Elasticsearch won't start after implementing TLS

Hi all,
I have a bit of a problem. I implemented TLS in my stack as per the instructions.
However, now Elasticsearch won't start, and it's throwing this exception:

java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available

I'm using OpenJDK 11.0.11.
What should I do?

Thanks

Based on the JDK issue, the support for HmacPBESHA256 starts from JDK 11.0.12.

So one option is to upgrade your JDK. Which Elasticsearch version are you using? Also, are you using the bundled JDK? It is recommended.

I use ES 7.13, and I think I don't use the bundled JDK.
Will using the bundled JDK solve this? If so, how do I change to it?
Meanwhile I am trying to upgrade my JDK, which proves to be more bothersome than anticipated.

The current recommended way for 7.12+ is to set an ES_JAVA_HOME environment variable to point to the bundled JDK (you can find it under your Elasticsearch installation directory). Alternatively, you can just unset JAVA_HOME, which makes Elasticsearch use the bundled JDK by default.

Is the ES_JAVA_HOME variable part of the elasticsearch user environment? Because I don't see it when I run printenv.

Ohh right, I need to set the ES_JAVA_HOME.
OK, I'll do it.

OK, so I've created ES_JAVA_HOME and pointed it to the bundled JDK and did an unset for JAVA_HOME, but the problem persists.

Any help would be appreciated

It would be helpful to diagnose the problem if you can share the elasticsearch logs from booting all the way up leading to the error.


Hi,
Here is the log (minus the module loading messages due to character count):

[2021-08-03T17:04:49,418][INFO ][o.e.n.Node               ] [mvs-es04] version[7.13.2], pid[11572], build[default/deb/4d960a0733be83dd2543ca018aa4ddc42e956800/2021-06-10T21:01:55.251515791Z], OS[Linux/4.15.0-151-generic/amd64], JVM[Ubuntu/OpenJDK 64-Bit Server VM/11.0.11/11.0.11+9-Ubuntu-0ubuntu2.18.04]
[2021-08-03T17:04:49,423][INFO ][o.e.n.Node               ] [mvs-es04] JVM home [/usr/lib/jvm/java-11-openjdk-amd64], using bundled JDK [false]
[2021-08-03T17:04:49,423][INFO ][o.e.n.Node               ] [mvs-es04] JVM arguments [-Xshare:auto, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dio.netty.allocator.numDirectArenas=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.locale.providers=SPI,COMPAT, --add-opens=java.base/java.io=ALL-UNNAMED, -Xms15g, -Xmx15g, -XX:+UseConcMarkSweepGC, -XX:CMSInitiatingOccupancyFraction=75, -XX:+UseCMSInitiatingOccupancyOnly, -Des.networkaddress.cache.ttl=60, -Des.networkaddress.cache.negative.ttl=10, -XX:+AlwaysPreTouch, -Xss1m, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djna.nosys=true, -XX:-OmitStackTraceInFastThrow, -Dio.netty.noUnsafe=true, -Dio.netty.noKeySetOptimization=true, -Dio.netty.recycler.maxCapacityPerThread=0, -Dlog4j.shutdownHookEnabled=false, -Dlog4j2.disable.jmx=true, -Djava.io.tmpdir=/tmp/elasticsearch-1294293600820470431, -XX:+HeapDumpOnOutOfMemoryError, -XX:HeapDumpPath=/var/lib/elasticsearch, -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log, -Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m, -Djava.locale.providers=COMPAT, -XX:UseAVX=2, -XX:MaxDirectMemorySize=8053063680, -Des.path.home=/usr/share/elasticsearch, -Des.path.conf=/etc/elasticsearch, -Des.distribution.flavor=default, -Des.distribution.type=deb, -Des.bundled_jdk=true]
[2021-08-03T17:04:53,617][INFO ][o.e.e.NodeEnvironment    ] [mvs-es04] using [1] data paths, mounts [[/ (/dev/sda1)]], net usable_space [68gb], net total_space [78.6gb], types [ext4]
[2021-08-03T17:04:53,618][INFO ][o.e.e.NodeEnvironment    ] [mvs-es04] heap size [14.9gb], compressed ordinary object pointers [true]
[2021-08-03T17:04:54,418][INFO ][o.e.n.Node               ] [mvs-es04] node name [mvs-es04], node ID [ZtBmYN-qRiewI_tF9brDaQ], cluster name [SIEM_CLUSTER], roles [master, remote_cluster_client, ml, ingest]
[2021-08-03T17:05:00,996][ERROR][o.e.b.Bootstrap          ] [mvs-es04] Exception
org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.transport.ssl]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:530) ~[?:?]
        at java.util.HashMap.forEach(HashMap.java:1336) ~[?:?]
        at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1505) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.loadSSLConfigurations(SSLService.java:526) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.<init>(SSLService.java:144) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:454) ~[?:?]
        at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:298) ~[?:?]
        at org.elasticsearch.node.Node.lambda$new$18(Node.java:605) ~[elasticsearch-7.13.2.jar:7.13.2]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) ~[?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1655) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) ~[?:?]
        at org.elasticsearch.node.Node.<init>(Node.java:609) ~[elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) [elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) [elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) [elasticsearch-cli-7.13.2.jar:7.13.2]
        at org.elasticsearch.cli.Command.main(Command.java:79) [elasticsearch-cli-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.13.2.jar:7.13.2]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) [elasticsearch-7.13.2.jar:7.13.2]
Caused by: org.elasticsearch.ElasticsearchException: failed to initialize SSL TrustManager
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:75) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        ... 26 more
Caused by: java.io.IOException: Integrity check failed: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2167) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:98) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        ... 26 more
Caused by: java.security.NoSuchAlgorithmException: Algorithm HmacPBESHA256 not available
        at javax.crypto.Mac.getInstance(Mac.java:191) ~[?:?]
        at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2145) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222) ~[?:?]
        at java.security.KeyStore.load(KeyStore.java:1479) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.TrustConfig.getStore(TrustConfig.java:98) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.StoreTrustConfig.createTrustManager(StoreTrustConfig.java:66) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.createSslContext(SSLService.java:439) ~[?:?]
        at java.util.HashMap.computeIfAbsent(HashMap.java:1133) ~[?:?]
        at org.elasticsearch.xpack.core.ssl.SSLService.lambda$loadSSLConfigurations$5(SSLService.java:528) ~[?:?]
        ... 26 more

Whatever steps you took to switch to the bundled JVM didn't work.
You're still using 11.0.11.

Without knowing your environment it's hard to give concrete steps to resolve that, but this is where you need to focus your attention. This issue should be resolved if we can get you on to the bundled JDK.

I managed to change to the bundled JVM.
Turns out I had an environment file in /etc/default that pointed to the 11.0.11.
Changed it and I'm good to go.
Well, on the Elasticsearch side; now I need to figure out how to reconnect Kibana.
Thanks for the help!
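
The diagnosis in this thread came from two startup banner lines in the log (JVM version and "using bundled JDK") and ended at an environment file that still set the old JVM. The script below automates both checks; it is an added example, not part of the original posts, and the function names `es_jvm_check` and `java_home_overrides` are hypothetical. The 11.0.12 threshold is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which JVM Elasticsearch really
# started with, based on the startup banner in its log.
MIN_JDK="11.0.12"   # first 11.x release with HmacPBESHA256, per the thread

# Reads an Elasticsearch log on stdin and prints one summary line.
# Exit status: 0 = MAC available, 1 = JDK too old, 2 = banner not found.
es_jvm_check() {
    awk -v min="$MIN_JDK" '
    function bracket(s, tag,    p, rest) {      # text inside "tag[...]"
        p = index(s, tag "[")
        if (!p) return ""
        rest = substr(s, p + length(tag) + 1)
        return substr(rest, 1, index(rest, "]") - 1)
    }
    function ge(a, b,    x, y, i) {             # dotted numeric compare, a >= b
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) > (y[i] + 0)) return 1
            if ((x[i] + 0) < (y[i] + 0)) return 0
        }
        return 1
    }
    index($0, "] version[") {                   # JVM[vendor/VM name/version/build]
        n = split(bracket($0, "JVM"), f, "/"); ver = f[n - 1]
    }
    index($0, "JVM home [") {
        home = bracket($0, "JVM home "); bundled = bracket($0, "using bundled JDK ")
    }
    END {
        if (ver == "") { print "startup banner not found"; exit 2 }
        ok = ge(ver, min)
        printf "jvm=%s home=%s bundled=%s HmacPBESHA256=%s\n", ver, home, bundled, (ok ? "available" : "missing")
        exit(ok ? 0 : 1)
    }'
}

# Lists uncommented JAVA_HOME / ES_JAVA_HOME assignments in an environment file
# (the thread's fix was such a file under /etc/default; its name is not given).
java_home_overrides() {
    grep -nE '^[[:space:]]*(export[[:space:]]+)?(ES_)?JAVA_HOME=' "$1"
}

sample_log() {   # two banner lines abridged from the log posted in the thread
    cat <<'EOF'
[2021-08-03T17:04:49,418][INFO ][o.e.n.Node               ] [mvs-es04] version[7.13.2], pid[11572], OS[Linux/4.15.0-151-generic/amd64], JVM[Ubuntu/OpenJDK 64-Bit Server VM/11.0.11/11.0.11+9-Ubuntu-0ubuntu2.18.04]
[2021-08-03T17:04:49,423][INFO ][o.e.n.Node               ] [mvs-es04] JVM home [/usr/lib/jvm/java-11-openjdk-amd64], using bundled JDK [false]
EOF
}

sample_log | es_jvm_check || true
```

Run `es_jvm_check` against the real log after every restart: a `bundled=false` result after setting ES_JAVA_HOME means some other file is still overriding it, which is what `java_home_overrides` looks for.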
