I have 3 nodes; 1 is the master node and 2 are child nodes. While enabling SSL and TLS certificates I am getting an error; below is the error.
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:571) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) [elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) [elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) [elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.main(Command.java:79) [elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) [elasticsearch-7.12.1.jar:7.12.1]
[2022-11-21T05:35:55,721][ERROR][o.e.b.ElasticsearchUncaughtExceptionHandler] [node1] uncaught exception in thread [main]
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) ~[elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.main(Command.java:79) ~[elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) ~[elasticsearch-7.12.1.jar:7.12.1]
Caused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:223) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:159) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:52) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$getSSLConfigurations$4(SSLService.java:504) ~[?:?]
at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.getSSLConfigurations(SSLService.java:499) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:459) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:292) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$17(Node.java:567) ~[elasticsearch-7.12.1.jar:7.12.1]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:571) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.12.1.jar:7.12.1]
I have commented out the below two lines:
#xpack.security.http.ssl.keystore.path: http.p12
#xpack.security.http.ssl.key: certs/node1.key
Still I am getting the below error:
org.elasticsearch.bootstrap.StartupException: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:163) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:75) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:116) ~[elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.cli.Command.main(Command.java:79) ~[elasticsearch-cli-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:81) ~[elasticsearch-7.12.1.jar:7.12.1]
Caused by: java.lang.IllegalArgumentException: you cannot specify a keystore and key file
at org.elasticsearch.xpack.core.ssl.CertParsingUtils.createKeyConfig(CertParsingUtils.java:223) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.createKeyConfig(SSLConfiguration.java:159) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLConfiguration.<init>(SSLConfiguration.java:52) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.lambda$getSSLConfigurations$4(SSLService.java:504) ~[?:?]
at java.util.HashMap.forEach(HashMap.java:1425) ~[?:?]
at java.util.Collections$UnmodifiableMap.forEach(Collections.java:1521) ~[?:?]
at org.elasticsearch.xpack.core.ssl.SSLService.getSSLConfigurations(SSLService.java:499) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createSSLService(XPackPlugin.java:459) ~[?:?]
at org.elasticsearch.xpack.core.XPackPlugin.createComponents(XPackPlugin.java:292) ~[?:?]
at org.elasticsearch.node.Node.lambda$new$17(Node.java:567) ~[elasticsearch-7.12.1.jar:7.12.1]
at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:273) ~[?:?]
at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1625) ~[?:?]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) ~[?:?]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) ~[?:?]
at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) ~[?:?]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:?]
at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:682) ~[?:?]
at org.elasticsearch.node.Node.<init>(Node.java:571) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.node.Node.<init>(Node.java:278) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:217) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:397) ~[elasticsearch-7.12.1.jar:7.12.1]
at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-7.12.1.jar:7.12.1]
I tried starting 7.12.1 with your config. I had to tweak the settings, and I added some comments. I got past the error you saw using elasticsearch.yml and elasticsearch-keystore similar to this.
elasticsearch.yml example outline (change the file paths)
cluster.name: elk
bootstrap.memory_lock: true
xpack.security.enabled: true
xpack.monitoring.collection.enabled: true
# Transport/TLS protocol settings
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Transport key/cert settings, do not mix with keystore/truststore settings due to overlap
xpack.security.transport.ssl.key: ~/example/elasticsearch-7.12.1/config/certs/transport-node1.key
xpack.security.transport.ssl.certificate: ~/example/elasticsearch-7.12.1/config/certs/transport-node1.crt
xpack.security.transport.ssl.certificate_authorities: [ ~/example/elasticsearch-7.12.1/config/certs/transport-ca.crt ]
# Transport keystore/truststore settings, do not mix with key/cert settings due to overlap
#xpack.security.transport.ssl.keystore.path: ~/example/elasticsearch-7.12.1/config/certs/transport-node1-keystore.p12
#xpack.security.transport.ssl.truststore.path: ~/example/elasticsearch-7.12.1/config/certs/transport-node1-truststore.p12
# HTTPS protocol settings
xpack.security.http.ssl.enabled: true
# HTTP key/cert settings, do not mix with Keystore/Truststore settings due to overlap
xpack.security.http.ssl.key: ~/example/elasticsearch-7.12.1/config/certs/http-node1.key
xpack.security.http.ssl.certificate: ~/example/elasticsearch-7.12.1/config/certs/http-node1.crt
xpack.security.http.ssl.certificate_authorities: [ ~/example/elasticsearch-7.12.1/config/certs/http-ca.crt ]
# HTTP keystore/truststore settings, do not mix with key/cert settings due to overlap
#xpack.security.http.ssl.keystore.path: ~/example/elasticsearch-7.12.1/config/certs/http-node1-keystore.p12
#xpack.security.http.ssl.truststore.path: ~/example/elasticsearch-7.12.1/config/certs/http-node1-truststore.p12
elasticsearch-keystore example commands (change the passwords)
bin/elasticsearch-keystore create
# Only use these settings if you chose key/cert settings in elasticsearch.yml
#echo "HTTP-PrivateKey-Password" | bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase
#echo "Transport-PrivateKey-Password" | bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase
# Only use these settings if you chose keystore/truststore settings in elasticsearch.yml
echo "HTTP-Keystore-Password" | bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
echo "HTTP-Truststore-Password" | bin/elasticsearch-keystore add xpack.security.http.ssl.truststore.secure_password
echo "Transport-Keystore-Password" | bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
echo "Transport-Truststore-Password" | bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
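The rule in the comments above (key/cert settings and keystore/truststore settings must not be mixed inside the same xpack.security.<context>.ssl group) can be checked before starting the node. What follows is an added example, not code from this thread or from Elastic: a small POSIX shell lint that reads a flat elasticsearch.yml, treats lines beginning with # as inactive, and checks the HTTP and transport groups separately, because Elasticsearch builds one SSL configuration per group, so a leftover line in either group is enough to produce "you cannot specify a keystore and key file". It flags a group that sets both key and keystore.path, or both certificate_authorities and truststore.path. The sample configuration it writes, the paths in it and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): lint an elasticsearch.yml for the
# key/cert vs keystore/truststore mix that Elasticsearch rejects at startup.
# Assumes a flat "key: value" file; commented-out lines ('#') are inactive.

# is_active FILE KEY: succeed if KEY is set (uncommented) in FILE.
# Matching on "KEY:" keeps ...ssl.key from matching ...ssl.keystore.path.
is_active() {
  awk -v k="$2" '
    { line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, k ":") == 1 || index(line, k " ") == 1) found = 1 }
    END { exit !found }' "$1"
}

# check_context FILE PREFIX: 0 if PREFIX (e.g. xpack.security.http.ssl) is
# consistent, 1 if it mixes the two styles. Prints a one-line verdict.
check_context() {
  file=$1; prefix=$2; rc=0
  has_key=0; has_keystore=0; has_ca=0; has_truststore=0
  if is_active "$file" "$prefix.key"; then has_key=1; fi
  if is_active "$file" "$prefix.keystore.path"; then has_keystore=1; fi
  if is_active "$file" "$prefix.certificate_authorities"; then has_ca=1; fi
  if is_active "$file" "$prefix.truststore.path"; then has_truststore=1; fi
  if [ "$has_key" -eq 1 ] && [ "$has_keystore" -eq 1 ]; then
    echo "CONFLICT: $prefix sets both .key and .keystore.path (keystore and key file)"
    rc=1
  fi
  if [ "$has_ca" -eq 1 ] && [ "$has_truststore" -eq 1 ]; then
    echo "CONFLICT: $prefix sets both .certificate_authorities and .truststore.path"
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "ok: $prefix uses one style only"
  return "$rc"
}

# write_sample_config FILE: constructed elasticsearch.yml for the demo. The
# HTTP group has its keystore line commented out (consistent); the transport
# group still has keystore.path next to key (the mix behind the error).
write_sample_config() {
  cat > "$1" <<'EOF'
cluster.name: elk
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
#xpack.security.http.ssl.keystore.path: http.p12
xpack.security.http.ssl.key: certs/node1.key
xpack.security.http.ssl.certificate: certs/node1.crt
xpack.security.http.ssl.certificate_authorities: [ certs/ca.crt ]
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.key: certs/node1.key
EOF
}

# demo: lint the constructed file; exit status is non-zero if any group conflicts.
demo() {
  cfg=$(mktemp); write_sample_config "$cfg"; status=0
  for ctx in xpack.security.http.ssl xpack.security.transport.ssl; do
    if ! check_context "$cfg" "$ctx"; then status=1; fi
  done
  rm -f "$cfg"
  return "$status"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh lint.sh demo" to see the verdict for the constructed file; point check_context at the real config/elasticsearch.yml to lint a node before restarting it. Only the group that actually conflicts is reported, which is the detail a stack trace like the one above does not give you.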
I have generated crt.pem and key.pem by using the below commands:
openssl pkcs12 -in elastic-certificates.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in elastic-certificates.p12 -out newfile.key.pem -nocerts -nodes
But for ssl.certificate_authorities I need to generate ca.crt for Filebeat.
Could you please help me with the command to install ca.crt?
I have created the cluster and enabled SSL and TLS certificates for version 7.12.1, and I am getting the below error while generating passwords:
[root@testing-elk1 ~]# tail -n 50 /var/log/elasticsearch/my-application.log
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:99) ~[elasticsearch-ssl-config-7.12.1.jar:7.12.1]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
... 16 more
Caused by: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:158) ~[?:?]
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84) ~[?:?]
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:309) ~[?:?]
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364) ~[?:?]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275) ~[?:?]
at sun.security.validator.Validator.validate(Validator.java:264) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285) ~[?:?]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144) ~[?:?]
at org.elasticsearch.common.ssl.DiagnosticTrustManager.checkServerTrusted(DiagnosticTrustManager.java:99) ~[elasticsearch-ssl-config-7.12.1.jar:7.12.1]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) ~[?:?]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1267) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1254) ~[?:?]
at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1199) ~[?:?]
at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-handler-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-codec-4.1.49.Final.jar:4.1.49.Final]
... 16 more
[2022-11-29T16:08:10,682][WARN ][o.e.x.c.s.t.n.SecurityNetty4Transport] [node-1] client did not trust this server's certificate, closing connection Netty4TcpChannel{localAddress=/172.16.0.122:9300, remoteAddress=/172.16.0.123:48720, profile=default}
It is recommended that you resolve the issues with your cluster before running elasticsearch-setup-passwords.
It is very likely that the password changes will fail when run against an unhealthy cluster.
Do you want to continue with the password setup process [y/N]y
Initiating the setup of passwords for reserved users elastic,apm_system,kibana,kibana_system,logstash_system,beats_system,remote_monitoring_user.
You will be prompted to enter passwords as the process progresses.
Please confirm that you would like to continue [y/N]y
Enter password for [elastic]:
Reenter password for [elastic]:
Enter password for [apm_system]:
Reenter password for [apm_system]:
Enter password for [kibana_system]:
Reenter password for [kibana_system]:
Enter password for [logstash_system]:
Reenter password for [logstash_system]:
Enter password for [beats_system]:
Reenter password for [beats_system]:
Enter password for [remote_monitoring_user]:
Reenter password for [remote_monitoring_user]:
This is a general PKIX error about configuration of a truststore. Is it possible you created the three node P12s with elasticsearch-certutil without adding the --ca-dn and -pass parameters?
There are a lot of ways to set up CAs, but I can give you a specific example. One way is to create a CA P12 first, and then use it to create three Node P12s which are signed by that CA. If you do that, you should be able to use the three P12s in your nodes as a dual keystore and truststore.
If you fix the cluster member certs to trust each other, the cluster membership errors will go away, and the cluster state error will disappear because your cluster will have a quorum (i.e. minimum 2 out of 3 nodes are running and connected).
There are a lot of ways to set up CAs. For manual setup, I personally like to create a CA per cluster just for Transport certs (i.e. cluster membership), and use a different (i.e. public) CA for issuing HTTPS certs.
This example creates crt/key files for each node, signed by a CA key/crt.
For clarification, it is fine to use your current version 7.12.1 or a newer version 8.5.1 to generate certs for your 7.12.1 deployment. Sometimes it is desirable to use a newer elasticsearch-certutil if it supports any convenient, newer parameters.
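As an added example of the layout described above (a CA per cluster for transport certificates, node certificates signed by it, each node's P12 usable as both keystore and truststore), here is the same procedure done with openssl instead of elasticsearch-certutil. These are not commands from the thread or from Elastic. It creates a self-signed transport CA, issues a node certificate with DNS and IP SANs signed by that CA, verifies that the node certificate chains to the CA (the check whose failure shows up as "Path does not chain with any of the trust anchors"), bundles key, certificate and CA into one P12, and extracts the CA certificate alone from that P12 for a client such as Filebeat's ssl.certificate_authorities. Node names, the IP addresses, the password and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): per-cluster transport CA with openssl,
# node certs signed by it, P12 bundling, CA extraction and chain verification.
# All names, IPs and the password below are constructed for the demo.

# make_ca NAME CN: self-signed CA key + cert (NAME.key, NAME.crt).
# The CA key is the trust root for cluster membership; keep it off the nodes.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# make_node_cert CA NODE IP: key + CSR for NODE, signed by CA, with SANs so
# hostname/IP checks pass when verification_mode is "full".
make_node_cert() {
  ca=$1; node=$2; ip=$3
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$node" \
    -keyout "$node.key" -out "$node.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s,IP:%s\n' "$node" "$ip" > "$node.ext"
  openssl x509 -req -in "$node.csr" -CA "$ca.crt" -CAkey "$ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$node.ext" \
    -out "$node.crt" >/dev/null 2>&1
}

# verify_chain CA_CRT NODE_CRT: 0 if NODE_CRT chains to CA_CRT, else non-zero.
# This is the offline equivalent of the PKIX check the nodes run on each other.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# bundle_p12 CA NODE PASSWORD: NODE.p12 holding the node key + cert and the
# CA cert, so one file can serve as keystore.path and truststore.path.
bundle_p12() {
  openssl pkcs12 -export -name "$2" -in "$2.crt" -inkey "$2.key" \
    -certfile "$1.crt" -out "$2.p12" -passout "pass:$3" >/dev/null 2>&1
}

# extract_ca_from_p12 P12 PASSWORD OUT_CRT: CA certificate only, no private
# key, suitable for a client's ssl.certificate_authorities list.
extract_ca_from_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys \
    -out "$3" >/dev/null 2>&1
}

# cert_fingerprint CRT: SHA-256 fingerprint, to confirm two files hold the same cert.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null
}

# demo: three node certs from one CA in a temp dir, plus a negative check.
demo() {
  workdir=$(mktemp -d); cd "$workdir"
  make_ca transport-ca "example-transport-ca"
  for n in 1 2 3; do
    make_node_cert transport-ca "node$n" "172.16.0.12$n"   # constructed IPs
    bundle_p12 transport-ca "node$n" "changeme"             # constructed password
    if verify_chain transport-ca.crt "node$n.crt"; then
      echo "node$n.crt chains to transport-ca.crt"
    fi
  done
  make_ca other-ca "unrelated-ca"
  if verify_chain other-ca.crt node1.crt; then
    echo "unexpected: node1.crt verified against an unrelated CA"
  else
    echo "node1.crt does not chain to other-ca.crt (expected)"
  fi
  extract_ca_from_p12 node1.p12 changeme extracted-ca.crt
  echo "CA from file: $(cert_fingerprint transport-ca.crt)"
  echo "CA from P12:  $(cert_fingerprint extracted-ca.crt)"
  echo "artifacts left in $workdir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh transport-ca.sh demo". The negative check is the situation in the log above: a node presenting a certificate that does not chain to the CA the other nodes trust is rejected at the handshake, and verify_chain against the intended CA file is the quickest way to find which node's certificate is the odd one out before touching elasticsearch-setup-passwords.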