Error creating a new enrollment token

alexus · February 21, 2019, 4:22am

Hello World!

I'm using Elastic Stack 6.6.1 and trying to follow Enroll Beats in central management along with Secrets keystore for secure settings and running into following issue:

# echo changeme | filebeat keystore add ES_PWD --stdin --force
Successfully updated the keystore
# 
# filebeat enroll https://X.X.X:443 --username elastic --password env:ES_PWD
Error creating a new enrollment token: [security_exception] failed to authenticate user [elastic], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }
#

yet, username:password seems to work:

# export ES_PWD=changeme
# curl -s -I https://elastic:$ES_PWD@x.x.x:443 | grep ^HTTP
HTTP/1.1 200 OK
#

Please advise.

steffens · February 21, 2019, 2:26pm

Checking the code, the --password CLI flag only supports stdin and env in 6.6. The env method does not read from the keystore, but expects you to use an environment variable.

alexus · February 21, 2019, 5:54pm

ok, still getting same security_exception:

# ES_PWD=changeme
# filebeat enroll https://X.X.X:443 --username elastic --password env:ES_PWD
Error creating a new enrollment token: [security_exception] failed to authenticate user [elastic], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } }
# curl -s -I https://elastic:$ES_PWD@X.X.X:443 | grep ^HTTP
HTTP/1.1 200 OK
#

yet, following works as expected:

# filebeat enroll https://X.X.X:443 --username elastic --password stdin
Enter password: 
This will replace your current settings. Do you want to continue? [Y/n]:y
Saving a copy of current settings to /etc/filebeat/filebeat.yml.bak
Enrolled and ready to retrieve settings from Kibana
#

pierhugues · February 25, 2019, 3:22pm

When you do ES_PWD=change the environment variable will be only valid for the current command, if precede the command with the variable like in the next example it will correctly take the environment variable:

ES_PWD=changeme filebeat enroll https://X.X.X:443 --username elastic --password env:ES_PWD

But I still think its a bug, we should report that we cannot retrieve the environment variable.

pierhugues · February 25, 2019, 3:49pm

I have created the following PR to give better feedback https://github.com/elastic/beats/pull/10936

system · March 25, 2019, 5:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error while enrolling: empty access_token Beats fleet , filebeat	3	1402	May 10, 2019
Username and password-based enrollment - "environment variable VAR_NAME does not exist" Beats filebeat	3	392	September 22, 2020
Create enrollment for kibana impossible with certificate Lets Encript Elasticsearch elastic-stack-security	4	1303	November 24, 2022
filebeat往Central Management 注册失败后第二次注册会提示empty access_token 中文提问与讨论	1	2945	March 27, 2019
Winlogbeat gives unathorized error when using keystore Beats elastic-stack-security , winlogbeat	3	1161	July 28, 2020

Error creating a new enrollment token

Related topics