errors:

# sudo tail -f /var/log/elasticsearch/elasticsearch.log
    java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
    ...
    Caused by: java.lang.reflect.InvocationTargetException
    ...
    Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.http.ssl]
    ...
    Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/certss/elastic-certificates.p12]
    ...
    Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/certss/elastic-certificates.p12
    ...

This command says that the plugin is installed:
# sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
ERROR: this distribution of Elasticsearch contains X-Pack by default

Any idea?


Hi, I am encountering the same issue with elasticsearch 7.4.0 - in case you solved it I am interested to learn now, thanks

Hi @xemyleex

If you read the error messages carefully, you can see that one is failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/certss/elastic-certificates.p12] and another is java.nio.file.AccessDeniedException: /etc/elasticsearch/certss/elastic-certificates.p12.

These messages already tell enough. The Elasticsearch process does not have sufficient permission to access the truststore file. Configure the permission accordingly and it should work.

Hope this helps.

Ok thanks, but now I get this error:

[2019-10-30T10:38:58,146][ERROR][o.e.b.Bootstrap          ] [localhost.localdomain] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
....
Caused by: java.lang.reflect.InvocationTargetException
....
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
....
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
....
Caused by: java.io.IOException: keystore password was incorrect
....
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
....
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
...
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
....
Caused by: java.io.IOException: keystore password was incorrect
....
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

Then, as the error informs you, elastic-certificates.p12 is password protected and you haven't configured elasticsearch with the password, so it can't decrypt and read it. Read point 3 in the tutorial you followed.

If you don't get exactly the same error message, then it is probably better for you to start a new thread, providing your configuration and the exact error message you are getting, so that folks can more easily assist you.

Ok, now it works, thanks :slight_smile:
Last question:
If I try to open this page in the browser:
https://localhost:9200

Then I get this error:
ssl_error_rx_record_too_long

Why?

You have only configured the transport layer for TLS, not the http layer, so you can't access elasticsearch over https with your browser. Go back to the tutorial you are reading, it's all there :slight_smile:


Thanks so much. I have one last question :slight_smile:
I tried to open this page in the browser:
https://localhost:9200
And I get this:

So I tried to insert the default username and password:

elastic
changeme

But it doesn't work because I get "failed to authenticate user [elastic]":

I tried to change the password too, but I get this:

$ sudo bin/elasticsearch-setup-passwords interactive
[sudo] password di emiliano: 

SSL connection to https://127.0.0.1:9200/_security/_authenticate?pretty failed: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.

ERROR: Failed to establish SSL connection to elasticsearch at https://127.0.0.1:9200/_security/_authenticate?pretty. 

This is my elasticsearch.yml ssl setting:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certss/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certss/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/certss/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/certss/elastic-certificates.p12

Any idea?

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Done :slight_smile:

There hasn't been a default password for a few releases now:

The certificate you are using for TLS in the http layer doesn't contain a SAN with the hostname or the IP address of the node (localhost) where elasticsearch is running, so elasticsearch-setup-passwords can't securely connect to it.

You can either:

  • Generate a new certificate and key in a new keystore for the http layer, using --dns or --ip as described in the blog you are following, and use that for xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path

  • Or:
    1. Set xpack.security.http.ssl.enabled: false
    2. Restart elasticsearch
    3. Run bin/elasticsearch-setup-passwords interactive again
    4. Set xpack.security.http.ssl.enabled: true
    5. Restart elasticsearch
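The three failures in this thread (the node's service account cannot read the PKCS#12 file, the keystore password is not configured, and the http certificate has no SAN for the host that elasticsearch-setup-passwords or the browser connects to) can all be caught before restarting the node. The script below is an added example and is not part of this thread or of Elastic's own tooling; it assumes openssl 1.1.1 or later and sudo are installed, and that the service account is named elasticsearch (the package default, an assumption for other installs). The file name es-tls-preflight.sh is hypothetical.

```shell
#!/bin/sh
# Pre-flight checks for an Elasticsearch PKCS#12 keystore (added example, not
# from Elastic's documentation). Assumes openssl 1.1.1+ and sudo are installed;
# the service account name "elasticsearch" is the package default and is an
# assumption for your install.

# Can USER read FILE? Mirrors the AccessDeniedException in the first error: the
# node runs as the service account, not as the root user who ran certutil.
p12_readable_by() { # usage: p12_readable_by FILE USER
  sudo -u "$2" test -r "$1"
}

# Does PASSWORD open the PKCS#12 container? Mirrors "keystore password was incorrect".
p12_password_ok() { # usage: p12_password_ok FILE PASSWORD
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" -info -noout >/dev/null 2>&1
}

# Print the certificate's SAN entries as one comma-separated line, e.g.
# "DNS:localhost, IP Address:127.0.0.1" (empty output if there is no SAN).
p12_san_list() { # usage: p12_san_list FILE PASSWORD
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -E 'DNS:|IP Address:' | head -n 1
}

# Does a SAN line cover HOST exactly (DNS name or IP)? Wildcard entries are not
# expanded: "DNS:*.example.com" does not match "node1.example.com" here.
san_covers_host() { # usage: san_covers_host HOST "DNS:a, IP Address:1.2.3.4"
  printf '%s\n' "$2" | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -qxF -e "DNS:$1" -e "IP Address:$1"
}

# Run all three checks in the order the thread hit them; stop at the first failure.
preflight() { # usage: preflight FILE PASSWORD HOST [USER]
  file=$1 pass=$2 host=$3 user=${4:-elasticsearch}
  p12_readable_by "$file" "$user" \
    || { echo "FAIL: $user cannot read $file (fix ownership/mode on the file)"; return 1; }
  p12_password_ok "$file" "$pass" \
    || { echo "FAIL: password does not open $file (store it with elasticsearch-keystore)"; return 1; }
  sans=$(p12_san_list "$file" "$pass")
  san_covers_host "$host" "$sans" \
    || { echo "FAIL: SAN [$sans] does not cover $host (regenerate with --dns/--ip)"; return 1; }
  echo "OK: $file readable by $user, password accepted, SAN covers $host"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```

Usage: `sh es-tls-preflight.sh /etc/elasticsearch/certss/elastic-certificates.p12 '<keystore password>' localhost`. The password check covers point 3 of the tutorial: the password belongs in the Elasticsearch keystore (`bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password`, plus the truststore and http equivalents), not in elasticsearch.yml. The SAN check is the one that would have caught the `No subject alternative names present` error before running elasticsearch-setup-passwords.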
