So I created the Certificate Authority:

```
bin/elasticsearch-certutil ca
```

Then I generated the certificate and the private key:

```
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
```

Then I configured elasticsearch.yml:

```
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/certss/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/certss/elastic-certificates.p12
```

Then I restarted elasticsearch:

```
systemctl start elasticsearch
```
But I get these errors:
```
# sudo tail -f /var/log/elasticsearch/elasticsearch.log
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
...
Caused by: java.lang.reflect.InvocationTargetException
...
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.http.ssl]
...
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/certss/elastic-certificates.p12]
...
Caused by: java.nio.file.AccessDeniedException: /etc/elasticsearch/certss/elastic-certificates.p12
...
```
This command says that that plugin is installed:

```
# sudo /usr/share/elasticsearch/bin/elasticsearch-plugin install x-pack
ERROR: this distribution of Elasticsearch contains X-Pack by default
```
If you read the error messages carefully, you can see that one is failed to initialize SSL TrustManager - not permitted to read truststore file [/etc/elasticsearch/certss/elastic-certificates.p12] and another is java.nio.file.AccessDeniedException: /etc/elasticsearch/certss/elastic-certificates.p12.
These messages already tell enough. The Elasticsearch process does not have sufficient permission to access the truststore file. Configure the permission accordingly and it should work.
```
[2019-10-30T10:38:58,146][ERROR][o.e.b.Bootstrap ] [localhost.localdomain] Exception
java.lang.IllegalStateException: failed to load plugin class [org.elasticsearch.xpack.core.XPackPlugin]
....
Caused by: java.lang.reflect.InvocationTargetException
....
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
....
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
....
Caused by: java.io.IOException: keystore password was incorrect
at
....
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
....
Caused by: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
...
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
....
Caused by: java.io.IOException: keystore password was incorrect
....
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
```
Then, as the error informs you, elastic-certificates.p12 is password protected and you haven't configured elasticsearch with the password, so it can't decrypt and read it. Read point 3 in the tutorial you followed.
If you don't get exactly the same error message, then it probably is better for you to start a new thread, provide your configuration and the exact error message you are getting so that folk can more easily assist you.
You have only configured the transport layer for TLS, not the http layer, so you can't access elasticsearch over https with your browser. Go back to the tutorial you are reading, it's all there.
I tried to change the password too but I get this:

```
$ sudo bin/elasticsearch-setup-passwords interactive
[sudo] password di emiliano:
SSL connection to https://127.0.0.1:9200/_security/_authenticate?pretty failed: No subject alternative names present
Please check the elasticsearch SSL settings under xpack.security.http.ssl.
ERROR: Failed to establish SSL connection to elasticsearch at https://127.0.0.1:9200/_security/_authenticate?pretty.
```
Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.
Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.
It would be great if you could update your post to solve this.
There hasn't been a default password for a few releases now:
The certificate you are using for TLS in the http layer doesn't contain a SAN with the hostname or the IP address of the node (localhost) where elasticsearch is running, so elasticsearch-setup-passwords can't securely connect to it.
You can either:
- Generate a new certificate and key in a new keystore for the http layer, using --dns or --ip as described in the blog you are following and use that for xpack.security.http.ssl.keystore.path and xpack.security.http.ssl.truststore.path
- Set xpack.security.http.ssl.enabled: false
Restart elasticsearch
Run bin/elasticsearch-setup-passwords interactive again
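
Two of the failures in this thread ("keystore password was incorrect" and "No subject alternative names present") can be checked with openssl before restarting the node. The script below is an added example, not code from the thread or from Elastic; the file names, the passwords and the CN are constructed, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Pre-flight checks for a PKCS#12 keystore (added example, not from the thread).
# Every keystore used below is a throwaway one constructed by make_p12.

# p12_opens FILE PASSWORD: succeeds only if PASSWORD unlocks the keystore.
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# p12_covers_ip FILE PASSWORD IP: succeeds only if the node certificate has
# an IP subject alternative name equal to IP (the subject CN is not consulted).
p12_covers_ip() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -checkip "$3" 2>&1 | grep -q 'does match'
}

# make_p12 OUT PASSWORD [SAN]: build a constructed self-signed test keystore.
make_p12() {
  work=$(mktemp -d) || return 1
  san=""
  if [ -n "${3:-}" ]; then san="-addext subjectAltName=$3"; fi
  # $san is left unquoted on purpose so it splits into option and value.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=instance" \
    $san -keyout "$work/key.pem" -out "$work/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$work/key.pem" -in "$work/cert.pem" \
      -passout "pass:$2" -out "$1" 2>/dev/null
  rc=$?
  rm -rf "$work"
  return $rc
}

demo() {
  dir=$(mktemp -d) || return 1
  make_p12 "$dir/no-san.p12" "changeme" || return 1
  make_p12 "$dir/with-san.p12" "changeme" "IP:127.0.0.1,DNS:localhost" || return 1
  for name in no-san with-san; do
    if p12_opens "$dir/$name.p12" ""; then pw="opens without a password"
    else pw="needs its password configured"; fi
    if p12_covers_ip "$dir/$name.p12" "changeme" 127.0.0.1; then ip="covers 127.0.0.1"
    else ip="has no SAN for 127.0.0.1"; fi
    echo "$name.p12: $pw; $ip"
  done
  rm -rf "$dir"
}
demo
```

On OpenSSL 3, a keystore written by an older Java version may need `-legacy` added to the `openssl pkcs12` calls before it can be read.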