Error setup passwords

Hello,
I am currently trying to connect two nodes to make a cluster
Here is the configuration for node1

cluster.name: underpass
node.name: node-01

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: <ip host>
http.port: 9200

discovery.seed_hosts: ["<hostname local>", "<hostname node2>"]

xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/nd /privkey.pem
  certificate: /etc/elasticsearch/certs/nd/fullchain.pem
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/certs/nd/privkey.pem
  certificate: /etc/elasticsearch/certs/nd/fullchain.pem

cluster.initial_master_nodes: ["node-01","node-02"]

Here is the configuration for node2

cluster.name: underpass
node.name: node-02

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

network.host: <ip host>
http.port: 9200

discovery.seed_hosts: ["<hostname local>", "<hostname node2>"]

xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/nd /privkey.pem
  certificate: /etc/elasticsearch/certs/nd/fullchain.pem
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/certs/nd/privkey.pem
  certificate: /etc/elasticsearch/certs/nd/fullchain.pem

cluster.initial_master_nodes: ["node-01","node-02"]

So I have both nodes communicating, the problem is that I have the kibana_system password so for that I use the command:

/usr/share/elasticsearch/bin/elasticsearch-reset-password --username kibana_system --url https://localhost.fr:9200/

or

/usr/share/elasticsearch/bin/elasticsearch-create-enrollment-token --scope kibana --url https://localhost.fr:9200/

But I have this error

ERROR: Failed to determine the health of the cluster.

Awful... May be any specialist here about it?

Hi @ardue welcome to the community, apologies for the troubles

1st, what version are you on? There have been significant changes in the setup between 7.x and 8.x. Is your cluster actually running and reachable?

Can you curl the cluster? With the hostname or IP?

curl -v -u elastic https://<localhostorip>:9200

I suspect that will fail with a self-signed cert error, then you would need to

curl -v -u elastic --cacert /path/to/ca.crt https://<localhostorip>:9200

Always please show the entire commands that you are running and the entire output / messages

Can you add the -v for verbose and provide the full output for the reset password

Also what happens if you use the IP address with -v for the reset password

I also noticed you have an extra space which is probably an issue but may not be this issue
key: /etc/elasticsearch/certs/nd /privkey.pem
................................^

I suspect you have a self-signed cert, and not only that, you created your own, not using the automated setup, so the certificate is not being validated in version 8.x

Did you look at this?

  1. If your cluster uses TLS/SSL for the HTTP interface but the elasticsearch-setup-passwords command attempts to establish a non-secure connection, use the --url command option to explicitly specify an HTTPS URL. Alternatively, set the xpack.security.http.ssl.enabled setting to true.
  2. If the command does not trust the Elasticsearch server, verify that you configured the xpack.security.http.ssl.certificate_authorities setting or the <!---- I think you need to do this
    xpack.security.http.ssl.truststore.path setting.
  3. If hostname verification fails, you can disable this verification by setting xpack.security.http.ssl.verification_mode to certificate.
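
A pre-flight check for the two configuration points raised in the reply above (the stray space in the key path, and the `certificate_authorities` / `truststore.path` setting from the quoted troubleshooting list), as an added example that is not part of the original thread. The function names and the minimal two-level parser are assumptions made for illustration.

```python
import re

# Constructed sample: TLS stanzas from the node-01 config posted in this thread
# (transport stanza shortened), stray space in the HTTP key path included.
SAMPLE = """\
xpack.security.http.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/nd /privkey.pem
  certificate: /etc/elasticsearch/certs/nd/fullchain.pem
xpack.security.transport.ssl:
  enabled: true
  key: /etc/elasticsearch/certs/nd/privkey.pem
"""
# Settings whose value is a file path, matched on the end of the dotted name.
PATH_SUFFIXES = (".ssl.key", ".ssl.certificate", ".ssl.certificate_authorities",
                 ".ssl.keystore.path", ".ssl.truststore.path")
HTTP_SSL = "xpack.security.http.ssl."

def flatten(text):
    """Dotted settings from flat or two-level ('parent:' + indented child) YAML."""
    settings, parent = {}, ""
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        if not value.strip():        # 'xpack.security.http.ssl:' opens a block
            parent = key + "."
            continue
        if not indented:
            parent = ""
        settings[parent + key] = value.strip()
    return settings

def lint(text):
    """Findings for the two issues raised in the reply above."""
    cfg, findings = flatten(text), []
    for name, value in cfg.items():
        paths = [p.strip(" \"'") for p in value.strip("[]").split(",")]
        if name.endswith(PATH_SUFFIXES) and any(re.search(r"\s", p) for p in paths):
            findings.append(f"{name}: whitespace inside path {value!r}")
    trust = ("certificate_authorities", "truststore.path")
    if cfg.get(HTTP_SSL + "enabled") == "true" and not any(HTTP_SSL + t in cfg for t in trust):
        findings.append(HTTP_SSL + "certificate_authorities: no CA or truststore set")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Running it against each node's `elasticsearch.yml` before starting the service catches both findings without needing a running cluster.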

I am using version 8

The certificate is made with certbot by Let's Encrypt

For the curl command I used because the other commands do not work even with the ip of the machine

curl -v -u elastic --cacert /etc/elasticsearch/certs/nd/cert.pem https://<domainename>:9200

Here is the command output:

*   Trying 127.0.1.1:9200...
* Connected to nd1.underpass.fr (127.0.1.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/elasticsearch/certs/nd /cert.pem
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=<domainename>
*  start date: Nov 18 14:35:22 2022 GMT
*  expire date: Feb 16 14:35:21 2023 GMT
*  subjectAltName: host "<domainename>" matched cert's "<domainename>"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: < domainename>:9200
> Authorization: Basic ZWxhc3RpYzp5NEhnM2IwSmoqcEdhQlNtaUFvbg==
> User-Agent: curl/7.74.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 526
<
{
  "name" : "node-01",
  "cluster_name" : "underpass",
  "cluster_uuid" : "_zxuXi5rT-Kf_-ohfv1JEg",
  "version" : {
    "number" : "8.5.1",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "c1310c45fc534583afe2c1c03046491efba2bba2",
    "build_date" : "2022-11-09T21:02:20.169855900Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.1",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host < domainename > left intact

Ok Good... and now please run the other commands with -v so we can see more details.

/usr/share/elasticsearch/bin/elasticsearch-reset-password -v --username kibana_system --url https://localhost.fr:9200/

And then if you add this setting what happens?

WTF

I tried this command several times it never worked and it did

thanks anyways


Cool / Weird! And we all thought code was reproducible! :slight_smile: