Error changing certificate in Elasticsearch

I'm trying to change Elasticsearch SSL certificates but I'm getting some errors and it's not starting.

I would like to change the CA and certificate to one generated by me, which I use for testing, to learn how to change the certificate.

1 - I created a PEM type CA certificate with an encrypted key.
2 - I created a PEM type certificate with an encrypted key.
3 - I signed this certificate with the CA.
4 - The password used in encryption is linux123456 (for testing)
5 - I generated the keystore with the KeyStore Explorer app, using the same password "linux123456".
6 - I changed the password stored in xpack.security.http.ssl.keystore.secure_password to "linux123456".
7 - Replaced the original http.p12 file with my http.p12 keystore.

When I start Elasticsearch I get the following error:

systemd[1]: Starting Elasticsearch...
systemd-entrypoint[10800]: uncaught exception in thread [main]
systemd-entrypoint[10800]: org.elasticsearch.ElasticsearchSecurityException: failed to load SSL configuration [xpack.security.http.ssl] - cannot load [PKCS12] keystore from [/etc/elasticsearch/certs/http.p12] due to UnrecoverableKeyException (Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.); this is usually caused by an incorrect key-password (we tried to access the key using the same password as the keystore)
systemd-entrypoint[10800]: Likely root cause: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

I'm using Elasticsearch 8.1.3 on AlmaLinux 8.5.

Any tips that can help me?

Can you try to remove the keystore explorer app from this equation and generate those files using the ./bin/elasticsearch-keystore command? See elasticsearch-keystore | Elasticsearch Guide [8.1] | Elastic


PKCS#12 keystores have two different passwords. One for the keystore itself, and another one for each entry inside the keystore.
It's common to use the same password for both of those, and a lot of tooling (including Elasticsearch) defaults to assuming that your keystore, and your key-entry will have the same password.
That's what we've tried to do here

(we tried to access the key using the same password as the keystore)

But it looks like your keystore has a different password for the key itself and the keystore.

We don't provide support for KeyStore Explorer, but it looks like the way in which you created that keystore has applied different passwords.

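The two-password point above is easiest to see by building the keystore with openssl instead of a GUI. The script below is an added example, not code from the thread or from Elastic: it walks the poster's steps (encrypted CA key, encrypted server key, CA-signed cert, PKCS#12 export) with the openssl CLI, which writes the keystore MAC password and the key-entry password from the single `-passout` value, so they cannot drift apart. It then checks the keystore the way the error message describes, by opening it and recovering the key with that one password. The working directory, subject names, the `http` alias and the helper names are assumptions for the demo; the password is the throwaway test value quoted in the thread. (Elastic's own tool for producing `http.p12` is `bin/elasticsearch-certutil http`, which avoids the hand-built route entirely.)

```shell
#!/bin/sh
# Added example (not from the thread or from Elastic): build CA, server cert and a
# PKCS#12 keystore with openssl so the keystore and key-entry passwords match,
# then verify the keystore with one password as Elasticsearch does.
set -e

WORK="${WORK:-$(mktemp -d)}"          # assumed scratch directory
PASS="${PASS:-linux123456}"           # throwaway test password from the thread

# Step 1: CA certificate with an encrypted (PEM) private key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -days 365 -sha256 \
        -subj "/CN=demo-test-ca" \
        -passout "pass:$PASS" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Steps 2-3: server key (encrypted PEM) plus CSR, signed by the CA, then chain-checked.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -sha256 \
        -subj "/CN=es-node-demo" \
        -passout "pass:$PASS" -keyout "$WORK/http.key" -out "$WORK/http.csr" 2>/dev/null
    openssl x509 -req -days 365 -sha256 -in "$WORK/http.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$PASS" -CAcreateserial \
        -out "$WORK/http.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/http.crt" >/dev/null
}

# Steps 5-7: pack key, cert and CA into http.p12. One -passout value is used for
# both the keystore (MAC) password and the key entry, which is what Elasticsearch
# assumes when it "tries to access the key using the same password as the keystore".
make_keystore() {
    openssl pkcs12 -export -name http \
        -in "$WORK/http.crt" -inkey "$WORK/http.key" -passin "pass:$PASS" \
        -certfile "$WORK/ca.crt" \
        -out "$WORK/http.p12" -passout "pass:$PASS"
}

# Elasticsearch-style check: open the keystore AND decrypt its key entry with a
# single password. Returns 0 on success, 1 if the MAC check or key decryption fails
# (a keystore whose entry password differs from the store password fails here too).
check_keystore() {
    p12="$1"; pw="$2"
    if openssl pkcs12 -in "$p12" -passin "pass:$pw" -noout 2>/dev/null; then
        return 0
    fi
    return 1
}

# Runs the whole procedure and prints the path of the resulting keystore.
build_chain() {
    make_ca
    make_server_cert
    make_keystore
    printf '%s\n' "$WORK/http.p12"
}

P12="$(build_chain)"
if check_keystore "$P12" "$PASS"; then
    echo "OK: $P12 opens and its key entry decrypts with the keystore password"
fi
if ! check_keystore "$P12" "not-the-password"; then
    echo "OK: a wrong password is rejected (the same class of failure as in the thread)"
fi
```

Before copying a hand-built `http.p12` into `/etc/elasticsearch/certs`, run `check_keystore` against it with the value you stored in `xpack.security.http.ssl.keystore.secure_password`; if that single password does not both open the store and recover the key, Elasticsearch will fail at startup with the `UnrecoverableKeyException` shown in the question.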

yes... yes... :sweat_smile:

I had not understood that the keystore has 2 passwords.
Now it worked just fine.

Thanks!!
